CycloneDX SBOM (Software Bill of Materials) parser for PHP 8.3+. Supports CycloneDX 1.4+ specifications including components, vulnerabilities, and metadata with full immutable entity design using Valinor for type mapping.
Note
Why this package?
The CycloneDX ecosystem provides an official PHP library
(cyclonedx/cyclonedx-library)
and a Composer plugin for
generating SBOMs. These tools are designed to produce BOMs as part of your build
pipeline — not for consuming them in application code.
This package aims to fill a different gap: Reading and inspecting existing SBOM files.
If your application needs to parse a CycloneDX SBOM and work with its data — querying components, checking vulnerabilities, reading metadata — you need a lightweight, read-only library with clean, type-safe objects. That is what this package aims to provide.
use mteu\SbomParser\Parser\CycloneDxParser;
$parser = new CycloneDxParser();
$bom = $parser->parseFromFile('/path/to/sbom.json');
// Access components and vulnerabilities
$components = $bom->getAllComponents();
$vulnerabilities = $bom->vulnerabilities;See detailed documentation for complete usage examples and API reference.
Contributions are very welcome! Please have a look at the Contribution Guide. It lays out the workflow of submitting new features or bugfixes.
Please refer to our security policy if you discover a security vulnerability in this extension. Be warned, though. I cannot afford bounty. This is private project.
This extension is licensed under the GPL-3.0-or-later license.
For issues and feature requests, please use the GitHub issue tracker.