FOSSA supports PHP projects through Composer.
When PHP code is imported, FOSSA will find and parse the contents of
composer.json files for dependency data and intelligently resolve any references.
If an exact version is not given (i.e. a version range), FOSSA will resolve a dependency to the highest version satisfying the constraint compliant to the Composer versioning spec.
Feature in Beta
Repository Scanning for Composer projects are currently in Beta. For now we recommend that you use CI/CD Scanning.
Currently, Repository Scanning of Composer projects have the following limitations:
- We do not elect versions based on the
- We currently ignore stability tags (
@dev, @stable, etc.).
- We ignore php and php extensions when inside the
- We only look at
requirefor dependencies. Dev dependencies will be ignored (
replacewill be ignored).
- Non-standard version constraints (i.e.
.x-dev) currently have stability issues.
The full behavior of Composer builds (including lockfiles and more) are fully supported via
fossa-cli, our open-sourced dependency analysis client.
To get started, install the latest release of
fossa-cli from our GitHub releases page:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install.sh | bash
Once installed, run
fossa inside of your repo's root directory to analyze your Compose project.
fossa-cli supports Composer projects by directly inspecting the
vendor/ directory for installed components. Therefore, you can supply any arbitrary build command, or use the default one provided by
fossa-cli which runs
composer install --prefer-dist --no-dev.
FOSSA supports any package available on https://packagist.org/.
All code within a package is audited for license information. If a license file is declared by the
license field in
composer.json, it will be elected as a "Declared License" or "Primary License" in the FOSSA UI.
Updated about a year ago