Initial checkin of ComposerLockAnalyzer

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -0,0 +1,161 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.composer.ComposerDependency;
+import org.owasp.dependencycheck.data.composer.ComposerException;
+import org.owasp.dependencycheck.data.composer.ComposerLockParser;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Checksum;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
+
+/**
+ * Used to analyze a composer.lock file for a composer PHP app.
+ *
+ * @author colezlaw
+ */
+public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
+    /**
+     * The logger
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
+
+    /**
+     * The analyzer name
+     */
+    private static final String ANALYZER_NAME = "Composer.lock analyzer";
+
+    /**
+     * composer.json
+     */
+    private static final String COMPOSER_LOCK = "composer.lock";
+
+    /**
+     * The FileFilter
+     */
+    private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILE_FILTER;
+    }
+
+    /**
+     * Initializes the analyzer
+     *
+     * @throws Exception
+     */
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        sha1 = MessageDigest.getInstance("SHA1");
+    }
+
+    /**
+     * The MessageDigest for calculating a new digest for the new dependencies added
+     */
+    private MessageDigest sha1 = null;
+
+    /**
+     * Entry point for the analyzer.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException if there's a failure during analysis
+     */
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(dependency.getActualFile());
+            final ComposerLockParser clp = new ComposerLockParser(fis);
+            LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
+            clp.process();
+            for (ComposerDependency dep : clp.getDependencies()) {
+                final Dependency d = new Dependency(dependency.getActualFile());
+                d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
+                final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+                d.setFilePath(filePath);
+                d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
+                d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+                d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+                d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
+                LOGGER.info("Adding dependency {}", d);
+                engine.getDependencies().add(d);
+            }
+        } catch (FileNotFoundException fnfe) {
+            LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
+        } catch (ComposerException ce) {
+            LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
+        } finally {
+            if (fis != null) {
+                try {
+                    fis.close();
+                } catch (Exception e) {
+                    LOGGER.debug("Unable to close file", e);
+                }
+            }
+        }
+    }
+
+    /**
+     * Gets the key to determine whether the analyzer is enabled.
+     *
+     * @return the key specifying whether the analyzer is enabled
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED;
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the analyzer's name
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase this analyzer should run under.
+     *
+     * @return the analysis phase
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.INFORMATION_COLLECTION;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -104,6 +104,21 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 "spring-security-core",
                 Confidence.HIGH);
 
+        final Evidence symfony = new Evidence("composer.lock",
+            "vendor",
+            "symfony",
+            Confidence.HIGHEST);
+
+        final Evidence zendframeworkVendor = new Evidence("composer.lock",
+            "vendor",
+            "zendframework",
+            Confidence.HIGHEST);
+
+        final Evidence zendframeworkProduct = new Evidence("composer.lock",
+            "product",
+            "zendframework",
+            Confidence.HIGHEST);
+
         //springsource/vware problem
         final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
         final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
@@ -128,6 +143,18 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
 
+        if (vendor.contains(symfony)) {
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
+        }
+
+        if (vendor.contains(zendframeworkVendor)) {
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
+        }
+
+        if (product.contains(zendframeworkProduct)) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
+        }
+
         //sun/oracle problem
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
         final List<Evidence> newEntries = new ArrayList<Evidence>();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerDependency.java

@@ -0,0 +1,103 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+/**
+ * Reperesents a dependency (GAV, right now) from a Composer dependency.
+ *
+ * @author colezlaw
+ */
+public final class ComposerDependency {
+    /** The group */
+    private final String group;
+
+    /** The project */
+    private final String project;
+
+    /** The version */
+    private final String version;
+
+    /**
+     * Create a ComposerDependency from group, project, and version.
+     *
+     * @param group the group
+     * @param project the project
+     * @param version the version
+     */
+    public ComposerDependency(String group, String project, String version) {
+        this.group = group;
+        this.project = project;
+        this.version = version;
+    }
+
+    /**
+     * Get the group.
+     *
+     * @return the group
+     */
+    public String getGroup() {
+        return group;
+    }
+
+    /**
+     * Get the project.
+     *
+     * @return the project
+     */
+    public String getProject() {
+        return project;
+    }
+
+    /**
+     * Get the version.
+     *
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof ComposerDependency)) {
+            return false;
+        }
+
+        final ComposerDependency that = (ComposerDependency) o;
+
+        if (group != null ? !group.equals(that.group) : that.group != null) {
+            return false;
+        }
+        if (project != null ? !project.equals(that.project) : that.project != null) {
+            return false;
+        }
+        return !(version != null ? !version.equals(that.version) : that.version != null);
+
+    }
+
+    @Override
+    public int hashCode() {
+        int result = group != null ? group.hashCode() : 0;
+        result = 31 * result + (project != null ? project.hashCode() : 0);
+        result = 31 * result + (version != null ? version.hashCode() : 0);
+        return result;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java

@@ -0,0 +1,52 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+/**
+ * Represents an exception when handling a composer.json or composer.lock
+ * file. Generally used to wrap a downstream exception.
+ *
+ * @author colezlaw
+ */
+public class ComposerException extends RuntimeException {
+    /**
+     * Creates a ComposerException with default message.
+     */
+    public ComposerException() {
+        super();
+    }
+
+    /**
+     * Creates a ComposerException with the specified message.
+     *
+     * @param message the exception message
+     */
+    public ComposerException(String message) {
+        super(message);
+    }
+
+    /**
+     * Creates a Composer exception with the specified message and cause.
+     *
+     * @param message the message
+     * @param cause the underlying cause
+     */
+    public ComposerException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerLockParser.java

@@ -0,0 +1,115 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.json.Json;
+import javax.json.JsonArray;
+import javax.json.JsonException;
+import javax.json.JsonObject;
+import javax.json.JsonReader;
+import javax.json.stream.JsonParsingException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Parses a Composer.lock file from an input stream. In a separate class so it can hopefully be injected.
+ *
+ * @author colezlaw
+ */
+public class ComposerLockParser {
+    /** The JsonReader for parsing JSON */
+    private final JsonReader jsonReader;
+
+    /** The input stream we'll read */
+    private final InputStream inputStream; // NOPMD - it gets set in the constructor, read later
+
+    /** The List of ComposerDependencies found */
+    private final List<ComposerDependency> composerDependencies;
+
+    /** The LOGGER */
+    private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockParser.class);
+
+    /**
+     * Createas a ComposerLockParser from a JsonReader and an InputStream.
+     *
+     * @param inputStream the InputStream to parse
+     */
+    public ComposerLockParser(InputStream inputStream) {
+        LOGGER.info("Creating a ComposerLockParser");
+        this.inputStream = inputStream;
+        this.jsonReader = Json.createReader(inputStream);
+        this.composerDependencies = new ArrayList<ComposerDependency>();
+    }
+
+    /**
+     * Process the input stream to create the list of dependencies.
+     */
+    public void process() {
+        LOGGER.info("Beginning Composer lock processing");
+        try {
+            final JsonObject composer = jsonReader.readObject();
+            if (composer.containsKey("packages")) {
+                LOGGER.debug("Found packages");
+                final JsonArray packages = composer.getJsonArray("packages");
+                for (JsonObject pkg : packages.getValuesAs(JsonObject.class)) {
+                    if (pkg.containsKey("name")) {
+                        final String groupName = pkg.getString("name");
+                        if (groupName.indexOf('/') >= 0 && groupName.indexOf('/') <= groupName.length() - 1) {
+                            if (pkg.containsKey("version")) {
+                                final String group = groupName.substring(0, groupName.indexOf('/'));
+                                final String project = groupName.substring(groupName.indexOf('/') + 1);
+                                String version = pkg.getString("version");
+                                // Some version nubmers begin with v - which doesn't end up matching CPE's
+                                if (version.startsWith("v")) {
+                                    version = version.substring(1);
+                                }
+                                LOGGER.debug("Got package {}/{}/{}", group, project, version);
+                                composerDependencies.add(new ComposerDependency(group, project, version));
+                            } else {
+                                LOGGER.debug("Group/package {} does not have a version", groupName);
+                            }
+                        } else {
+                            LOGGER.debug("Got a dependency with no name");
+                        }
+                    }
+                }
+            }
+        } catch (JsonParsingException jsonpe) {
+            throw new ComposerException("Error parsing stream", jsonpe);
+        } catch (JsonException jsone) {
+            throw new ComposerException("Error reading stream", jsone);
+        } catch (IllegalStateException ise) {
+            throw new ComposerException("Illegal state in composer stream", ise);
+        } catch (ClassCastException cce) {
+            throw new ComposerException("Not exactly composer lock", cce);
+        }
+    }
+
+    /**
+     * Gets the list of dependencies.
+     *
+     * @return the list of dependencies
+     */
+    public List<ComposerDependency> getDependencies() {
+        return composerDependencies;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/package-info.java

@@ -0,0 +1,4 @@
+/**
+ * Model elements for PHP Composer files
+ */
+package org.owasp.dependencycheck.data.composer;

dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -19,3 +19,4 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
+org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -61,6 +61,7 @@ analyzer.archive.enabled=true
 analyzer.jar.enabled=true
 analyzer.nuspec.enabled=true
 analyzer.assembly.enabled=true
+analyzer.composer.lock.enabled=true
 
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -0,0 +1,101 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Unit tests for NodePackageAnalyzer.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class ComposerLockAnalyzerTest extends BaseTest {
+
+    /**
+     * The analyzer to test.
+     */
+    ComposerLockAnalyzer analyzer;
+
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        analyzer = new ComposerLockAnalyzer();
+        analyzer.setFilesMatched(true);
+        analyzer.initialize();
+    }
+
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
+
+    /**
+     * Test of getName method, of class ComposerLockAnalyzer.
+     */
+    @Test
+    public void testGetName() {
+        assertEquals("Composer.lock analyzer", analyzer.getName());
+    }
+
+    /**
+     * Test of supportsExtension method, of class ComposerLockAnalyzer.
+     */
+    @Test
+    public void testSupportsFiles() {
+        assertTrue(analyzer.accept(new File("composer.lock")));
+    }
+
+    /**
+     * Test of inspect method, of class PythonDistributionAnalyzer.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzePackageJson() throws Exception {
+        final Engine engine = new Engine();
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                "composer.lock"));
+        analyzer.analyze(result, engine);
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/composer/ComposerLockParserTest.java

@@ -0,0 +1,68 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.composer;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.nio.charset.Charset;
+
+import static org.junit.Assert.*;
+
+/**
+ * Created by colezlaw on 9/5/15.
+ */
+public class ComposerLockParserTest {
+    private InputStream inputStream;
+
+    @Before
+    public void setUp() {
+        inputStream = this.getClass().getClassLoader().getResourceAsStream("composer.lock");
+    }
+
+    @Test
+    public void testValidComposerLock() {
+        ComposerLockParser clp = new ComposerLockParser(inputStream);
+        clp.process();
+        assertEquals(30, clp.getDependencies().size());
+        assertTrue(clp.getDependencies().contains(new ComposerDependency("symfony", "translation", "2.7.3")));
+    }
+
+    @Test(expected=ComposerException.class)
+    public void testNotJSON() throws Exception {
+        String input = "NOT VALID JSON";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+
+    @Test(expected=ComposerException.class)
+    public void testNotComposer() throws Exception {
+        String input = "[\"ham\",\"eggs\"]";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+
+    @Test(expected=ComposerException.class)
+    public void testNotPackagesArray() throws Exception {
+        String input = "{\"packages\":\"eleventy\"}";
+        ComposerLockParser clp = new ComposerLockParser(new ByteArrayInputStream(input.getBytes(Charset.defaultCharset())));
+        clp.process();
+    }
+}

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -225,6 +225,14 @@ public final class Settings {
          * The properties key for whether the node.js package analyzer is enabled.
          */
         public static final String ANALYZER_NODE_PACKAGE_ENABLED = "analyzer.node.package.enabled";
+        /**
+         * The properties key for whether the composer json file analyzer is enabled.
+         */
+        public static final String ANALYZER_COMPOSER_JSON_ENABLED = "analyzer.composer.json.enabled";
+        /**
+         * The properties key for whether the composer lock file analyzer is enabled.
+         */
+        public static final String ANALYZER_COMPOSER_LOCK_ENABLED = "analyzer.composer.lock.enabled";
         /**
          * The properties key for the Nexus search URL.
          */

src/site/markdown/analyzers/composer-lock.md

@@ -0,0 +1,7 @@
+Composer Lock Analyzer
+==============
+
+OWASP dependency-check includes an analyzer that scans composer.lock files to get exact dependency
+version information from PHP projects which are managed with [Composer](http://getcomposer.org/).
+If you're using Composer to manage your project, this will only analyze the `composer.lock` file
+currently, so you'll need to run `composer install` to have Composer generate this file.

src/site/markdown/analyzers/index.md

@@ -10,6 +10,7 @@ to extract identification information from the files analyzed.
 | [Autoconf](./autoconf.html) | Autoconf project configuration files (configure, configure.in, configure.ac) | [Regex](https://en.wikipedia.org/wiki/Regular_expression) scan for AC_INIT metadata, including in generated configuration script. |
 | [Central](./central-analyzer.html) | Java archive files (\*.jar) | Searches Maven Central or a configured Nexus repository for the file's SHA1 hash. |
 | [CMake](./cmake.html) | CMake project files (CMakeLists.txt) and scripts (\*.cmake) | Regex scan for project initialization and version setting commands. |
+| [Composer Lock](./composer-lock.html) | PHP [Composer](http://getcomposer.org) Lock files (composer.lock) | Parses PHP [Composer](http://getcomposer.org) lock files for exact versions of dependencies. | 
 | [Jar](./jar-analyzer.html) | Java archive files (\*.jar); Web application archive (\*.war) | Examines archive manifest metadata, and Maven Project Object Model files (pom.xml). |
 | [Nexus](./nexus-analyzer.html) | Java archive files (\*.jar) | Searches Sonatype or a configured Nexus repository for the file's SHA1 hash. In most cases, superceded by Central . |
 | [Node.js](./nodejs.html) | NPM package specification files (package.json) | Parse JSON format for metadata. |