
Reachability: Tier-3 PHP analyzer (composerreach / phpreach) #53

@bomly-guy

Description


Goal

Add a Tier-3 (package-level) reachability analyzer for PHP / Composer projects, mirroring pyreach.

Mapping

PHP's namespace-to-Composer-package relationship is loose: each package's composer.json declares which PSR-4 namespace prefixes it owns, but application source only carries use directives with namespace paths, so the package has to be inferred from the prefix. Two viable approaches:

  1. Curated prefix map (cheapest): Symfony\* → symfony/*, Doctrine\* → doctrine/*, Monolog\* → monolog/monolog, PhpOffice\* → phpoffice/*, ~50 well-known prefixes. Same shape as jvmreach.
  2. Read installed package composer.json files (best when present): vendor/<vendor>/<package>/composer.json declares the exact PSR-4 prefixes. Exact, but only available once composer install has populated vendor/.

Recommendation: ship #1 first, add #2 as an opportunistic refinement.

Scope

  • New package internal/analyzers/composerreach/.
  • Source walk: .php files under the project root. Skip vendor/, node_modules/, var/cache/, VCS dirs.
  • Scanner: line-oriented scanner for the use Vendor\Package\Class;, use Vendor\Package\{A, B}; and use function Vendor\fn; forms. Drop relative references (a use Vendor\... that resolves inside the file's own namespace); they can never point at a vendor package.
  • Mapping: longest-prefix match against the curated table. No identity fallback (namespace and package name share no convention in PHP either).
  • Per-project FileCache, invalidated when the composer.lock content changes.
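The scanner and mapping described in Mapping and Scope, as an added example rather than code from this repository: a line-oriented use-directive scanner, a longest-prefix resolver with no identity fallback, and the opportunistic approach-2 refinement that reads PSR-4 prefixes from an installed package's composer.json. Go is assumed to be the project's language (inferred from the internal/analyzers layout and the LanguagePHP / PackageManagerComposer identifiers); the type and function names, the four-entry curated table and both sample inputs are constructed for this example and are not the real ~50-entry table or fixture.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// PrefixTable maps PSR-4 namespace prefixes (trailing backslash kept) to Composer package names.
type PrefixTable map[string]string

// curated is a hypothetical 4-entry slice of the ~50-entry table; nested Doctrine prefixes exercise longest-prefix matching.
var curated = PrefixTable{
	`Symfony\Component\HttpFoundation\`: "symfony/http-foundation",
	`Doctrine\Common\`:                  "doctrine/common",
	`Doctrine\Common\Collections\`:      "doctrine/collections",
	`Monolog\`:                          "monolog/monolog",
}

var nsRe = regexp.MustCompile(`^\s*namespace\s+([\w\\]+)\s*;`)
// use [function|const] [\]A\B[\{C, D as E}] [as F];  a closure's `use ($x)` cannot match.
var useRe = regexp.MustCompile(`^\s*use\s+(?:function\s+|const\s+)?\\?([\w\\]+?)(?:\\\{([^}]*)\})?\s*(?:as\s+\w+)?\s*;`)

// ScanUses returns the fully qualified names a PHP file imports with `use`, dropping
// single-segment names (trait uses) and names that resolve inside the file's own namespace.
func ScanUses(src string) []string {
	ns, out := "", []string{}
	for _, line := range strings.Split(src, "\n") {
		if n := nsRe.FindStringSubmatch(line); n != nil {
			ns = n[1] + `\`
			continue
		}
		m := useRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		names := []string{m[1]}
		if m[2] != "" { // grouped import: expand each member under the shared base
			names = nil
			for _, part := range strings.Split(m[2], ",") {
				if f := strings.Fields(part); len(f) > 0 {
					names = append(names, m[1]+`\`+f[0])
				}
			}
		}
		for _, fq := range names {
			if strings.Contains(fq, `\`) && (ns == "" || !strings.HasPrefix(fq, ns)) {
				out = append(out, fq)
			}
		}
	}
	return out
}

// Resolve maps a name to a package by longest-prefix match; no identity fallback, so ok is false for an unknown prefix.
func (t PrefixTable) Resolve(fq string) (pkg string, ok bool) {
	best := ""
	for prefix := range t {
		if strings.HasPrefix(fq, prefix) && len(prefix) > len(best) {
			best = prefix
		}
	}
	return t[best], best != ""
}

// AddInstalled merges the PSR-4 prefixes of an installed vendor/<vendor>/<package>/composer.json (approach 2); exact data overrides a curated entry.
func (t PrefixTable) AddInstalled(composerJSON []byte) error {
	var cj struct {
		Name     string                                               `json:"name"`
		Autoload struct{ PSR4 map[string]json.RawMessage `json:"psr-4"` } `json:"autoload"`
	} // psr-4 values may be a string or an array, so only the keys (prefixes) are read
	if err := json.Unmarshal(composerJSON, &cj); err != nil {
		return err
	}
	for prefix := range cj.Autoload.PSR4 {
		t[prefix] = cj.Name
	}
	return nil
}

// Constructed inputs for the demo; not taken from any real project.
const samplePHP = `<?php
namespace App\Service;
use App\Service\Helper\Formatter;                 // own namespace: dropped
use Symfony\Component\HttpFoundation\{Request, Response};
use Doctrine\Common\Collections\ArrayCollection;  // longest prefix wins: doctrine/collections
use function Monolog\Handler\someHelper;
use Psr\Log\LoggerInterface;                      // unknown to the curated table
use HasFactory;                                   // trait use: dropped
`
const sampleVendorJSON = `{"name": "psr/log", "autoload": {"psr-4": {"Psr\\Log\\": "src"}}}`

func main() {
	_ = curated.AddInstalled([]byte(sampleVendorJSON)) // opportunistic approach-2 refinement
	for _, fq := range ScanUses(samplePHP) {
		pkg, ok := curated.Resolve(fq)
		fmt.Printf("%-48s -> %s (mapped=%v)\n", fq, pkg, ok)
	}
}
```

Longest-prefix matching is what keeps Doctrine\Common\Collections\* on doctrine/collections instead of doctrine/common, and the absence of an identity fallback is deliberate: a prefix nobody has declared yields no package rather than a guessed one, which is the failure mode a reachability verdict should prefer.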

Smoke fixture

A Veracode example-php-composer repo or a public Symfony demo pinned to a vulnerable commit.

References

  • Template: internal/analyzers/jvmreach (closest in shape — curated prefix map, no identity fallback).
  • Detector: internal/detectors/composer (already in tree).
  • SDK: LanguagePHP + PackageManagerComposer exist.

Labels

  • enhancement (New feature or request)
  • reachability (Reachability analyzer work)