cyclonedx-php-composer
have a `.phar` released
Is your feature request related to a problem? Please describe.
on CI, I always need to have a PHP Composer available in order to create an SBOM of a composer.lock
Describe the solution you'd like
have a bundled .phar
added to every release, that includes composer & the CDX composer plugin
Additional context
acc / crit
- phar includes a version of php composer & CDX plugin
- phar bundles pinned versions of all dependencies
- lock file in the repo
- add SBOM to PHAR to know what is in it
- building PHAR is an automated part of every release
- CI tests to build PHAR and execute integration/demos on every CT run
- IDEA: https://github.com/humbug/php-scoper is part of build process
maybe utilize https://github.com/box-project/box ?
Or just https://github.com/llaville/box-manifest === box + manifests (feature missing in standard box project)
Latest version 3.3.x includes CycloneDX XML and JSON versions of all specifications (1.1 until 1.4 are supported)
FYI: I worked on a prototype of a GitHub Action for BOX Manifest (see https://github.com/llaville/box-manifest/issues/8).
It'll allow you to build either:
- a standard box project (PHAR distrib)
- a standard box project with any manifests and custom stub (to support display phar manifests at runtime)
@llaville you realize that this product is already an SBOM generator?
I do not see a point in using anything else than cyclonedx-php-composer to generate the SBOM of cyclonedx-php-composer.
@jkowalleck As you don't understand, I won't annoy you anymore!
If having a Composer PHAR with the plugin, then you probably would need to actually replicate the Composer build process. I didn't try in a long time, but I think doing box compile on the Composer project won't work as there are a few preparatory steps.
To expand a bit on https://github.com/llaville/box-manifest, what @llaville built is a tiny application that is shipped with the built PHAR that can export a manifest, SBOM or other. This is a separate project as I personally preferred to have a less invasive way and rather opt for having one idiomatic manifest shipped in the PHAR, and then Box could show/export that manifest in different formats. So whilst it's a different approach, we both strive to provide an easier way to provide an SBOM for PHARs.
I only had a quick look in order to have this feature within Box itself, but what strikes me about this project (unless I missed something, which is well possible) is the lack of a clear API to generate the SBOM:
- When I look at @llaville manifest's builder it is not "simple": https://github.com/llaville/box-manifest/blob/master/src/Composer/Manifest/SbomManifestBuilder.php
- When I look at this project it is not either: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/src/MakeBom/Builder.php#L344
If I understand correctly, https://github.com/CycloneDX/cyclonedx-php-library is the library providing the API to build an SBOM. What I feel is missing (and what I mean by "clear API to generate the SBOM") is a manifest builder for a given existing Composer manifest. For example a function that takes the content of composer.lock/installed.json (I am not sure which one is more reliable) and generates the content of the SBOM manifest. For example:
SbomManifestFactory::fromComposerLock(string $composerLockContents): string
Then be it Composer itself, a Composer plugin, Box, BoxManifest, it's a lot easier to build around as each can adapt the console API used (Composer API, Symfony Console or other) and from where the composer manifest comes from.
PS: Sorry for kinda hijacking this issue...
PS2: It's really a nitpick, but I find it very strange to have CycloneDX:make-sbom as a command name rather than cyclonedx:make-sbom. Maybe it's just me though.
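The `SbomManifestFactory::fromComposerLock()` shape sketched in the comment above, written out as an added example. This is not code from cyclonedx-php-composer, cyclonedx-php-library or box-manifest; the real plugin builds its BOM through cyclonedx-php-library. The class name, the decision to map `packages-dev` entries to CycloneDX scope `optional`, the use of the license `name` field instead of SPDX `id`, and the embedded composer.lock sample are all assumptions or constructed data.

```php
<?php
// Added example (hypothetical API, not the project's own code): build a
// CycloneDX 1.4 JSON BOM from the raw contents of composer.lock using only
// plain PHP and json_encode().
declare(strict_types=1);

final class SbomManifestFactory
{
    /** Return a CycloneDX 1.4 JSON document describing every locked package. */
    public static function fromComposerLock(string $composerLockContents): string
    {
        $lock = json_decode($composerLockContents, true, 512, JSON_THROW_ON_ERROR);

        $components = [];
        // composer.lock keeps runtime and dev dependencies in two separate lists
        foreach ([['packages', false], ['packages-dev', true]] as [$key, $isDev]) {
            foreach ($lock[$key] ?? [] as $pkg) {
                $components[] = self::componentFor($pkg, $isDev);
            }
        }

        $bom = [
            'bomFormat'   => 'CycloneDX',
            'specVersion' => '1.4',
            'version'     => 1,
            'metadata'    => ['timestamp' => gmdate('c')],
            'components'  => $components,
        ];

        return json_encode($bom, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    }

    /** Map one composer.lock package record onto a CycloneDX component. */
    private static function componentFor(array $pkg, bool $isDev): array
    {
        // Composer names are "vendor/name"; CycloneDX models that as group + name.
        [$group, $name] = array_pad(explode('/', $pkg['name'], 2), 2, null);
        if ($name === null) {
            $name  = $group;
            $group = null;
        }
        $version = (string) $pkg['version'];

        $component = [
            'type'    => 'library',
            'name'    => $name,
            'version' => $version,
            // package-url for Composer packages: pkg:composer/<vendor>/<name>@<version>
            'purl'    => 'pkg:composer/' . $pkg['name'] . '@' . rawurlencode($version),
            // assumption: dev-only packages are reported as "optional" scope
            'scope'   => $isDev ? 'optional' : 'required',
        ];
        if ($group !== null) {
            $component['group'] = $group;
        }
        // Composer license strings are usually SPDX ids, but we do not validate
        // them here, so the free-form "name" field is used instead of "id".
        foreach ($pkg['license'] ?? [] as $license) {
            $component['licenses'][] = ['license' => ['name' => $license]];
        }
        // Composer's dist "shasum" is the SHA-1 of the downloaded archive; it is
        // often empty in composer.lock, so it is only emitted when present.
        $shasum = $pkg['dist']['shasum'] ?? '';
        if ($shasum !== '') {
            $component['hashes'][] = ['alg' => 'SHA-1', 'content' => $shasum];
        }

        return $component;
    }
}

// Constructed composer.lock fragment (sample data, not a real lock file).
$sampleLock = <<<'JSON'
{
  "packages": [
    {"name": "psr/log", "version": "3.0.0", "license": ["MIT"],
     "dist": {"type": "zip", "url": "https://example.invalid/psr-log.zip", "shasum": ""}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.4.2", "license": ["BSD-3-Clause"],
     "dist": {"type": "zip", "url": "https://example.invalid/phpunit.zip",
              "shasum": "0000000000000000000000000000000000000000"}}
  ]
}
JSON;

echo SbomManifestFactory::fromComposerLock($sampleLock), PHP_EOL;
```

Running this prints a BOM with two components: `psr/log` as a required library without hashes, and `phpunit/phpunit` as an optional one carrying the constructed SHA-1. Because the factory only depends on the string contents of composer.lock, it can be called from a Composer plugin, a Symfony Console command or a Box build step alike, which is the decoupling the comment above asks for.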
re https://github.com/CycloneDX/cyclonedx-php-composer/issues/164#issuecomment-1774675478
- install this composer plugin - this will add a new command to composer
- run composer CycloneDX:make-sbom and generate your BOM.
please create a new issue or discussion for further conversations