Support Composer (PHP) Package Manager

[maennchen]

Is your feature request related to a problem? Please describe.

Scorecard currently does not recognize the package manager composer (PHP).

Describe the solution you'd like

Scorecard should recognize that composer is used.

How are packages published with composer?

The default & public package registry is called Packagist.

The packages are pulled by the registry and not pushed like with most other registries.

Steps:

• Create a composer.json file with "type": "library"
• Configure packagist to pull Git Repository
• Optional: Create a Webhook so that new versions are recognized quickly

Detection

To detect if a project is publishing using composer, the following rules should work:

• Check if there's a file called composer.json
• Check if composer.json#.type is not set to project - https://getcomposer.org/doc/04-schema.md#type
• Call https://repo.packagist.org/p2/[composer.json#.name].json to see if the package is published - https://packagist.org/apidoc#get-package-data
• Check if response#.packages.[composer.json#.name][*].source.url is equal to the git repository which is being scored

The latter two checks are a bit more involved. But depending on how accurate this checks need to be, they could also be skipped.

Describe alternatives you've considered

None.

Additional context

• Example Project: https://github.com/maennchen/ZipStream-PHP
• Example published package: https://packagist.org/packages/maennchen/zipstream-php