PHP Application Analysis
Evaluation: Source code and manifest analysis
PHP scanning supports coordinate-based matching of PHP dependencies found in the composer.lock
file for packages coming from the Packagist ecosystem.
For the best results, we recommend generating and committing the composer.lock
file in your version control system before scanning.
What is supported
Files named composer.lock (a JSON file generated by PHP Composer) will be analyzed.
Drupal core and its components when installed using Composer.
What do we parse from the file?
Only top-level dependencies (specified under the "packages" group) are evaluated, for example:
{
  "packages": [
    {
      "name": "bower-asset/bootstrap",
      "version": "v3.2.0"
    }
  ]
}
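To make the parsing rule above concrete, here is an added example (not Sonatype's own code, and not the IQ CLI's output format) that walks only the top-level "packages" group of a composer.lock file, collects the name/version coordinates a scan would match on, and separately lists the "packages-dev" entries that such a scan does not evaluate; the lock file content and the Package URL (purl) form are constructed assumptions.

```python
import json
from typing import Dict, List

# Constructed sample composer.lock content, trimmed to the keys that matter here.
# The hash value is a placeholder, not a real lock-file hash.
SAMPLE_LOCK = """
{
  "hash": "PLACEHOLDER-LOCK-HASH",
  "packages": [
    {"name": "bower-asset/bootstrap", "version": "v3.2.0"},
    {"name": "components/jqueryui", "version": "1.11.4"}
  ],
  "packages-dev": [
    {"name": "example-vendor/dev-only-tool", "version": "2.0.1"}
  ]
}
"""


def composer_coordinates(lock_text: str) -> List[Dict[str, str]]:
    """Return name/version coordinates from the top-level "packages" group,
    the only group the scanner evaluates according to the documentation."""
    lock = json.loads(lock_text)
    coords: List[Dict[str, str]] = []
    for pkg in lock.get("packages", []):
        name, version = pkg.get("name"), pkg.get("version")
        if not name or not version:
            # Skip malformed entries instead of emitting a half-formed coordinate.
            continue
        coords.append({"name": name, "version": version})
    return coords


def unevaluated_dev_packages(lock_text: str) -> List[str]:
    """Names under "packages-dev": present in the lock file but outside the
    "packages" group, so a scan limited to that group will not report them."""
    lock = json.loads(lock_text)
    return [p["name"] for p in lock.get("packages-dev", []) if "name" in p]


def to_purl(name: str, version: str) -> str:
    """Package URL spelling of a Composer coordinate (assumed identifier form
    for cross-referencing, not the IQ CLI's own representation)."""
    return f"pkg:composer/{name}@{version}"


if __name__ == "__main__":
    for c in composer_coordinates(SAMPLE_LOCK):
        print(to_purl(c["name"], c["version"]))
    print("not evaluated (packages-dev):", unevaluated_dev_packages(SAMPLE_LOCK))
```

Running it against a real composer.lock shows which dev-only dependencies fall outside the evaluated set, which is worth knowing before treating a clean scan as complete.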
Steps to analyze using the Sonatype IQ CLI
Invoke a Sonatype IQ CLI scan of a directory or subdirectories containing a composer.lock file.
Example composer.lock file (file is edited for clarity)
{
  "hash": "8ca6b6b80bab36b5287b4292abee988f",
  "packages": [
    {
      "name": "bower-asset/bootstrap",
      "version": "v3.2.0",
      "source": {
        "type": "git",
        "url": "https://github.com/twbs/bootstrap.git",
        "reference": "c068162161154a4b85110ea1e7dd3d7897ce2b72"
      }
    },
    {
      "name": "bower-asset/jquery",
      "version": "2.1.1",
      "source": {
        "type": "git",
        "url": "https://github.com/jquery/jquery.git",
        "reference": "4dec426aa2a6cbabb1b064319ba7c272d594a688"
      }
    },
    {
      "name": "components/jqueryui",
      "version": "1.11.4"
    }
  ]
}