PHP

To install CycloneDX in PHP with Composer, you must first make sure you have PHP and Composer installed on your system. Then, follow these steps:

Open a terminal or command line.
Navigate to the root of your PHP project, where your composer.json file is located.
Run the following command to add CycloneDX as a development dependency:

composer require --dev cyclonedx/cyclonedx-php-composer

We enable the CycloneDX plugin, for that we have to add to the composer.json the following

    "config": {
        "allow-plugins": {
            "cyclonedx/cyclonedx-php-composer": true
        }
    }

We can now run the dependency analysis using CycloneXD with the following command

composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json

Integration with Gitlab

Now that we know how to integrate it in php let's add our stage in the CI to be executed in each commit and sent to the dependency management platform Dependecy-track.

.gitlab-ci.yml
sbom_scan:
  stage: sbom_scan
  image: harbor.opensecdevops.com/osdo/php-ci@sha256:d44a5d14ce250fd5881fbdbceec02a3a43118ceb4d3abcb66861bec160becbbe
  dependencies: ['composer']
  variables:
    COMPOSER_ALLOW_SUPERUSER: 1
  cache:
    key: ${CI_COMMIT_REF_SLUG}-composer
    paths:
      - vendor/
  script:
    - composer CycloneDX:make-sbom --output-file=sbom.json --output-format=json
    - sh ../.gitlab-ci/dependency-track.sh 
  allow_failure: true
  artifacts:
    expire_in: 1 days
    paths:
      - sbom.json

Once the sbom file is loaded in the Dependecy-track platform we will see the dependencies and their update status and known vulnerabilities.

List of dependencies

PHP

Integration with Gitlab​

Integration with Gitlab