microsoft / component-detection

Scans your project to determine what components you use
MIT License

Add composer.json as source for component detection #977

Open JuergenGutsch opened 7 months ago

JuergenGutsch commented 7 months ago

I initially created the issue here https://github.com/microsoft/sbom-tool/issues/478, but it seemed to be the wrong repo.

Composer is a dependency manager for PHP: https://getcomposer.org/

It would be cool to also create an SBOM out of composer.json files. That's why I ask you to add composer.json as a source for component detection. I would also be happy to help if needed.

Thanks, Juergen

AB#2140410

JuergenGutsch commented 7 months ago

I think I will create a PR for you soon.

felickz commented 1 month ago

Composer is a supported ecosystem by the GitHub Advisory Database so this would be an awesome opportunity to support PHP with Advanced Security for Azure DevOps!

JuergenGutsch commented 1 month ago

I didn't continue working on that because I had to look into CycloneDX, which supports almost all platforms to create SBOMs. I had the requirement to evaluate a dependency tracker that checks for vulnerabilities against CVE databases like the GitHub Advisory Database. This is why I stumbled upon this repo and CycloneDX...

However, I will finish the Composer PR within the next two weeks. It is basically a clone of the NPM version. Nothing special.
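As an added illustration of what a Composer detector has to read (example code, not part of this issue or of the component-detection project), here is a minimal Python reader that turns `composer.lock` entries into component records. It assumes the lock file's `packages` / `packages-dev` layout and the `pkg:composer` Package URL type; the sample lock file is constructed, and the leading-`v` version normalisation is an assumption of this example.

```python
"""Minimal composer.lock reader: lock-file entries -> component records with Package URLs."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ComposerComponent:
    name: str        # "vendor/package", as Composer names it
    version: str     # resolved version taken from the lock file
    dev_only: bool   # True when the package appears only under "packages-dev"

    @property
    def purl(self) -> str:
        # Package URL type "composer": pkg:composer/<vendor>/<name>@<version>
        # Stripping a leading "v" is this example's normalisation, not a Composer rule.
        return f"pkg:composer/{self.name}@{self.version.lstrip('v')}"


def parse_composer_lock(text: str) -> list[ComposerComponent]:
    """Parse composer.lock JSON. The lock file is preferred over composer.json
    because it carries resolved versions rather than version constraints."""
    data = json.loads(text)
    found: dict[str, ComposerComponent] = {}
    for section, dev in (("packages", False), ("packages-dev", True)):
        for pkg in data.get(section, []):
            name, version = pkg.get("name"), pkg.get("version")
            if not name or not version:
                continue  # skip a malformed entry instead of failing the whole scan
            # A package listed in both sections counts as a production dependency.
            if name not in found or not dev:
                found[name] = ComposerComponent(name, version, dev)
    return sorted(found.values(), key=lambda c: c.name)


# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "2.9.1", "require": {"psr/log": "^3.0"}},
        {"name": "psr/log", "version": "v3.0.0"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.10"},
        {"name": "psr/log", "version": "v3.0.0"},
        {"name": "broken-entry-without-version"},
    ],
})

if __name__ == "__main__":
    for c in parse_composer_lock(SAMPLE_LOCK):
        print(c.purl, "(dev only)" if c.dev_only else "")
```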