scorecard icon indicating copy to clipboard operation
scorecard copied to clipboard
verified publisher icon ossf

Support Composer (PHP) Package Manager

Open maennchen opened this issue 1 year ago • 1 comments

Is your feature request related to a problem? Please describe.

Scorecard currently does not recognize the package manager composer (PHP).

Describe the solution you'd like

Scorecard should recognize that composer is used.

How are packages published with composer?

The default & public package registry is called Packagist.

The packages are pulled by the registry and not pushed like with most other registries.

Steps:

  • Create a composer.json file with "type": "library"
  • Configure packagist to pull Git Repository
  • Optional: Create a Webhook so that new versions are recognized quickly

Detection

To detect if a project is publishing using composer, the following rules should work:

  • Check if there's a file called composer.json
  • Check if composer.json#.type is not set to project - https://getcomposer.org/doc/04-schema.md#type
  • Call https://repo.packagist.org/p2/[composer.json#.name].json to see if the package is published - https://packagist.org/apidoc#get-package-data
  • Check if response#.packages.[composer.json#.name][*].source.url is equal to the git repository which is being scored

The latter two checks are a bit more involved. But depending on how accurate this checks need to be, they could also be skipped.

Describe alternatives you've considered

None.

Additional context

  • Example Project: https://github.com/maennchen/ZipStream-PHP
  • Example published package: https://packagist.org/packages/maennchen/zipstream-php

maennchen avatar Oct 10 '24 13:10 maennchen

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Dec 12 '24 02:12 github-actions[bot]