gitea-mirror/trivy
1
0
Fork 0
mirror of https://github.com/aquasecurity/trivy.git synced 2025-12-18 18:22:40 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
56b59e8abbb891564bf03608b8150bceaeb60ded
trivy/docs/guide/coverage/language/php.md

36 lines
2.0 KiB
Markdown
Raw Blame History

# PHP
Trivy supports [Composer][composer], which is a tool for dependency management in PHP.
The following scanners are supported.
| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| Composer | ✓ | ✓ | ✓ |
The following table provides an outline of the features Trivy offers.
| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position |
|-----------------|----------------|:-----------------------:|:----------------------------------:|:------------------------------------:|:--------:|
| Composer | composer.lock | ✓ | [Excluded](#development-dependencies) | ✓ | ✓ |
| Composer | installed.json | ✓ | Excluded | - | ✓ |
## composer.lock
In order to detect dependencies, Trivy searches for `composer.lock`.
Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `composer.lock`, Trivy parses `composer.json`, which should be located next to `composer.lock`.
If you want to see the dependency tree, please ensure that `composer.json` is present.
### Development dependencies
By default, Trivy doesn't report development dependencies (`packages-dev` in `composer.lock`).
Use the `--include-dev-deps` flag to include them.
To correctly identify direct development dependencies, Trivy parses `require-dev` from `composer.json`, which should be located next to `composer.lock`.
## installed.json
Trivy also supports dependency detection for `installed.json` files. By default, you can find this file at `path_to_app/vendor/composer/installed.json`.
[composer]: https://getcomposer.org/
[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
Reference in New Issue View Git Blame Copy Permalink