CycloneDX / cyclonedx-php-composer

Create CycloneDX Software Bill of Materials (SBOM) from PHP Composer projects
https://cyclonedx.org/
Apache License 2.0

have a `.phar` released #164

Open jkowalleck opened 2 years ago

jkowalleck commented 2 years ago

Is your feature request related to a problem? Please describe.

On CI, I always need to have PHP Composer available in order to create an SBOM of a composer.lock.

Describe the solution you'd like

Have a bundled `.phar` added to every release that includes Composer & the CDX composer plugin.

Additional context

acc / crit

jkowalleck commented 1 year ago

maybe utilize https://github.com/box-project/box ?

llaville commented 1 year ago

> maybe utilize https://github.com/box-project/box ?

Or just https://github.com/llaville/box-manifest === box + manifests (feature missing in standard box project)

The latest version 3.3.x includes CycloneDX XML and JSON versions of all specifications (1.1 through 1.4 are supported).

llaville commented 1 year ago

FYI: I worked on a prototype of a GitHub Action for BOX Manifest (see https://github.com/llaville/box-manifest/issues/8).

It'll allow building either:

jkowalleck commented 1 year ago

@llaville you realize that this product is already an SBOM generator?

I do not see a point in using anything else than cyclonedx-php-composer to generate the SBOM of cyclonedx-php-composer.

llaville commented 1 year ago

@jkowalleck As you don't understand, I won't be annoying you anymore!

theofidry commented 8 months ago

If you want a Composer PHAR with the plugin, then you probably would need to actually replicate the Composer build process. I haven't tried in a long time, but I think doing `box compile` on the Composer project won't work as there are a few preparatory steps.

To expand a bit on https://github.com/llaville/box-manifest: what @llaville built is a tiny application that is shipped with the built PHAR and that can export a manifest, SBOM or other. This is a separate project as I personally preferred to have a less invasive way and rather opted for having one idiomatic manifest shipped in the PHAR, and then Box could show/export that manifest in different formats. So whilst it's a different approach, we both strive to provide an easier way to provide an SBOM for PHARs.

I only had a quick look in order to have this feature within Box itself, but what strikes me about this project (unless I missed something, which is well possible) is the lack of a clear API to generate the SBOM:

If I understand correctly, https://github.com/CycloneDX/cyclonedx-php-library is the library providing the API to build an SBOM. What I feel is missing (and what I mean by "clear API to generate the SBOM") is a manifest builder for a given existing Composer manifest. For example a function that takes the content of composer.lock/installed.json (I am not sure which one is more reliable) and generates the content of the SBOM manifest. For example:

```php
SbomManifestFactory::fromComposerLock(string $composerLockContents): string
```

Then, be it Composer itself, a Composer plugin, Box or BoxManifest, it's a lot easier to build around, as each can adapt the console API used (Composer API, Symfony Console or other) and where the composer manifest comes from.

PS: Sorry for kinda hijacking this issue...

PS2: It's really a nitpick, but I find it very strange to have `CycloneDX:make-sbom` as a command name rather than `cyclonedx:make-sbom`. Maybe it's just me though.
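A sketch of the kind of API the comment above asks for, added here as an example and not code from cyclonedx-php-composer or cyclonedx-php-library: a hypothetical `SbomManifestFactory::fromComposerLock()` that parses the raw composer.lock JSON and hand-emits a minimal CycloneDX 1.4 JSON document (name, group, version, purl, and the dist checksum when the lock file carries one). The class name, the 1.4 target and the hand-built JSON are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch, not the project's code: composer.lock contents -> CycloneDX 1.4 JSON.
// It emits JSON directly instead of using cyclonedx-php-library, and covers only
// name/group/version/purl/hashes so the shape of the API stays in focus.
final class SbomManifestFactory
{
    public static function fromComposerLock(string $composerLockContents): string
    {
        $lock = json_decode($composerLockContents, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($lock)) {
            throw new InvalidArgumentException('composer.lock must decode to a JSON object');
        }
        $components = [];
        // "packages" are runtime dependencies, "packages-dev" are dev-only ones.
        foreach (['packages', 'packages-dev'] as $section) {
            foreach ((array) ($lock[$section] ?? []) as $pkg) {
                if (!isset($pkg['name'], $pkg['version'])) {
                    continue; // malformed entry: skip rather than guess
                }
                [$vendor, $name] = explode('/', $pkg['name'], 2) + [1 => null];
                if ($name === null) {
                    continue; // Composer package names are always vendor/name
                }
                $component = [
                    'type'    => 'library',
                    'name'    => $name,
                    'group'   => $vendor,
                    'version' => $pkg['version'],
                    // purl for Composer packages: pkg:composer/<vendor>/<name>@<version>
                    'purl'    => sprintf('pkg:composer/%s/%s@%s',
                        rawurlencode($vendor), rawurlencode($name), rawurlencode($pkg['version'])),
                ];
                // Carry the dist checksum through when present, so a consumer can match
                // the SBOM entry against the archive that actually gets installed.
                $shasum = (string) ($pkg['dist']['shasum'] ?? '');
                if (preg_match('/^[0-9a-f]{40}$/i', $shasum) === 1) {
                    $component['hashes'] = [['alg' => 'SHA-1', 'content' => strtolower($shasum)]];
                }
                $components[] = $component;
            }
        }
        $bom = [
            'bomFormat'   => 'CycloneDX',
            'specVersion' => '1.4',
            'version'     => 1,
            'components'  => $components,
        ];
        return json_encode($bom, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    }
}
```

Usage is a single call on the file contents: `SbomManifestFactory::fromComposerLock(file_get_contents('composer.lock'))`; a real implementation would additionally add the root component, dependency graph and licenses.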

jkowalleck commented 8 months ago

re https://github.com/CycloneDX/cyclonedx-php-composer/issues/164#issuecomment-1774675478

  1. Install this composer plugin; this will add a new command to composer.
  2. Run `composer CycloneDX:make-sbom` and generate your BOM.

please create a new issue or discussion for further conversations