Creates CycloneDX Software Bill-of-Materials (SBOM) from PHP Composer projects

Installs: 296 453

Dependents: 7

Suggesters: 0

Security: 0

Stars: 24

Watchers: 5

Forks: 7

Open Issues: 14



shield_gh-workflow-test shield_packagist-version shield_license
shield_website shield_slack shield_groups shield_twitter-follow

CycloneDX PHP Composer Plugin

A plugin for PHP's Composer that generates Software Bill of Materials (SBoM) in CycloneDX format.


The latest version of this plugin supports PHP ^7.3||^8.0 with Composer ^2.0 .

There are older versions of this plugin available, which support PHP ^5.5||^7.0||^8.0 with Composer ^1.0||^2.0 .


As a global composer plugin:

composer global require cyclonedx/cyclonedx-php-composer

As a development dependency of the current project:

composer require --dev cyclonedx/cyclonedx-php-composer


After successful installation, the composer command make-bom is available.

$ composer make-bom -h
  make-bom [options] [--] [<composer-file>]

  composer-file                      Path to composer config file.
                                     Defaults to "composer.json" file in working directory.

      --output-format=OUTPUT-FORMAT  Which output format to use.
                                     Values: "XML", "JSON" [default: "XML"]
      --output-file=OUTPUT-FILE      Path to the output file.
                                     Set to "-" to write to STDOUT.
                                     Depending on the output-format, default is one of: "bom.xml", "bom.json"
      --exclude-dev                  Exclude dev dependencies
      --exclude-plugins              Exclude composer plugins
      --spec-version=SPEC-VERSION    Which version of CycloneDX spec to use.
                                     Values: "1.1", "1.2", "1.3" [default: "1.3"]
      --no-validate                  Don't validate the resulting output
      --mc-version=MC-VERSION        Version of the main component.
                                     This will override auto-detection.
      --no-version-normalization     Don't normalize component version strings.
                                     Per default this plugin will normalize version strings by stripping leading "v".
                                     This is a compatibility-switch. The next major-version of this plugin will not modify component versions.
  -h, --help                         Display this help message
  -q, --quiet                        Do not output any message
  -V, --version                      Display this application version
      --ansi                         Force ANSI output
      --no-ansi                      Disable ANSI output
  -n, --no-interaction               Do not ask any interactive question
      --profile                      Display timing and memory usage information
      --no-plugins                   Whether to disable plugins.
  -d, --working-dir=WORKING-DIR      If specified, use the given directory as working directory.
      --no-cache                     Prevent use of the cache
  -v|vv|vvv, --verbose               Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

  Generate a CycloneDX Bill of Materials


For a demo of cyclonedx-php-composer see the demo project.


This Composer-Plugin utilizes the CycloneDX library to generate the actual data structures.

This Composer-Plugin does not expose any additional public api or classes - all code is marked as @internal and might change without any notice during version upgrades.


Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.


Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.