Creates CycloneDX Software Bill-of-Materials (SBOM) from PHP Composer projects

Fund package maintenance!

Installs: 764 004

Dependents: 10

Suggesters: 0

Security: 0

Stars: 46

Watchers: 5

Forks: 7

Open Issues: 13



CycloneDX PHP Composer Plugin

shield_packagist-version shield_gh-workflow-test shield_coverage shield_ossf-best-practices shield_license
shield_website shield_slack shield_groups shield_twitter-follow

A plugin for PHP's Composer that generates Software Bill of Materials (SBOM) in CycloneDX format.

Based on OWASP Software Component Verification Standard for Software Bill of Materials's criteria, this tool is capable of producing SBOM documents almost passing Level-2 (only signing needs to be done externally).

The resulting SBOM documents follow official specifications and standards, and might have properties following cdx:composer Namespace Taxonomy .


  • PHP ^8.1
  • Composer ^2.3

However, there are older versions of this plugin available, which support PHP ^5.5||^7.0||^8.0 with Composer ^1.0||^2.0 .


As a global Composer plugin:

composer global require cyclonedx/cyclonedx-php-composer

As a development dependency of the current project:

composer require --dev cyclonedx/cyclonedx-php-composer


After successful installation, the Composer command CycloneDX:make-sbom is available.

$ composer CycloneDX:make-sbom --help

  Generate a CycloneDX Bill of Materials from a PHP Composer project.

  CycloneDX:make-sbom [options] [--] [<composer-file>]

  composer-file                                       Path to Composer config file.
                                                      [default: "composer.json" file in current working directory]

      --output-format=OUTPUT-FORMAT                   Which output format to use.
                                                      {choices: "JSON", "XML"}
                                                      [default: "XML"]
      --output-file=OUTPUT-FILE                       Path to the output file.
                                                      Set to "-" to write to STDOUT
                                                      [default: "-"]
      --omit=OMIT                                     Omit dependency types.
                                                      {choices: "dev", "plugin"}
                                                      (multiple values allowed)
      --spec-version=SPEC-VERSION                     Which version of CycloneDX spec to use.
                                                      {choices: "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}
                                                      [default: "1.5"]
      --output-reproducible|--no-output-reproducible  Whether to go the extra mile and make the output reproducible.
                                                      This might result in loss of time- and random-based-values.
      --validate|--no-validate                        Formal validate the resulting BOM.
      --mc-version=MC-VERSION                         Version of the main component.
                                                      This will override auto-detection.
  -h, --help                                          Display help for the given command.
  -q, --quiet                                         Do not output any message
  -v|vv|vvv, --verbose                                Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug


For a demo of cyclonedx-php-composer see the demo projects.

How it works

This tool utilizes composer itself, to collect evidence for installed composer packages.
In terms of evidence collection, actually installed setups are preferred over pure lock file analysis.
Required evidence:

  • composer config/manifest file (e.g. composer.json file)
  • any of:
    • an actual composer setup (the result after running composer install [...] on your project)
    • a working composer lock file (e.g. composer.lock file)


This tool utilizes the CycloneDX PHP library to generate the actual data structures, normalize/serializ them and validate the SBOM result.

This tool does not expose any additional public API or classes - all code is marked as @internal and might change without any notice during version upgrades.


Feel free to open issues, bugreports or pull requests.
See the CONTRIBUTING file for details.


Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.