PHP
Analyze PHP projects with FOSSA via Composer, through Quick Import or the FOSSA CLI.
Overview
FOSSA supports PHP projects through Composer. You can analyze a project two ways: Quick Import in the web app, or the FOSSA CLI (recommended).
Tool support
| Tool | Quick Import (app.fossa.com) | CLI (fossa-cli) |
|---|---|---|
| Composer | composer.json | composer.lock |
How Quick Import works
When a Composer project is imported through the web app, FOSSA reads composer.json to resolve dependencies. If an exact version is not given (i.e. a version range), FOSSA resolves a dependency to the highest version satisfying the constraint, compliant with the Composer versioning spec.
Warning
Repository Scanning of Composer projects currently has the following limitations:
- We do not elect versions based on the
composer.lockfile. - We currently ignore stability tags (
@dev,@stable, etc.). - We ignore php and php extensions when inside the
requirekey ofcomposer.json. - We only look at
requirefor dependencies. Dev dependencies are ignored (require-dev,repositories, andreplaceare ignored). - Non-standard version constraints (i.e.
dev-, or.x-dev) currently have stability issues.
Analyzing with the CLI
The FOSSA CLI is the recommended way to analyze PHP projects. It reads the composer.lock file, so it resolves direct and transitive dependencies and classifies dev dependencies; capabilities that Quick Import does not provide.
Install the latest release of fossa-cli:
curl -H 'Cache-Control: no-cache' https://raw.githubusercontent.com/fossas/fossa-cli/master/install-latest.sh | bashThen run fossa analyze from your repository's root directory to analyze your Composer project. See the Composer strategy reference for detection and analysis details.
Analysis strategies
| Strategy | Direct Deps | Transitive Deps | Edges | Classifies Dev Dependencies | Container Scanning |
|---|---|---|---|---|---|
| composer.lock | ✅ | ✅ | ✅ | ✅ | ✅ |
Package data
FOSSA supports any package available on packagist.org.
All code within a package is audited for license information. If a license file is declared by the license field in composer.json, it is elected as a "Declared License" or "Primary License" in the FOSSA UI.