Tool name: CycloneDX PHP Library

[jkowalleck]

homepage_url

https://github.com/CycloneDX/cyclonedx-php-library#readme-ov-file

contact_email

jan.kowalleck [at] owasp.org

code_view_url

https://github.com/CycloneDX/cyclonedx-php-library

spdx_license_expression

Apache-2.0

description

A PHP software library to work with CycloneDX documents.

Responsibilities

• Provide a general purpose php-implementation of CycloneDX.
• Provide phpDoc3- & psalm-compatible annotations for said implementation,
  so developers and dev-tools can rely on it.
• Provide data models to work with CycloneDX.
• Provide a JSON- and an XML-normalizer, that...
  • supports all shipped data models.
  • respects any injected CycloneDX Specification and generates valid output according to it.
  • can prepare data structures for JSON- and XML-serialization.
• Serialization:
  • Provide a JSON-serializer.
  • Provide an XML-serializer.
• Validation against CycloneDX Specification:
  • Provide a JSON-validator.
  • Provide an XML-validator.
• Provide composer-based autoloading for downstream usage.

Capabilities

• Enums for the following use cases:
  • ComponentType
  • ExternalReferenceType
  • HashAlgorithm
  • LicenseAcknowledgement
• Data models for the following use cases:
  • Bom
  • BomRef, BomRefRepository
  • Component, ComponentRepository, ComponentEvidence
  • ExternalReference, ExternalReferenceRepository
  • HashDictionary
  • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
  • Metadata
  • Property, PropertyRepository
  • Tool, ToolRepository
• Utilities for the following use cases:
  • Generate valid random SerialNumbers for Bom.serialNumber
• Factories for the following use cases:
  • Create data models from any license descriptor string
• Implementation of the CycloneDX Specification for the following versions:
  • 1.6
  • 1.5
  • 1.4
  • 1.3
  • 1.2
  • 1.1
• Normalizers that convert data models to JSON structures
• Normalizers that convert data models to XML structures
• Serializer that converts Bom data models to JSON string
• Serializer that converts Bom data models to XML string
• Validator that checks JSON against CycloneDX Specification
• Validator that checks XML against CycloneDX Specification

primary_languages

PHP

short_term_roadmap

all things are community efforts - come and help/contribute

• Work In Progress: harden support for PHP 8.4
• Have known bugs fixed
• Continue supporting the community in contributing new features

long_term_roadmap

all things are community efforts - come and help/contribute

• support upcoming CycloneDX 1.7 - at least the basics, more on demand.
  CDX 1.7 is expected around May/June 2025.
• on demand: continue work towards implementation-completeness regarding CycloneDX
  • goal: eventually support all specified data models
  • driven by the community - contributions welcome!
• support EOL PHP versions for as long as possible, unless a technical reason forces to drop

proprietary_data

• Yes, the tool depends on proprietary data sources

commercial_features

• Yes, the tool has a commercial version with different/additional features

capabilities

• Identifiers - Use Package-URL (PURL) identifiers
• Identifiers - Use SPDX license expressions
• Scanning - Analyze package manifests and lockfiles
• Scanning - Analyze package files
• Scanning - Scan for copyright
• Scanning - Scan for license
• Scanning - Analyze source code
• Scanning - Analyze containers
• Scanning - Analyze installed system packages (linux distros)
• Scanning - Analyze installed application packages
• Scanning - Other analysis
• Packages - Inventory packages
• Packages - Inventory packages dependencies
• Packages - Resolve dependencies
• Packages - Navigate or display dependency graph
• Compliance - Generate CycloneDX SBOMs
• Compliance - Generate SPDX SBOMs
• Compliance - Validate CycloneDX SBOM
• Compliance - Validate SPDX SBOMs
• Compliance - Generate CycloneDX VEX
• Compliance - Generate CSAF VEX
• Compliance - Generate OpenVex
• Compliance - Generate other compliance documents
• Policies - Define and check license policies
• Policies - Define and check security policies
• Policies - Define and check other policies
• Data - Database of Package metadata
• Data - Database of Package dependency relationships
• Data - Database of License obligations
• Data - Database of Licenses
• Data - Database of Vulnerabilities
• License - Help triage license issues
• License - Generate license credit and attribution notices
• License - Generate source code redistribution lists
• Vulnerabilities - Detect vulnerable code in packages
• Vulnerabilities - Find known vulnerabilities for package
• Vulnerabilities - Determine reachable vulnerabilities
• Vulnerabilities - Help triage vulnerabilities
• Binaries - Analyze binaries
• Binaries - Analyze ELF binaries
• Binaries - Analyze Windows binaries
• Binaries - Analyze firmware binaries
• Binaries - Analyze Other binaries
• Matching - Match source code
• Matching - Match binary code
• Tracing - Trace code execution
• Tracing - Trace build
• Code Security - Analyze code statically (SAST/linting)
• Code Security - Analyze code dynamically (DAST)
• Download - Source package
• Download - Source repositories
• Download - Binary package
• Deployment - Deployable as containers (Docker/OCI/k8s/etc)
• Deployment - Deployable in CI/CD pipelines
• Deployment - Deployable as a library
• Run - Run as a command line tool
• Run - Run as a web application
• Run - Run as an API service

other_capabilities

License triage - When incorrect SPDX license identifiers are detected and can be mapped to correct SPDX License identifiers where possible this is identified