have a `.phar` released

[jkowalleck]

Is your feature request related to a problem? Please describe.

on CI, i always need to have a php composer available in order to create an SBOM of a composer.lock

Describe the solution you'd like

have a bundled .phar added to every release, that includes composer & the CDX composer plugin

Additional context

acc / crit

• phar includes a version of php composer & CDX plugin
• phar bundles pinned versions of all dependencies
  • lock file in the repo
  • add SBOM to PHAR for to know what is in it
• building PHAR is automated part of very release
• CI tests to build PHAR and execute integration/demos on every CT run
• IDEA: https://github.com/humbug/php-scoper is part of build process

[jkowalleck]

maybe utilize https://github.com/box-project/box ?

[llaville]

maybe utilize https://github.com/box-project/box ?

Or just https://github.com/llaville/box-manifest === box + manifests (feature missing in standard box project)

Latest version 3.3.x include CycloneDX XML and JSON versions all specifications (1.1 until 1.4 are supported)

[llaville]

FYI: I worked on a prototype of GiHub Action for BOX Manifest (see llaville/box-manifest#8).

I'll allow to build either :

• a standard box project (PHAR distrib)
• a standard box project with any manifests and custom stub (to support display phar manifests at runtime)

[jkowalleck]

@llaville you realize that this product is already an SBOM generator?

I do not see a point in using anything else than cyclonedx-php-composer to generate the SBOM of cyclonedx-php-composer.

[llaville]

@jkowalleck As you don't understand, i won't anoying you anymore !

[theofidry]

If having a Composer PHAR with the plugin then you probably would need to actually replicate the Composer build process. I didn't try in a long time I think doing box compile on the Composer project won't work as there is a few preparatory steps.

To expend a bit on https://github.com/llaville/box-manifest, when @llaville built is a tiny application that is shipped with the built PHAR that can export a manifest, SBOM or other. This is a separate project as I personally preferred to have a less invasive way and rather opt for having one idiomatic manifest shipped in the PHAR, and then Box could show/export that manifest in different formats. So whilst it's a different approach, we both strive to provide an easier way to provide a SBOM for PHARs.

I only had a quick look in order to have this feature within Box itself but strikes me about this project (unless I missed something which is well possible) is the lack of a clear API to generate the SBOM:

• When I look at @llaville manifest's builder it is not "simple": https://github.com/llaville/box-manifest/blob/master/src/Composer/Manifest/SbomManifestBuilder.php
• When I look at this project it is not either: https://github.com/CycloneDX/cyclonedx-php-composer/blob/master/src/MakeBom/Builder.php#L344

If I understand correctly, https://github.com/CycloneDX/cyclonedx-php-library is the library providing the API to build an SBOM. What I feel is missing (and what I mean by "clear API to generate the SBOM") is a manifest builder for a given existing Composer manifest. For example a function that takes the content of composer.lock/installed.json (I am not sure which one is more reliable) and generates the content of the SBOM manifest. For example:

SbomManifestFactory::fromComposerLock(string $composerLockContents): string

Then be it Composer itself, a Composer plugin, Box, BoxManifest, it's a lot easier to build around as each can adapt the console API used (Composer API, Symfony Console or other) and from where the composer manifest comes from.

PS: Sorry for kinda hijacking this issue...
PS2: It's really a nitpick, but I find very strange to have CycloneDX:make-sbom as a command name rather than cyclonedx:make-sbom. Maybe it's just me though

[jkowalleck]

re #164 (comment)

1. install this composer plugin - this will add a new command to composer
2. run composer CycloneDX:make-sbom and generate your BOM.

please create a new issue or discussion for further conversations