make SBOM without composer-plugin

[jkowalleck]

current implementation is a composer plugin.
this has some flaws:

• cannot generate the SBOM for lock files outside of the current composerized project.
  can generate SBOM only based in current project.

  this is not an issue at the moment, since this plugin does not utilize any composer-requirements on its own.
  so current switches --exclude-dev or --exclude-plugins can exclude cyclonedx-php-composer at the moment.

  in the future it is planned to change, to incorporate package-url/packageurl-php.
  with this change, the plugin will ship an own dep, which is not excludable via the --exclude-dev switch at the moment.

---

IDEA: ship a "binary" that can generate SBOM based on a lock file, without leverage of composer-plugin

BENEFIT:

• generated SBOM can be built without requirements of cyclonedx-php-composer.

---

THOUGHTS:

• its planned to have a cyclonedx-php-core which holds all needed models, functionality ...
• why not ship a php script as "binary" with it, that can generate SBOM based on any lock file?

[jkowalleck]

possible implementation: build a executable PHAR
that bundles composer, this very composer-plugin and all dependencies.

this way there was a shippable binary that contained all features.

[theofidry]

My two cents here hoping this describe the need clearly. I think you should have a core library which has something along the lines of:

SbomManifestFactory::fromComposerLock(string $composerLockContents): string

This would have several benefits:

• Building an app around it to provide a convenient CLI application, is a lot easier. You could use SymfonyConsole, LaravelConsole or whatever it would like be just a thin wrapper. Creating a PHAR to distribute a binary would then be easy too.
• For tools like Box/BoxManifest or other, this would allow to generate the manifest without requiring to launch a console command.

[jkowalleck]

currently not intended.
This project is about composer projects, and therefore it will not use arbitrary string nor other data formats, it will use composer native data models like RootPackageRepository and
Locker

For tools like Box/BoxManifest or other, this would allow to generate the manifest without requiring to launch a console command.

[jkowalleck]

idea closed.
idea is outdated. all the things discussed were implemented already, the project is able to anayze projects outside of its own context, now.