SBOM Manager

Appearance

Composer Package Scanner

The Composer package scanner automatically detects and extracts all third-party dependencies declared in your PHP projects that use Composer as their package manager.

What It Does

Default file: composer.json

When you enable the Composer scanner during SBOM creation, CAST SBOM Manager will:

  • Find all Composer manifest files (composer.json and composer.lock) throughout your codebase
  • Extract declared dependencies from both production and development sections
  • Parse version constraints to identify exact pinned versions
  • Process lock files to capture exact resolved versions
  • Filter platform packages excluding PHP itself and PHP extensions

composer.json vs. composer.lock

The Composer scanner processes two types of files, each serving a different purpose:

  • composer.json - Declares dependencies with flexible version constraints (e.g., ^2.0)
  • composer.lock - Contains exact resolved versions (e.g., 2.31.5)

If both are present, composer.lock provides more precise version information for your SBOM. The scanner processes both files independently, so you'll see entries from both if they exist in your project.

What Gets Detected

The Composer scanner identifies dependencies from two types of files:

Manifest File (composer.json)

From composer.json files, the scanner extracts:

  • Production dependencies from the require section
  • Development dependencies from the require-dev section
  • Package names and their version constraints
  • Exact versions when specified with precise version numbers

Version handling:

  • Equality constraints with exact versions (e.g., "2.31.0" or "=2.31.0") are captured as pinned versions
  • Version ranges and operators (e.g., "^2.0", "~1.5", ">=1.0 <2.0") are recognized but no specific version is pinned
  • Dependencies with version constraints are still recorded, allowing you to see which packages are declared even when their exact version will be resolved by Composer

Excluded packages:

  • php - The PHP language itself is not a package dependency
  • Packages starting with ext- - PHP extensions (e.g., ext-json, ext-mbstring)
  • Packages starting with lib- - System libraries (e.g., lib-curl)

Lock File (composer.lock)

From composer.lock files, the scanner extracts:

  • All resolved packages with their exact installed versions
  • Both production packages (from the packages array)
  • Development packages (from the packages-dev array)
  • Precise version numbers as resolved by Composer during installation

The lock file provides a complete snapshot of every package installed in your project's vendor directory, ensuring reproducible installations across environments.

How It Works

composer.json Processing

When scanning a composer.json file, the scanner:

  1. Parses the JSON structure
  2. Processes the require section for production dependencies
  3. Processes the require-dev section for development dependencies (both types are included in the SBOM)
  4. For each dependency:
    • Extracts the package name (in vendor/name format)
    • Parses the version constraint using Composer-style version parsing
    • If the constraint represents an exact equality (e.g., "2.31.0" or "=2.31.0"), stores it as the pinned version
    • If the constraint is a range or uses operators like ^ or ~, records the dependency without a specific version
  5. Skips platform packages (php, ext-, lib-)

composer.lock Processing

When scanning a composer.lock file, the scanner:

  1. Parses the JSON structure
  2. Processes the packages array (production dependencies)
  3. Processes the packages-dev array (development dependencies)
  4. For each package entry:
    • Extracts the package name from the name field
    • Extracts the exact version from the version field (lock files always contain concrete versions)
    • Parses and validates the version using Composer-style version parsing
    • Creates a dependency entry with the package name and pinned version

Version Constraint Parsing

The scanner recognizes Composer's version constraint syntax and extracts exact versions when specified. When a version constraint represents an equality (a single exact version), it is captured as a pinned version in the SBOM. All other constraints (ranges, operators, compound expressions) result in the package being recorded without a pinned version.

What It Doesn't Detect

The Composer scanner focuses on Composer-managed packages. It does not detect:

  • Platform requirements - PHP itself, PHP extensions (ext-), or system libraries (lib-)
  • Manually included PHP libraries - Code copied directly into your project without Composer
  • WordPress plugins/themes - Unless installed via Composer
  • Legacy PEAR packages - Old PHP package format not managed by Composer
  • Embedded or copy-pasted code from open source projects

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.

Copyright © 2025 CAST SOFTWARE.