# composer (php ecosystem)
Bomly uses this chain when it finds composer evidence.
| Property | Value |
|---|---|
| Package manager | composer |
| Ecosystem | php |
| Detector chain | composer-detector, syft-detector |
| Evidence patterns | composer.lock, installed.json |
| Install-first support | Yes |
| Native command hints | composer, syft for bomly-lite |
## How composer resolves
`composer-detector` is a lockfile parser: it reads `composer.lock` (preferred) or `vendor/composer/installed.json` directly and produces a full transitive graph with Packagist coordinates. No subprocess runs.
| Step | Strategy | Command |
|---|---|---|
| Resolve graph | Lockfile parser | None |
## Network behavior
✅ Fully offline-safe. Bomly does not invoke PHP, Composer, or any other tool to resolve the graph.
## Prerequisites
- A committed `composer.lock` for full transitive resolution. The detector handles Composer 2.x lockfiles.
- If only `vendor/composer/installed.json` is present (no lockfile), the detector reads that file directly. Both produce equivalent graph data.
- No PHP or Composer installation is required to scan.
- For `--install-first`: `composer` on `PATH`.
## --install-first
composer supports `--install-first`. When passed, Bomly runs `composer install` in the project directory before resolving the graph.
⚠️ `--install-first` downloads packages from Packagist (or whatever repositories your `composer.json` declares) and writes to `vendor/`. Use it on a clean checkout when the lockfile is missing or stale.
```bash
bomly scan --install-first
```
### Customizing the install command
Append flags to `composer install` with the repeatable `--install-arg`. Requires `--detectors composer-detector`.
```bash
# Production-shaped graph: skip dev dependencies, optimize autoloader
bomly scan --install-first --detectors composer-detector \
  --install-arg --no-dev --install-arg --optimize-autoloader
```
## Examples
### Fix a direct vulnerability
```json
{
  "require": {
    "symfony/http-foundation": "^7.1.4"
  }
}
```
Run `composer update symfony/http-foundation`, then re-scan.
### Pin a transitive vulnerability
```json
{
  "require": {
    "guzzlehttp/guzzle": ">=7.9.0"
  }
}
```
Run `composer update guzzlehttp/guzzle`, then re-scan.
## Reachability
Not yet supported. Bomly has no PHP reachability analyzer today.
`--analyze` produces `not_applicable` for Composer packages.
## Limitations
- `pear`-installed packages are detected by Syft, not by `composer-detector`. PEAR is in maintenance; expect coverage to track Syft's PEAR cataloger.
- `platform` requirements (`php`, `ext-*`) are recorded as metadata but not turned into graph edges.
- Path repositories (`type: path`) are recorded with their resolved version; internal dependencies of the local package come from the local checkout.
- VCS repositories with branch refs are tracked by the resolved reference; advisory matching uses the version Composer records.
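The lockfile walk described under "How composer resolves", the metadata-not-edges rule for `platform` requirements from the limitations above, and the re-scan after the `composer update` examples, shown together as an added Python example. This is not Bomly's own code (the page does not show its implementation); it only mirrors the composer.lock and installed.json layouts Composer writes. The lock excerpt is constructed: package names, versions and constraints are illustrative, and `acme/replaced-lib` is left out of the lock on purpose to show how a requirement that is satisfied through another package's `replace`/`provide` surfaces as an unresolved edge.

```python
"""Lockfile-to-graph walk for Composer 2.x: no PHP or Composer subprocess,
platform requirements kept as metadata rather than edges, dev packages flagged,
and a locked version checked against a patched floor. Added example, not Bomly's."""
import json
import re

# Names Composer treats as platform packages rather than Packagist coordinates.
PLATFORM_RE = re.compile(r"^(php(-64bit|-ipv6|-zts|-debug)?|hhvm|ext-[^/]+"
                         r"|lib-[^/]+|composer(-plugin-api|-runtime-api)?)$")

# Constructed composer.lock excerpt; versions and requires are illustrative.
# "acme/replaced-lib" is deliberately absent: that is how a requirement met via
# another package's replace/provide shows up when walking a lock.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "guzzlehttp/guzzle", "version": "7.8.1", "source": {"type": "git"},
     "require": {"php": "^7.2.5 || ^8.0", "ext-json": "*",
                 "guzzlehttp/psr7": "^2.5"}},
    {"name": "guzzlehttp/psr7", "version": "2.6.2", "source": {"type": "git"},
     "require": {"php": "^7.2.5 || ^8.0", "psr/http-message": "^1.1 || ^2.0"}},
    {"name": "psr/http-message", "version": "2.0", "source": {"type": "git"},
     "require": {"php": "^7.2 || ^8.0"}},
    {"name": "acme/internal-lib", "version": "dev-main", "dist": {"type": "path"},
     "require": {"php": ">=8.1", "acme/replaced-lib": "*"}}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "10.5.0", "source": {"type": "git"},
     "require": {"php": ">=8.1", "ext-dom": "*"}}
  ]
}""")


def is_platform(name):
    return PLATFORM_RE.match(name) is not None


def load_packages(doc):
    """(packages, dev_names) from either file shape: composer.lock keeps dev
    packages in "packages-dev"; Composer 2 installed.json has one "packages"
    list plus "dev-package-names"; Composer 1 installed.json is a bare array."""
    if isinstance(doc, list):
        return list(doc), set()
    if "packages-dev" in doc:
        dev = doc["packages-dev"]
        return doc.get("packages", []) + dev, {p["name"] for p in dev}
    return doc.get("packages", []), set(doc.get("dev-package-names", []))


def as_installed_json(lock):
    """Reshape a composer.lock into the Composer 2 installed.json layout."""
    dev = lock.get("packages-dev", [])
    return {"packages": lock["packages"] + dev, "dev": True,
            "dev-package-names": [p["name"] for p in dev]}


def build_graph(doc):
    """Nodes keyed by name; edges only to Packagist-style names; platform
    requirements (php, ext-*, lib-*) recorded per node as metadata."""
    packages, dev_names = load_packages(doc)
    graph = {"nodes": {}, "edges": {}, "platform": {}}
    for pkg in packages:
        name = pkg["name"]
        repo = pkg.get("source") or pkg.get("dist") or {}   # path repos use dist
        graph["nodes"][name] = {"version": pkg["version"],
                                "dev": name in dev_names,
                                "repo_type": repo.get("type")}
        graph["edges"][name], graph["platform"][name] = [], {}
        for req, constraint in (pkg.get("require") or {}).items():
            if is_platform(req):
                graph["platform"][name][req] = constraint
            else:
                graph["edges"][name].append(req)
    return graph


def reachable(graph, roots, include_dev=True):
    """Transitive closure from the project's direct requirements. Returns
    (reached, unresolved); unresolved names are required but not in the lock."""
    seen, unresolved, stack = set(), set(), list(roots)
    while stack:
        name = stack.pop()
        if name in seen or is_platform(name):
            continue
        node = graph["nodes"].get(name)
        if node is None:
            unresolved.add(name)
        elif include_dev or not node["dev"]:
            seen.add(name)
            stack.extend(graph["edges"][name])
    return seen, unresolved


def version_key(version):
    """Composer-style numeric key ("v7.1.4" -> (7, 1, 4, 0)); None for branch
    references such as dev-main or 9999999-dev, which are not comparable."""
    v = version.strip()
    m = re.match(r"v?(\d+(?:\.\d+){0,3})", v)
    if v.startswith("dev-") or v.endswith("-dev") or m is None:
        return None
    parts = [int(x) for x in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def below_floor(graph, name, floor):
    """True when the locked version of `name` is below the patched `floor`
    (the re-scan check after `composer update name`); None when the package
    is absent or pinned to a branch reference."""
    node = graph["nodes"].get(name)
    key = version_key(node["version"]) if node else None
    return None if key is None else key < version_key(floor)
```

`build_graph` accepts either file shape, and `as_installed_json` reshapes the sample lock so you can confirm the two produce the same graph, as the prerequisites state. `reachable(graph, roots, include_dev=False)` gives the production-shaped view that `--install-arg --no-dev` would install; `below_floor` is the check to run on the refreshed lock after `composer update <package>`, returning `None` rather than a verdict for branch references, which is the case where advisory matching depends on the version Composer records rather than on a comparable number.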