sbominator/sbom-lib
===================

SBOMinator Library

v0.5.0 · MIT · PHP >=8.2 · CI passing

[Source](https://github.com/sbominator/lib) · [Packagist](https://packagist.org/packages/sbominator/sbom-lib) · [Docs](https://github.com/sbominator/package)

SBOMinator Library
==================

What it is
----------

This library can be used as a multi-channel dependency tracker. It can parse the following files:

- Composer Lockfiles
- NPM Lockfiles
- CycloneDX SBOMs
- SPDX SBOMs

How it works
------------

The library uses a parser interface to parse the files. You can then use the parser to get the dependency tree of the file. Dependencies are represented as a tree structure, with each node containing the name of the dependency and its version.

How to use it
-------------

### Installation

Run `composer require sbominator/sbom-lib` to install the library.

### With ddev

For easier development across machines, you can use ddev to run the project locally. Install ddev by following its installation instructions. After checking out the project, run `ddev start` to start it, then `ddev ssh` to get a shell in the running container. In that shell, run `composer install` to install the dependencies.

### Usage

### Using the generator

#### Load up the generator of your choice and generate from a dependency tree.

```
$generator = new SpdxSBOMGenerator($dependencies);
$SBOMstring = $generator->generate();
```

### Using the scanner

#### Load up the scanner of your choice.

```
use SBOMinator\Lib\Scanner\FileScanner;

/*
 * You can pass the maximum depth of the subdirectories to scan (default is 10)
 * and an array of file extensions to scan for. (If you want to work with all available parsers, you can use the default ['json', 'lock'])
 */

$fileScanner = new FileScanner(10, ['json', 'lock']);
```

#### Scan a directory

Use the `scanForDependencies()` method to scan a directory for files that the scanner supports.

```
$dependencies = $fileScanner->scanForDependencies(getcwd());
```

### Using the parser

#### Load up the parser of your choice.

```
use SBOMinator\Parser\ComposerParser;

$parser = new ComposerParser();

// You can omit dev packages if you want by calling withoutDevPackages() on the parser.
$parser = (new ComposerParser())->withoutDevPackages();
```

#### Parse a file that the parser supports

You can pass a file path to the parser:

```
$parser->loadFromFile('composer.lock');
```

You can also pass the contents of a file as a string to the parser:

```
$parser->loadFromString(file_get_contents('composer.lock'));
```

##### Retrieve the Dependency Tree

```
$dependencyTree = $parser->parseDependencies();
```
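
An added example, not SBOMinator's own code: a stand-alone PHP script that builds the kind of name/version tree described under "How it works" from a `composer.lock` string, with an option to leave out dev packages. The function names, the node keys and the rule that roots are the packages no other locked package requires are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not SBOMinator code: all function names here are hypothetical.

/** Index the locked packages by name, optionally including "packages-dev". */
function indexLockPackages(array $lock, bool $includeDev): array
{
    $packages = $lock['packages'] ?? [];
    if ($includeDev) {
        $packages = array_merge($packages, $lock['packages-dev'] ?? []);
    }
    return array_column($packages, null, 'name');
}

/** Expand one package into a tree node; $path guards against require cycles. */
function buildNode(string $name, array $index, array $path = []): array
{
    $path[] = $name;
    $node = ['name' => $name, 'version' => $index[$name]['version'], 'dependencies' => []];
    foreach (array_keys($index[$name]['require'] ?? []) as $dep) {
        // Platform requirements (php, ext-*) are not locked packages, so they are skipped.
        if (isset($index[$dep]) && !in_array($dep, $path, true)) {
            $node['dependencies'][] = buildNode($dep, $index, $path);
        }
    }
    return $node;
}

/** Assumption: roots are the locked packages that no other locked package requires. */
function buildDependencyTree(string $lockJson, bool $includeDev = true): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $index = indexLockPackages($lock, $includeDev);
    $required = [];
    foreach ($index as $pkg) {
        $required += array_flip(array_keys($pkg['require'] ?? []));
    }
    $roots = array_diff(array_keys($index), array_keys($required));
    return array_map(fn (string $n) => buildNode($n, $index), array_values($roots));
}

// Constructed sample lock content (not taken from a real project).
$sample = '{"packages":[{"name":"acme/app-core","version":"1.2.0","require":{"php":">=8.2","acme/log":"^2.0"}},
  {"name":"acme/log","version":"2.1.3"}],"packages-dev":[{"name":"acme/test-kit","version":"0.9.0","require":{"acme/log":"^2.0"}}]}';
echo json_encode(buildDependencyTree($sample, false), JSON_PRETTY_PRINT), PHP_EOL;
```

Passing `true` as the second argument adds `acme/test-kit` as a second root, which shows how dev-only packages change the inventory an SBOM would report.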

Contributing
------------

Please see [CONTRIBUTING.md](CONTRIBUTING.md) for more information.
