sbom4php 0.1.0

SBOM generator for PHP applications

SBOM4JS

The SBOM4PHP is a free, open source tool to generate a SBOM (Software Bill of Materials) for a PHP application in a number of formats including SPDX and CycloneDX.

It is intended to be used as part of a continuous integration system to enable accurate records of SBOMs to be maintained and also to support subsequent audit needs to determine if a particular component (and version) has been used.

Installation

To install use the following command:

pip install sbom4php

Alternatively, just clone the repo and install dependencies using the following command:

pip install -U -r requirements.txt

The tool requires Python 3 (3.9+). It is recommended to use a virtual python environment especially if you are using different versions of python. virtualenv is a tool for setting up virtual python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

Usage

usage: sbom4php [-h] [-d DEPENDENCY] [--application APPLICATION] [--release RELEASE] [--debug] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]

SBOM4PHP generates a Software Bill of Materials for a PHP application identifying all of the dependent components.

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit

Input:
  -d DEPENDENCY, --dependency DEPENDENCY
                        PHP dependency file
  --application APPLICATION
                        application name
  --release RELEASE     application release

Output:
  --debug               add debug information
  --sbom {spdx,cyclonedx}
                        specify type of sbom to generate (default: spdx)
  --format {tag,json,yaml}
                        format for SPDX software bill of materials (sbom) (default: tag)
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        output filename (default: output to stdout)

Operation

The --dependency option is used to identify the of the composer.lock dependency file.

The --application and --release options are used to specify the name and release of the application defined by the dependency file. These options must be specified.

The --sbom option is used to specify the format of the generated SBOM (the default is SPDX). The --format option can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both SPDX and CycloneDX SBOMs).

The --output-file option is used to control the destination of the output generated by the tool. The default is to report to the console but can be stored in a file (specified using --output-file option).

The --debug option is used to generation debug information to the console.

Licence

Licenced under the Apache 2.0 Licence.

The tool uses a local copy of the SPDX Licenses List which is released under Creative Commons Attribution 3.0 (CC-BY-3.0).

Limitations

This tool is meant to support software development and security audit functions. However, the usefulness of the tool is dependent on the SBOM data which is provided to the tool. Unfortunately, the tool is unable to determine the validity or completeness of such a SBOM file; users of the tool are therefore reminded that they should assert the quality of any data which is provided to the tool.

When processing and validating licenses, the application will use a set of synonyms to attempt to map some license identifiers to the correct SPDX License Identifiers. However, the user of the tool is reminded that they should assert the quality of any data which is provided by the tool particularly where the license identifier has been modified.

Whilst PURL and CPE references are automatically generated for each Javascript component, the accuracy of such references cannot be guaranteed as they are dependent on the validity of the data associated with the Javascript component.

Network access is required to populate some package metadata. If this is not available, a limited amount of package metadata will be included.

Feedback and Contributions

Bugs and feature requests can be made via GitHub Issues.