
Composer Audit Converter

composer/composer - GitHub

Note

Available since version 1.2.0

Table Of Contents

  1. Requirements
  2. Installation
  3. Usage
  4. Learn more
  5. IDE Integration
  6. Web SARIF viewer

composer converter

Requirements

  • Composer requires PHP version 7.2.5 or greater.
  • This SARIF converter requires Composer 2.4.0 or later, the first release that ships the `composer audit` command and its `--format=json` output.

Installation

composer require --dev bartlett/sarif-php-converters

Usage

Warning

Composer cannot load a custom output format on the fly without modifying its Composer\Advisory\Auditor class, so the only option is to run the Console Tool's convert command on the native JSON output.

Build the native json output report

vendor/bin/composer audit --format=json > examples/composer/audit.json

And finally, convert it to SARIF with the Console Tool

php report-converter convert composer --input-format=json --input-file=examples/composer/audit.json -v

Tip

  • Without the verbose option (-v), the Console Tool prints a compact (single-line) SARIF document; with -v it prints a pretty-printed version.
  • The --output-file option writes a copy of the report to a file. By default, the Console Tool always prints the report to standard output.
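To show what the two-step procedure above actually does with the audit data, here is an added illustrative mapping in Python. It is not the project's PHP converter and not part of the original page: it takes a constructed JSON object shaped like `composer audit --format=json` output (an `advisories` map keyed by package name, plus an optional `abandoned` map), emits a minimal SARIF 2.1.0 document, and mirrors the compact/verbose and output-file behaviour described in the Tip. The advisory field names (`advisoryId`, `cve`, `affectedVersions`, `title`, `link`, `severity`), the severity-to-level mapping, the `composer.lock` location and all sample values (including the placeholder CVE id) are assumptions made for the example.

```python
"""Illustrative composer-audit JSON -> SARIF 2.1.0 mapping (not the project's converter)."""
import json
from pathlib import Path
from typing import Optional

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Assumed mapping of Composer advisory severity to SARIF result level.
_LEVEL_BY_SEVERITY = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}

# Constructed sample input, shaped like `composer audit --format=json` output.
# Every value below (package names, ids, dates, the CVE) is a placeholder.
SAMPLE_AUDIT = {
    "advisories": {
        "acme/widget": [
            {
                "advisoryId": "PKSA-example-0001",
                "packageName": "acme/widget",
                "affectedVersions": ">=1.0.0,<1.4.2",
                "title": "Remote code execution in template loader",
                "cve": "CVE-2024-00001",  # placeholder, not a real CVE
                "link": "https://example.invalid/advisories/0001",
                "reportedAt": "2024-03-01T10:00:00+00:00",
                "severity": "high",
            },
            {
                "advisoryId": "PKSA-example-0002",
                "packageName": "acme/widget",
                "affectedVersions": "<1.3.0",
                "title": "Path traversal in asset resolver",
                "cve": None,  # no CVE assigned: rule id falls back to advisoryId
                "link": "https://example.invalid/advisories/0002",
                "reportedAt": "2024-01-15T08:30:00+00:00",
                "severity": "medium",
            },
        ]
    },
    "abandoned": {"acme/legacy": "acme/widget"},
}


def audit_to_sarif(audit: dict, lock_file: str = "composer.lock") -> dict:
    """Map each advisory to one SARIF result and one rule; abandoned packages become warnings."""
    rules: dict = {}
    results = []
    for package, advisories in audit.get("advisories", {}).items():
        for adv in advisories:
            rule_id = adv.get("cve") or adv["advisoryId"]
            rule = {
                "id": rule_id,
                "shortDescription": {"text": adv["title"]},
                "helpUri": adv.get("link"),
                "properties": {"advisoryId": adv["advisoryId"], "reportedAt": adv.get("reportedAt")},
            }
            rules.setdefault(rule_id, {k: v for k, v in rule.items() if v is not None})
            results.append({
                "ruleId": rule_id,
                "level": _LEVEL_BY_SEVERITY.get(adv.get("severity"), "warning"),
                "message": {"text": f"{package}: {adv['title']} (affected versions {adv['affectedVersions']})"},
                # The dependency set lives in composer.lock, so that is the artifact we point at (assumption).
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": lock_file}}}],
            })
    for package, replacement in audit.get("abandoned", {}).items():
        rule_id = "abandoned-package"
        rules.setdefault(rule_id, {"id": rule_id, "shortDescription": {"text": "Package is abandoned"}})
        hint = f"; suggested replacement: {replacement}" if replacement else ""
        results.append({
            "ruleId": rule_id,
            "level": "warning",
            "message": {"text": f"{package} is abandoned{hint}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": lock_file}}}],
        })
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": "composer audit", "rules": list(rules.values())}},
                  "results": results}],
    }


def render(sarif: dict, verbose: bool = False) -> str:
    """Compact single-line JSON by default; indented when verbose (mirrors the -v tip)."""
    if verbose:
        return json.dumps(sarif, indent=2)
    return json.dumps(sarif, separators=(",", ":"))


def convert(audit: dict, verbose: bool = False, output_file: Optional[str] = None) -> str:
    """Return the SARIF text and, like --output-file, also write a copy to disk when asked."""
    text = render(audit_to_sarif(audit), verbose)
    if output_file:
        Path(output_file).write_text(text, encoding="utf-8")
    return text


if __name__ == "__main__":
    print(convert(SAMPLE_AUDIT, verbose=True))
```

Feeding a real `audit.json` is a matter of `convert(json.load(open("examples/composer/audit.json")))`; the point worth keeping from the mapping is that the rule id is the CVE when one exists and the Packagist advisory id otherwise, so downstream viewers deduplicate on a stable identifier rather than on the free-text title.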

Learn more

IDE Integration

A SARIF report file named [*].sarif.json is automatically recognized and interpreted by PhpStorm 2024.

Web SARIF viewer

With the React-based component, you can explore a previously generated SARIF report file in the browser.

For example:

sarif-web-composer