sbominator / sbom-lib
SBOMinator Library
Requires
- php: >=8.2
- ext-gd: *
This package is auto-updated.
Last update: 2025-03-17 10:51:51 UTC
README
What it is
This library can be used as a multi-channel dependency tracker. It can parse the following files:
- Composer Lockfiles
- NPM Lockfiles
- CycloneDX SBOMs
- SPDX SBOMs
How it works
The library uses a parser interface to parse the files. You can then use the parser to get the dependency tree of the file. Dependencies are represented as a tree structure, with each node containing the name of the dependency and its version.
How to use it
Installation
Run `composer require sbominator/sbom-lib` to install the library.
With ddev
For easier development across machines, you can use ddev to run the project locally. You can install ddev by following the instructions at https://ddev.readthedocs.io/en/stable/#installation.
After checking out the project, run `ddev start` to start the project. Use `ddev ssh` to get a shell in the running container, then run `composer install` in that shell to install the dependencies.
Usage
Using the generator
Load up the generator of your choice and generate from a dependency tree.
```php
$generator = new SpdxSBOMGenerator($dependencies);
$SBOMstring = $generator->generate();
```
Using the scanner
Load up the scanner of your choice.
```php
use SBOMinator\Lib\Scanner\FileScanner;

/*
 * You can pass the maximum depth of the subdirectories to scan (default is 10)
 * and an array of file extensions to scan for. (If you want to work with all
 * available parsers, you can use the default ['json', 'lock'].)
 */
$fileScanner = new FileScanner(10, ['json', 'lock']);
```
Scan a directory
Use the scanForDependencies() method to scan a directory for files that the scanner supports.
```php
$dependencies = $fileScanner->scanForDependencies(getcwd());
```
Using the parser
Load up the parser of your choice.
```php
use SBOMinator\Parser\ComposerParser;

$parser = new ComposerParser();

// You can omit dev packages by calling withoutDevPackages() on the parser.
$parser = (new ComposerParser())->withoutDevPackages();
```
Parse a file that the parser supports
You can pass a file path to the parser:
```php
$parser->loadFromFile('composer.lock');
```
You can also pass the contents of a file as a string to the parser:

```php
$parser->loadFromString(file_get_contents('composer.lock'));
```
Retrieve the Dependency Tree
```php
$dependencyTree = $parser->parseDependencies();
```
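Putting the scanner, parser and generator steps above together, the following script is an added example (not code from this library's README) that turns either a single Composer lockfile or a whole directory into an SPDX SBOM on disk. Only the calls shown on this page are used; the namespace `SBOMinator\Lib\Generator` for `SpdxSBOMGenerator` is not shown here and is an assumption, as are the output file name and the `--with-dev` flag, so check the class's real location in the installed package before running.

```php
<?php
// Added example: lockfile or directory -> dependency tree -> SPDX SBOM file.
// Assumption: SpdxSBOMGenerator lives in SBOMinator\Lib\Generator (the page does not show its namespace).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use SBOMinator\Parser\ComposerParser;
use SBOMinator\Lib\Scanner\FileScanner;
use SBOMinator\Lib\Generator\SpdxSBOMGenerator; // assumed namespace

function buildSbom(string $input, string $outputPath, bool $includeDev = false): int
{
    if (!is_readable($input)) {
        fwrite(STDERR, "Input not found or not readable: $input\n");
        return 1;
    }
    $input = realpath($input);

    if (is_dir($input)) {
        // Directory: let the scanner find every supported lockfile/SBOM up to 10 levels deep.
        $scanner = new FileScanner(10, ['json', 'lock']);
        $dependencyTree = $scanner->scanForDependencies($input);
    } else {
        // Single file: parse it as a Composer lockfile. Production SBOMs normally
        // exclude dev-only packages, so they are dropped unless explicitly requested.
        $parser = new ComposerParser();
        if (!$includeDev) {
            $parser = $parser->withoutDevPackages();
        }
        $parser->loadFromFile($input);
        $dependencyTree = $parser->parseDependencies();
    }

    $sbom = (new SpdxSBOMGenerator($dependencyTree))->generate();
    if ($sbom === '') {
        fwrite(STDERR, "Generator produced an empty document for $input\n");
        return 2;
    }

    // Write to a temp file first and rename, so a failed run never leaves a truncated SBOM behind.
    $tmp = $outputPath . '.tmp';
    if (file_put_contents($tmp, $sbom, LOCK_EX) === false || !rename($tmp, $outputPath)) {
        fwrite(STDERR, "Could not write SBOM to $outputPath\n");
        return 3;
    }

    fwrite(STDOUT, sprintf("Wrote %d bytes to %s\n", strlen($sbom), $outputPath));
    return 0;
}

// Usage: php build-sbom.php [composer.lock|directory] [sbom.spdx.json] [--with-dev]
$args    = array_slice($argv, 1);
$withDev = in_array('--with-dev', $args, true);
$args    = array_values(array_filter($args, fn (string $a): bool => $a !== '--with-dev'));

exit(buildSbom(
    $args[0] ?? getcwd() . '/composer.lock',
    $args[1] ?? getcwd() . '/sbom.spdx.json',
    $withDev,
));
```

Run it from the project root with no arguments to build `sbom.spdx.json` from the local `composer.lock`, or pass a directory to have the scanner collect every supported file beneath it. The exit code is non-zero on unreadable input, an empty generator result or a failed write, so the script can gate a CI job.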
Contributing
Please see CONTRIBUTING.md for more information.