@cyclonedx/cdxgen 12.1.0 → 12.1.2

package/README.md

@@ -540,7 +540,19 @@ const dbody = await submitBom(args, bomNSData.bomJson);
 
 ## Contributing
 
-Please check out our [contribute to CycloneDX/cdxgen documentation][github-contribute] if you are interested in helping.
+Please check out our [open issues][github-contribute] if you are interested in helping.
+
+### Codeberg Mirror
+
+The project is mirrored on [Codeberg](https://codeberg.org/cdxgen/cdxgen). Users can clone the repository using the following URL:
+
+```shell
+git clone https://codeberg.org/cdxgen/cdxgen.git
+```
+
+The maintainers accept Pull Requests (PRs) against the Codeberg repository.
+
+> **Note:** The Codeberg repository is currently synced manually from GitHub.
 
 Before raising a PR, please run the following commands.
 
@@ -588,6 +600,10 @@ Some features are funded through [NGI Zero Core](https://nlnet.nl/core), a fund
 [<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" />](https://nlnet.nl)
 [<img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />](https://nlnet.nl/core)
 
+cdxgen is an OWASP Foundation production project.
+
+[<img src="https://owasp.org/assets/images/logo.png" width="20%" />](https://owasp.org)
+
 <!-- LINK LABELS -->
 <!-- Badges -->
 

package/bin/dependencies.js

@@ -61,15 +61,35 @@ for (const override in pkgJson.pnpm.overrides) {
   checkObsolescence(override, obsoletePnpmOverrides);
 }
 
-export function checkDependencies() {
-  return (
-    incorrectNpmOverridesVersions.length +
-    incorrectPnpmOverridesVersions.length +
-    missingNpmOverrides.length +
-    missingPnpmOverrides.length +
-    obsoleteNpmOverrides.length +
-    obsoletePnpmOverrides.length
+if (missingNpmOverrides.length) {
+  console.log("\nThe following dependencies are not in the 'overrides'-block:");
+  console.log(missingNpmOverrides.join(",\n"));
+}
+if (incorrectNpmOverridesVersions.length) {
+  console.log(
+    "\nThe following dependencies have a different version in the 'overrides'-block:",
+  );
+  console.log(incorrectNpmOverridesVersions.join("\n"));
+}
+if (missingPnpmOverrides.length) {
+  console.log(
+    "\nThe following dependencies are not in the 'pnpm.overrides'-block:",
+  );
+  console.log(missingPnpmOverrides.join(",\n"));
+}
+if (incorrectPnpmOverridesVersions.length) {
+  console.log(
+    "\nThe following dependencies have a different version in the 'pnpm.overrides'-block:",
   );
+  console.log(incorrectPnpmOverridesVersions.join("\n"));
+}
+if (obsoleteNpmOverrides.length) {
+  console.log("\nThe following entries in 'overrides' are not used:");
+  console.log(obsoleteNpmOverrides.join("\n"));
+}
+if (obsoletePnpmOverrides.length) {
+  console.log("\nThe following entries in 'pnpm.overrides' are not used:");
+  console.log(obsoletePnpmOverrides.join("\n"));
 }
 
 function checkOverride(packageName, packageVersion) {
@@ -99,33 +119,13 @@ function checkObsolescence(override, obsoletionArray) {
   }
 }
 
-if (missingNpmOverrides.length) {
-  console.log("The following dependencies are not in the 'overrides'-block:");
-  console.log(missingNpmOverrides.join(",\n"));
-}
-if (incorrectNpmOverridesVersions.length) {
-  console.log(
-    "The following dependencies have a different version in the 'overrides'-block:",
-  );
-  console.log(incorrectNpmOverridesVersions.join("\n"));
-}
-if (missingPnpmOverrides.length) {
-  console.log(
-    "The following dependencies are not in the 'pnpm.overrides'-block:",
-  );
-  console.log(missingPnpmOverrides.join(",\n"));
-}
-if (incorrectPnpmOverridesVersions.length) {
-  console.log(
-    "The following dependencies have a different version in the 'pnpm.overrides'-block:",
+export function checkDependencies() {
+  return (
+    incorrectNpmOverridesVersions.length +
+    incorrectPnpmOverridesVersions.length +
+    missingNpmOverrides.length +
+    missingPnpmOverrides.length +
+    obsoleteNpmOverrides.length +
+    obsoletePnpmOverrides.length
   );
-  console.log(incorrectPnpmOverridesVersions.join("\n"));
-}
-if (obsoleteNpmOverrides.length) {
-  console.log("The following entries in 'overrides' are not used:");
-  console.log(obsoleteNpmOverrides.join("\n"));
-}
-if (obsoletePnpmOverrides.length) {
-  console.log("The following entries in 'pnpm.overrides' are not used:");
-  console.log(obsoletePnpmOverrides.join("\n"));
 }

package/bin/licenses.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+
+import { existsSync, readFileSync } from "node:fs";
+
+const CURRENT_LICENSES = [
+  "Apache-2.0",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "BlueOak-1.0.0",
+  "CC-BY-3.0",
+  "CC0-1.0",
+  "ISC",
+  "MIT",
+  "WTFPL",
+];
+
+const newLicenses = new Map();
+const noLicenses = [];
+
+if (existsSync("./bom.json")) {
+  const sbom = JSON.parse(readFileSync("./bom.json", "utf8"));
+
+  for (const component of sbom.components) {
+    const componentID =
+      (component.group !== "" ? `${component.group}/` : "") +
+      `${component.name}@${component.version}`;
+    if (component.licenses) {
+      for (const license of component.licenses) {
+        if (license.license) {
+          if (!CURRENT_LICENSES.includes(license.license.id)) {
+            newLicenses.set(componentID, license.license.id);
+          }
+        } else if (license.expression) {
+          const licenses = license.expression
+            .replaceAll("(", "")
+            .replaceAll(")", "")
+            .split(/ (?:and|or) /i);
+          for (const aLicense of licenses) {
+            if (!CURRENT_LICENSES.includes(aLicense)) {
+              newLicenses.set(componentID, license.expression);
+              break;
+            }
+          }
+        } else {
+          noLicenses.push(componentID);
+        }
+      }
+    } else {
+      noLicenses.push(componentID);
+    }
+  }
+
+  if (newLicenses.size) {
+    console.log(
+      "The following dependencies have licenses that are not yet used in the project:",
+    );
+    for (const dependency of newLicenses.keys()) {
+      console.log(`  - ${dependency}: ${newLicenses.get(dependency)}`);
+    }
+    console.log(
+      "If the licenses are allowed, add them to CURRENT_LICENSES in 'bin/licenses.js'.",
+    );
+  }
+
+  if (noLicenses.length) {
+    console.log("The following dependencies have NO license:");
+    for (const dependency of noLicenses) {
+      console.log(`  - ${dependency}`);
+    }
+    console.log(
+      "If this is correct and the dependency should be allowed, an ignore mechanism should be implemented!",
+    );
+  }
+}
+
+export function checkLicenses() {
+  return newLicenses.size + noLicenses.length;
+}

package/data/spdx.schema.json

@@ -1,7 +1,7 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "http://cyclonedx.org/schema/spdx.schema.json",
-  "$comment": "v1.0-3.27.0",
+  "$comment": "v1.0-3.28.0",
   "type": "string",
   "enum": [
     "0BSD",
@@ -14,6 +14,7 @@
     "Adobe-Glyph",
     "Adobe-Utopia",
     "ADSL",
+    "Advanced-Cryptics-Dictionary",
     "AFL-1.1",
     "AFL-1.2",
     "AFL-2.0",
@@ -27,6 +28,7 @@
     "AGPL-3.0-only",
     "AGPL-3.0-or-later",
     "Aladdin",
+    "ALGLIB-Documentation",
     "AMD-newlib",
     "AMDPLPA",
     "AML",
@@ -68,6 +70,7 @@
     "BlueOak-1.0.0",
     "Boehm-GC",
     "Boehm-GC-without-fee",
+    "BOLA-1.1",
     "Borceux",
     "Brian-Gladman-2-Clause",
     "Brian-Gladman-3-Clause",
@@ -94,6 +97,7 @@
     "BSD-3-Clause-No-Nuclear-Warranty",
     "BSD-3-Clause-Open-MPI",
     "BSD-3-Clause-Sun",
+    "BSD-3-Clause-Tso",
     "BSD-4-Clause",
     "BSD-4-Clause-Shortened",
     "BSD-4-Clause-UC",
@@ -102,12 +106,14 @@
     "BSD-Advertising-Acknowledgement",
     "BSD-Attribution-HPND-disclaimer",
     "BSD-Inferno-Nettverk",
+    "BSD-Mark-Modifications",
     "BSD-Protection",
     "BSD-Source-beginning-file",
     "BSD-Source-Code",
     "BSD-Systemics",
     "BSD-Systemics-W3Works",
     "BSL-1.0",
+    "Buddy",
     "BUSL-1.1",
     "bzip2-1.0.5",
     "bzip2-1.0.6",
@@ -116,6 +122,7 @@
     "CAL-1.0-Combined-Work-Exception",
     "Caldera",
     "Caldera-no-preamble",
+    "CAPEC-tou",
     "Catharon",
     "CATOSL-1.1",
     "CC-BY-1.0",
@@ -245,6 +252,9 @@
     "EPL-1.0",
     "EPL-2.0",
     "ErlPL-1.1",
+    "ESA-PL-permissive-2.4",
+    "ESA-PL-strong-copyleft-2.4",
+    "ESA-PL-weak-copyleft-2.4",
     "etalab-2.0",
     "EUDatagrid",
     "EUPL-1.0",
@@ -350,11 +360,14 @@
     "HPND-sell-MIT-disclaimer-xserver",
     "HPND-sell-regexpr",
     "HPND-sell-variant",
+    "HPND-sell-variant-critical-systems",
     "HPND-sell-variant-MIT-disclaimer",
     "HPND-sell-variant-MIT-disclaimer-rev",
+    "HPND-SMC",
     "HPND-UC",
     "HPND-UC-export-US",
     "HTMLTIDY",
+    "hyphen-bulgarian",
     "IBM-pibs",
     "ICU",
     "IEC-Code-Components-EULA",
@@ -373,6 +386,7 @@
     "IPL-1.0",
     "ISC",
     "ISC-Veillard",
+    "ISO-permission",
     "Jam",
     "JasPer-2.0",
     "jove",
@@ -450,10 +464,12 @@
     "MIT-Khronos-old",
     "MIT-Modern-Variant",
     "MIT-open-group",
+    "MIT-STK",
     "MIT-testregex",
     "MIT-Wu",
     "MITNFA",
     "MMIXware",
+    "MMPL-1.0.1",
     "Motosoto",
     "MPEG-SSG",
     "mpi-permissive",
@@ -487,6 +503,7 @@
     "NICTA-1.0",
     "NIST-PD",
     "NIST-PD-fallback",
+    "NIST-PD-TNT",
     "NIST-Software",
     "NLOD-1.0",
     "NLOD-2.0",
@@ -540,6 +557,7 @@
     "OLDAP-2.8",
     "OLFL-1.3",
     "OML",
+    "OpenMDW-1.0",
     "OpenPBS-2.3",
     "OpenSSL",
     "OpenSSL-standalone",
@@ -547,13 +565,16 @@
     "OPL-1.0",
     "OPL-UK-3.0",
     "OPUBL-1.0",
+    "OSC-1.0",
     "OSET-PL-2.1",
     "OSL-1.0",
     "OSL-1.1",
     "OSL-2.0",
     "OSL-2.1",
     "OSL-3.0",
+    "OSSP",
     "PADL",
+    "ParaType-Free-Font-1.3",
     "Parity-6.0.0",
     "Parity-7.0.0",
     "PDDL-1.0",
@@ -598,6 +619,7 @@
     "SGI-B-1.1",
     "SGI-B-2.0",
     "SGI-OpenGL",
+    "SGMLUG-PM",
     "SGP4",
     "SHL-0.5",
     "SHL-0.51",
@@ -635,6 +657,7 @@
     "TAPR-OHL-1.0",
     "TCL",
     "TCP-wrappers",
+    "TekHVC",
     "TermReadKey",
     "TGPPL-1.0",
     "ThirdEye",
@@ -662,9 +685,11 @@
     "Unlicense",
     "Unlicense-libtelnet",
     "Unlicense-libwhirlpool",
+    "UnRAR",
     "UPL-1.0",
     "URT-RLE",
     "Vim",
+    "Vixie-Cron",
     "VOSTROM",
     "VSL-1.0",
     "W3C",
@@ -673,12 +698,15 @@
     "w3m",
     "Watcom-1.0",
     "Widget-Workshop",
+    "WordNet",
     "Wsuipa",
+    "WTFNMFPL",
     "WTFPL",
     "wwl",
     "wxWindows",
     "X11",
     "X11-distribute-modifications-variant",
+    "X11-no-permit-persons",
     "X11-swapped",
     "Xdebug-1.03",
     "Xerox",
@@ -716,6 +744,7 @@
     "Bootloader-exception",
     "CGAL-linking-exception",
     "Classpath-exception-2.0",
+    "Classpath-exception-2.0-short",
     "CLISP-exception-2.0",
     "cryptsetup-OpenSSL-exception",
     "Digia-Qt-LGPL-exception-1.1",
@@ -746,6 +775,7 @@
     "i2p-gpl-java-exception",
     "Independent-modules-exception",
     "KiCad-libraries-exception",
+    "kvirc-openssl-exception",
     "LGPL-3.0-linking-exception",
     "libpri-OpenH323-exception",
     "Libtool-exception",
@@ -769,9 +799,12 @@
     "Qwt-exception-1.0",
     "romic-exception",
     "RRDtool-FLOSS-exception-2.0",
+    "rsync-linking-exception",
     "SANE-exception",
     "SHL-2.0",
     "SHL-2.1",
+    "Simple-Library-Usage-exception",
+    "sqlitestudio-OpenSSL-exception",
     "stunnel-exception",
     "SWI-exception",
     "Swift-exception",
@@ -783,4 +816,4 @@
     "WxWindows-exception-3.1",
     "x11vnc-openssl-exception"
   ]
-}
+}