Not finding vulnerabilities in php (composer)

[josecoimbra]

What happened: Using grype as usual with a php (composer) project: grype dir:. produces an empty list of vulnerabilities.

What you expected to happen: A list of vulnerabilities.

How to reproduce it (as minimally and precisely as possible): I tried with this project, which is a composer project, and grype found no vulnerabilities. Even checking out tags of older versions.

Environment:

• Output of grype version:

$ grype version
Application:          grype
Version:              0.40.0
Syft Version:         v0.48.1
BuildDate:            2022-06-17T16:15:24Z
GitCommit:            0703bae9778e661e2cc21d5caa816cda30472b14
GitDescription:       v0.40.0
Platform:             linux/amd64
GoVersion:            go1.18.3
Compiler:             gc
Supported DB Schema:  3

• OS (e.g: cat /etc/os-release or similar):

$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 21.10"
NAME="Ubuntu"
VERSION_ID="21.10"
VERSION="21.10 (Impish Indri)"
VERSION_CODENAME=impish
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=impish

[cpendery]

@josecoimbra Added an issue in Syft since it doesn't have a cataloger for composer.json files. Adding that should resolve this issue