
PHP

To install CycloneDX in a PHP project with Composer, first make sure PHP and Composer are installed on your system. Then follow these steps:

  • Open a terminal or command line.
  • Navigate to the root of your PHP project, where your composer.json file is located.
  • Run the following command to add CycloneDX as a development dependency:

    composer require --dev cyclonedx/cyclonedx-php-composer

  • Enable the CycloneDX Composer plugin by adding the following to composer.json (Composer only runs plugins that are explicitly allow-listed here):

    "config": {
        "allow-plugins": {
            "cyclonedx/cyclonedx-php-composer": true
        }
    }

  • We can now run the dependency analysis with CycloneDX using the following command:

    composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json

Integration with GitLab

Now that we know how to integrate it in PHP, let's add a stage to the CI pipeline that runs on each commit and sends the resulting SBOM to the dependency management platform Dependency-Track.

.gitlab-ci.yml

sbom_scan:
  stage: sbom_scan
  image: harbor.opensecdevops.com/osdo/php-ci@sha256:d44a5d14ce250fd5881fbdbceec02a3a43118ceb4d3abcb66861bec160becbbe
  dependencies: ['composer']
  variables:
    COMPOSER_ALLOW_SUPERUSER: 1
  cache:
    key: ${CI_COMMIT_REF_SLUG}-composer
    paths:
      - vendor/
  script:
    - composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json
    - sh ../.gitlab-ci/dependency-track.sh
  allow_failure: true
  artifacts:
    expire_in: 1 days
    paths:
      - sbom.json
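The job above calls a `dependency-track.sh` script whose contents are not shown on this page. The script below is an added example of what such an upload step can look like; it is not the project's own script. It sends `sbom.json` to Dependency-Track's `PUT /api/v1/bom` endpoint, which takes the BOM base64-encoded inside a JSON body and authenticates with the `X-Api-Key` header. The variables `DTRACK_URL` and `DTRACK_API_KEY` are assumed to be defined as masked CI/CD variables; `CI_PROJECT_PATH_SLUG` and `CI_COMMIT_REF_NAME` are GitLab's predefined variables and are used here as the project name and version.

```shell
#!/bin/sh
# Added example (not the page's dependency-track.sh): upload a CycloneDX JSON
# SBOM to Dependency-Track. Assumed environment: DTRACK_URL, DTRACK_API_KEY.

# Cheap sanity check before sending anything: a CycloneDX JSON BOM always
# carries "bomFormat": "CycloneDX" at the top level.
is_cyclonedx_json() {
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"
}

# Build the JSON body expected by PUT /api/v1/bom. The BOM itself goes in the
# "bom" field, base64-encoded on a single line. autoCreate lets the server
# create the project on first upload (the API key then needs the
# PROJECT_CREATION_UPLOAD permission in addition to BOM_UPLOAD).
# Project name and version are inserted verbatim, so they must not contain
# double quotes or backslashes; GitLab slugs and branch names normally do not.
build_bom_payload() {
    sbom_file="$1"
    project_name="$2"
    project_version="$3"
    bom_b64=$(base64 < "$sbom_file" | tr -d '\n')
    printf '{"projectName":"%s","projectVersion":"%s","autoCreate":true,"bom":"%s"}' \
        "$project_name" "$project_version" "$bom_b64"
}

# Perform the upload. --fail makes curl exit non-zero on HTTP 4xx/5xx, so an
# expired key or missing permission fails the job visibly instead of silently.
upload_sbom() {
    sbom_file="$1"
    project_name="$2"
    project_version="$3"
    payload_file=$(mktemp)
    build_bom_payload "$sbom_file" "$project_name" "$project_version" > "$payload_file"
    curl --silent --show-error --fail \
        --request PUT "${DTRACK_URL%/}/api/v1/bom" \
        --header "X-Api-Key: ${DTRACK_API_KEY}" \
        --header "Content-Type: application/json" \
        --data "@${payload_file}"
    status=$?
    rm -f "$payload_file"
    return $status
}

main() {
    sbom="${1:-sbom.json}"
    if ! is_cyclonedx_json "$sbom"; then
        echo "error: $sbom is not a CycloneDX JSON BOM" >&2
        return 1
    fi
    upload_sbom "$sbom" "${CI_PROJECT_PATH_SLUG:-local-project}" "${CI_COMMIT_REF_NAME:-local}"
}

# Only attempt the network call when the Dependency-Track settings are present;
# without them the functions above are just defined (handy for local testing).
if [ -n "${DTRACK_URL:-}" ] && [ -n "${DTRACK_API_KEY:-}" ]; then
    main "$@"
fi
```

Keep `DTRACK_API_KEY` masked in GitLab so it never appears in job logs, and give the key only the `BOM_UPLOAD` (and, if `autoCreate` is used, `PROJECT_CREATION_UPLOAD`) permission rather than an administrator key. Because the job has `allow_failure: true`, a failed upload will not block the pipeline, so watch the job status in the pipeline view or drop `allow_failure` once the integration is stable.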

Once the SBOM file has been uploaded to the Dependency-Track platform, we can see the project's dependencies, their update status, and their known vulnerabilities.

List of dependencies