@cyclonedx/cdxgen 12.1.5 → 12.2.1

package/lib/helpers/versutils.js

@@ -0,0 +1,202 @@
+function parseVersion(v) {
+  const m = v.match(/^([><=^~]+)?(.*)$/);
+  const ver = m ? m[2] : v;
+  if (ver === "*")
+    return { major: 0, minor: 0, patch: 0, pre: "", op: "", isStar: true };
+  const parts = ver.split("-");
+  const main = parts[0].split(".");
+  return {
+    op: m ? m[1] || "" : "",
+    major: Number.parseInt(main[0] || "0", 10),
+    minor: Number.parseInt(main[1] || "0", 10),
+    patch: Number.parseInt(main[2] || "0", 10),
+    pre: parts.slice(1).join("-"),
+  };
+}
+
+/**
+ * Converts a package.json npm version specifier to a VERS format range.
+ *
+ * @param {string} versionString - The native npm semver string.
+ * @returns {string} The formatted vers:npm range string.
+ */
+export function toVersRange(versionString) {
+  if (!versionString || typeof versionString !== "string") {
+    return "";
+  }
+  let str = versionString.trim();
+  if (!str) {
+    return "";
+  }
+  if (str === "latest" || str.startsWith("workspace:")) {
+    return "";
+  }
+  if (str === "*") {
+    return "vers:npm/*";
+  }
+  // Replace hyphen ranges: A - B -> >=A <=B
+  str = str.replace(/([\w.-]+)\s+-\s+([\w.-]+)/g, ">= $1 <= $2");
+
+  // Split logical ORs
+  const ors = str.split("||").map((s) => s.trim());
+  const allBounds = [];
+
+  for (let part of ors) {
+    // Normalize spaces after operators to attach them to the version
+    part = part.replace(/([><=^~]+)\s+/g, "$1");
+    part = part.replace(/\s+/g, " ");
+
+    const tokens = part.split(" ").filter(Boolean);
+
+    for (let token of tokens) {
+      // Strip the 'v' prefix if present (e.g. >=v1.2.3 -> >=1.2.3)
+      token = token.replace(/^([><=^~]+)?v/i, (_match, op) => op || "");
+
+      if (token === "*") {
+        allBounds.push("*");
+        continue;
+      }
+
+      const match = token.match(/^([><=^~]+)?(.*)$/);
+      const op = match[1] || "";
+      let ver = match[2];
+
+      if (ver === "*") {
+        allBounds.push("*");
+        continue;
+      }
+
+      // Pad versions (e.g., '1' -> '1.0.0', '1.1' -> '1.1.0')
+      if (/^\d+$/.test(ver)) {
+        ver += ".0.0";
+      } else if (/^\d+\.\d+$/.test(ver)) {
+        ver += ".0";
+      }
+
+      // Handle .x or .* ranges
+      if (ver.endsWith(".x") || ver.endsWith(".*")) {
+        const parts = ver.split(".");
+        if (parts[1] === "x" || parts[1] === "*") {
+          const M = Number.parseInt(parts[0], 10);
+          allBounds.push(`>=${M}.0.0`, `<${M + 1}.0.0`);
+        } else if (parts[2] === "x" || parts[2] === "*") {
+          const M = parts[0];
+          const m_minor = Number.parseInt(parts[1], 10);
+          allBounds.push(`>=${M}.${m_minor}.0`, `<${M}.${m_minor + 1}.0`);
+        }
+        continue;
+      }
+
+      // Caret (^) expansion
+      if (op === "^") {
+        const m = ver.match(/^(\d+)\.(\d+)\.(\d+)(.*)$/);
+        if (!m) {
+          allBounds.push(`${op}${ver}`);
+          continue;
+        }
+        const M = Number.parseInt(m[1], 10);
+        const m_minor = Number.parseInt(m[2], 10);
+        const p = Number.parseInt(m[3], 10);
+        let upper;
+        if (M > 0) {
+          upper = `${M + 1}.0.0`;
+        } else if (m_minor > 0) {
+          upper = `0.${m_minor + 1}.0`;
+        } else {
+          upper = `0.0.${p + 1}`;
+        }
+        allBounds.push(`>=${ver}`, `<${upper}`);
+        continue;
+      }
+
+      // Tilde (~) expansion
+      if (op === "~") {
+        const m = ver.match(/^(\d+)\.(\d+)\.(\d+)(.*)$/);
+        if (!m) {
+          allBounds.push(`${op}${ver}`);
+          continue;
+        }
+        if (ver.includes("-pre")) {
+          const sv = parseVersion(ver);
+          const upper = `${sv.major}.${sv.minor}.0`;
+          const upper_1 = `${sv.major}.${sv.minor}.1`;
+          allBounds.push(`>=${ver}`, `<${upper}`, `>=${upper}`, `<${upper_1}`);
+          continue;
+        }
+        const M = Number.parseInt(m[1], 10);
+        const m_minor = Number.parseInt(m[2], 10);
+        const upper = `${M}.${m_minor + 1}.0`;
+        allBounds.push(`>=${ver}`, `<${upper}`);
+        continue;
+      }
+
+      if (op === "=") {
+        allBounds.push(ver);
+        continue;
+      }
+
+      // Exact fallback matches
+      if (op === "") {
+        allBounds.push(ver);
+        continue;
+      }
+
+      allBounds.push(op + ver);
+    }
+  }
+
+  // Sort all bounded intervals linearly mapped by semver precedence
+  allBounds.sort((aStr, bStr) => {
+    if (aStr === "*" && bStr === "*") return 0;
+    if (aStr === "*") return -1;
+    if (bStr === "*") return 1;
+
+    const a = parseVersion(aStr);
+    const b = parseVersion(bStr);
+
+    if (a.major !== b.major) return a.major - b.major;
+    if (a.minor !== b.minor) return a.minor - b.minor;
+    if (a.patch !== b.patch) return a.patch - b.patch;
+
+    if (a.pre && !b.pre) return -1;
+    if (!a.pre && b.pre) return 1;
+
+    if (a.pre && b.pre) {
+      if (a.pre !== b.pre) {
+        const aPre = a.pre.split(".");
+        const bPre = b.pre.split(".");
+        for (let i = 0; i < Math.max(aPre.length, bPre.length); i++) {
+          const ap = aPre[i];
+          const bp = bPre[i];
+
+          if (ap === undefined) return -1;
+          if (bp === undefined) return 1;
+
+          const apNum = /^\d+$/.test(ap);
+          const bpNum = /^\d+$/.test(bp);
+
+          if (apNum && bpNum) {
+            const diff = Number.parseInt(ap, 10) - Number.parseInt(bp, 10);
+            if (diff !== 0) return diff;
+          } else if (apNum && !bpNum) {
+            return -1;
+          } else if (!apNum && bpNum) {
+            return 1;
+          } else {
+            if (ap < bp) return -1;
+            if (ap > bp) return 1;
+          }
+        }
+      }
+    }
+
+    const opOrder = { "<": 1, "<=": 2, "": 3, ">=": 4, ">": 5 };
+    const aOp = opOrder[a.op] || 3;
+    const bOp = opOrder[b.op] || 3;
+    if (aOp !== bOp) return aOp - bOp;
+
+    return 0;
+  });
+
+  return `vers:npm/${allBounds.join("|")}`;
+}

package/lib/helpers/versutils.poku.js

@@ -0,0 +1,315 @@
+import { strict as assert } from "node:assert";
+
+import { describe, it } from "poku";
+
+import { toVersRange } from "./versutils.js";
+
+describe("toVersRange", () => {
+  // === Basic Validation ===
+  describe("input validation", () => {
+    it("should return empty for null/undefined/empty", () => {
+      assert.strictEqual(toVersRange(null), "");
+      assert.strictEqual(toVersRange(undefined), "");
+      assert.strictEqual(toVersRange(""), "");
+      assert.strictEqual(toVersRange("   "), "");
+    });
+
+    it("should return empty for non-string input", () => {
+      assert.strictEqual(toVersRange(123), "");
+      assert.strictEqual(toVersRange({}), "");
+      assert.strictEqual(toVersRange([]), "");
+    });
+  });
+
+  // === Special Markers ===
+  describe("special markers", () => {
+    it("should handle wildcard '*'", () => {
+      assert.strictEqual(toVersRange("*"), "vers:npm/*");
+    });
+
+    it("should return empty for 'latest'", () => {
+      assert.strictEqual(toVersRange("latest"), "");
+    });
+
+    it("should return empty for workspace:* references", () => {
+      assert.strictEqual(toVersRange("workspace:*"), "");
+      assert.strictEqual(toVersRange("workspace:^1.0.0"), "");
+      assert.strictEqual(toVersRange("workspace:~"), "");
+    });
+  });
+
+  // === Simple Operators ===
+  describe("simple comparison operators", () => {
+    it("should handle >= operator", () => {
+      assert.strictEqual(toVersRange(">=4.1.0"), "vers:npm/>=4.1.0");
+      assert.strictEqual(toVersRange(">= 1.6.9"), "vers:npm/>=1.6.9");
+      assert.strictEqual(
+        toVersRange(">=v2.0.0-alpha8"),
+        "vers:npm/>=2.0.0-alpha8",
+      );
+    });
+
+    it("should handle <= operator", () => {
+      assert.strictEqual(toVersRange("<=4.0.4"), "vers:npm/<=4.0.4");
+      assert.strictEqual(toVersRange("<= 1.6.8"), "vers:npm/<=1.6.8");
+      assert.strictEqual(
+        toVersRange("<=v2.0.0-alpha7"),
+        "vers:npm/<=2.0.0-alpha7",
+      );
+    });
+
+    it("should handle < operator", () => {
+      assert.strictEqual(toVersRange("<0.0.0"), "vers:npm/<0.0.0");
+      assert.strictEqual(toVersRange("<2.11.2"), "vers:npm/<2.11.2");
+      assert.strictEqual(toVersRange("< 6.1.0"), "vers:npm/<6.1.0");
+    });
+
+    it("should handle > operator", () => {
+      assert.strictEqual(toVersRange(">0.12.7"), "vers:npm/>0.12.7");
+      assert.strictEqual(toVersRange("> 0.9.6"), "vers:npm/>0.9.6");
+      assert.strictEqual(toVersRange(">3.0.0"), "vers:npm/>3.0.0");
+    });
+
+    it("should handle = operator (exact version)", () => {
+      assert.strictEqual(toVersRange("=3.0.0-rc.1"), "vers:npm/3.0.0-rc.1");
+    });
+  });
+
+  // === Exact Versions ===
+  describe("exact versions", () => {
+    it("should convert plain version strings", () => {
+      assert.strictEqual(toVersRange("2.1.4"), "vers:npm/2.1.4");
+      assert.strictEqual(toVersRange("7.0.0"), "vers:npm/7.0.0");
+      assert.strictEqual(toVersRange("2.3.21"), "vers:npm/2.3.21");
+    });
+
+    it("should handle prerelease exact versions", () => {
+      assert.strictEqual(toVersRange("2.1.0-M1"), "vers:npm/2.1.0-M1");
+      assert.strictEqual(toVersRange("3.0.0-rc.1"), "vers:npm/3.0.0-rc.1");
+    });
+
+    it("should strip 'v' prefix from versions", () => {
+      assert.strictEqual(toVersRange("v2.0.0"), "vers:npm/2.0.0");
+      assert.strictEqual(
+        toVersRange(">=v2.0.0-alpha8"),
+        "vers:npm/>=2.0.0-alpha8",
+      );
+    });
+  });
+
+  // === AND Conditions (space-separated) ===
+  describe("AND conditions (space-separated)", () => {
+    it("should convert space-separated ranges to pipe-separated", () => {
+      assert.strictEqual(
+        toVersRange(">=2.0.0 <=4.0.4"),
+        "vers:npm/>=2.0.0|<=4.0.4",
+      );
+      assert.strictEqual(
+        toVersRange(">= 2.0.1 <3.0.2"),
+        "vers:npm/>=2.0.1|<3.0.2",
+      );
+      assert.strictEqual(
+        toVersRange(">= 15.0.0 <= 16.1.0"),
+        "vers:npm/>=15.0.0|<=16.1.0",
+      );
+      assert.strictEqual(
+        toVersRange(">=5.0.3 >=4.2.1"),
+        "vers:npm/>=4.2.1|>=5.0.3",
+      );
+    });
+
+    it("should handle two-part version padding in AND ranges", () => {
+      assert.strictEqual(
+        toVersRange("<=2.1 >=1.1"),
+        "vers:npm/>=1.1.0|<=2.1.0",
+      );
+    });
+  });
+
+  // === OR Conditions (||) ===
+  describe("OR conditions (||)", () => {
+    it("should convert || to single |", () => {
+      assert.strictEqual(
+        toVersRange(">=1.5.2 || >=1.4.11 <1.5.0 || >=1.3.2 <1.4.0"),
+        "vers:npm/>=1.3.2|<1.4.0|>=1.4.11|<1.5.0|>=1.5.2",
+      );
+      assert.strictEqual(
+        toVersRange(">=1.3.0 <1.3.2 || >=1.4.0 <1.4.11 || >=1.5.0 <1.5.2"),
+        "vers:npm/>=1.3.0|<1.3.2|>=1.4.0|<1.4.11|>=1.5.0|<1.5.2",
+      );
+    });
+
+    it("should handle complex OR ranges", () => {
+      assert.strictEqual(
+        toVersRange(
+          ">=3.5.1 <4.0.0 || >=4.1.3 <5.0.0 || >=5.6.1 <6.0.0 || >=6.1.2",
+        ),
+        "vers:npm/>=3.5.1|<4.0.0|>=4.1.3|<5.0.0|>=5.6.1|<6.0.0|>=6.1.2",
+      );
+      assert.strictEqual(
+        toVersRange(">=2.5.0 <= 3.0.0 || >=3.1.0"),
+        "vers:npm/>=2.5.0|<=3.0.0|>=3.1.0",
+      );
+    });
+
+    it("should handle exact versions in OR ranges", () => {
+      assert.strictEqual(
+        toVersRange("2.1.0-M1 || 2.1.0-M2"),
+        "vers:npm/2.1.0-M1|2.1.0-M2",
+      );
+      assert.strictEqual(
+        toVersRange("=3.10.1 || >=3.10.3"),
+        "vers:npm/3.10.1|>=3.10.3",
+      );
+      assert.strictEqual(toVersRange("2.1 || 2.6"), "vers:npm/2.1.0|2.6.0");
+    });
+  });
+
+  // === Caret Ranges (^) ===
+  describe("caret ranges (^)", () => {
+    it("should expand caret for major >= 1", () => {
+      assert.strictEqual(toVersRange("^1.2.9"), "vers:npm/>=1.2.9|<2.0.0");
+      assert.strictEqual(toVersRange("^2.0.18"), "vers:npm/>=2.0.18|<3.0.0");
+      assert.strictEqual(toVersRange("^4.0.8"), "vers:npm/>=4.0.8|<5.0.0");
+    });
+
+    it("should expand caret for major = 0, minor > 0", () => {
+      assert.strictEqual(
+        toVersRange("^0.2.1-beta"),
+        "vers:npm/>=0.2.1-beta|<0.3.0",
+      );
+      assert.strictEqual(toVersRange("^0.2.3"), "vers:npm/>=0.2.3|<0.3.0");
+    });
+
+    it("should expand caret for major = 0, minor = 0", () => {
+      assert.strictEqual(
+        toVersRange("^0.0.2-beta"),
+        "vers:npm/>=0.0.2-beta|<0.0.3",
+      );
+      assert.strictEqual(toVersRange("^0.0.3"), "vers:npm/>=0.0.3|<0.0.4");
+    });
+
+    it("should handle caret with prerelease", () => {
+      assert.strictEqual(
+        toVersRange("^1.2.3-beta.1"),
+        "vers:npm/>=1.2.3-beta.1|<2.0.0",
+      );
+      assert.strictEqual(
+        toVersRange("^5.0.0-beta.5"),
+        "vers:npm/>=5.0.0-beta.5|<6.0.0",
+      );
+    });
+
+    it("should handle multiple caret ranges with OR", () => {
+      assert.strictEqual(
+        toVersRange("^2.0.18 || ^3.0.16 || ^3.1.6 || ^4.0.8 || ^5.0.0-beta.5"),
+        "vers:npm/>=2.0.18|<3.0.0|>=3.0.16|>=3.1.6|<4.0.0|<4.0.0|>=4.0.8|>=5.0.0-beta.5|<5.0.0|<6.0.0",
+      );
+    });
+  });
+
+  // === Tilde Ranges (~) ===
+  describe("tilde ranges (~)", () => {
+    it("should expand tilde ranges", () => {
+      assert.strictEqual(toVersRange("~3.8.2"), "vers:npm/>=3.8.2|<3.9.0");
+      assert.strictEqual(toVersRange("~1.6.5"), "vers:npm/>=1.6.5|<1.7.0");
+    });
+
+    it("should handle tilde with prerelease", () => {
+      assert.strictEqual(
+        toVersRange("~0.8.0-pre"),
+        "vers:npm/>=0.8.0-pre|<0.8.0|>=0.8.0|<0.8.1",
+      );
+    });
+
+    it("should handle tilde in OR ranges", () => {
+      assert.strictEqual(
+        toVersRange("~1.6.5 || >=1.7.2"),
+        "vers:npm/>=1.6.5|<1.7.0|>=1.7.2",
+      );
+      assert.strictEqual(
+        toVersRange("~0.2.2 || >=0.3.2"),
+        "vers:npm/>=0.2.2|<0.3.0|>=0.3.2",
+      );
+    });
+  });
+
+  // === X-Wildcard Ranges ===
+  describe("x-wildcard ranges", () => {
+    it("should expand major.x patterns", () => {
+      assert.strictEqual(toVersRange(">= 1.x"), "vers:npm/>=1.0.0|<2.0.0");
+      assert.strictEqual(toVersRange(">= 2.2.x"), "vers:npm/>=2.2.0|<2.3.0");
+    });
+
+    it("should expand minor.x patterns", () => {
+      assert.strictEqual(toVersRange("1.2.x"), "vers:npm/>=1.2.0|<1.3.0");
+      assert.strictEqual(
+        toVersRange("2.0.x || 2.1.x"),
+        "vers:npm/>=2.0.0|<2.1.0|>=2.1.0|<2.2.0",
+      );
+    });
+  });
+
+  // === Hyphen Ranges ===
+  describe("hyphen ranges", () => {
+    it("should convert hyphen ranges to >= and <=", () => {
+      assert.strictEqual(
+        toVersRange("5.0.0 - 7.2.3"),
+        "vers:npm/>=5.0.0|<=7.2.3",
+      );
+    });
+  });
+
+  // === Version Padding ===
+  describe("version padding", () => {
+    it("should pad two-part versions to three parts", () => {
+      assert.strictEqual(toVersRange(">= 1.1"), "vers:npm/>=1.1.0");
+      assert.strictEqual(toVersRange("<= 1.0"), "vers:npm/<=1.0.0");
+      assert.strictEqual(toVersRange(">= 3.11"), "vers:npm/>=3.11.0");
+      assert.strictEqual(toVersRange("<3.11"), "vers:npm/<3.11.0");
+      assert.strictEqual(toVersRange(">=4.5"), "vers:npm/>=4.5.0");
+    });
+
+    it("should handle padded versions in ranges", () => {
+      assert.strictEqual(
+        toVersRange(">=3.11 <4 || >=4.5"),
+        "vers:npm/>=3.11.0|<4.0.0|>=4.5.0",
+      );
+    });
+  });
+
+  // === Edge Cases ===
+  describe("edge cases", () => {
+    it("should handle large version numbers", () => {
+      assert.strictEqual(
+        toVersRange("<=99.999.99999"),
+        "vers:npm/<=99.999.99999",
+      );
+      assert.strictEqual(toVersRange("<99.999.9999"), "vers:npm/<99.999.9999");
+    });
+
+    it("should handle spacing variations", () => {
+      assert.strictEqual(toVersRange(">= 1.6.9"), "vers:npm/>=1.6.9");
+      assert.strictEqual(toVersRange("<  2.0.5"), "vers:npm/<2.0.5");
+      assert.strictEqual(
+        toVersRange(">=3.4.6 < 4.0.0|| >=4.0.5"),
+        "vers:npm/>=3.4.6|<4.0.0|>=4.0.5",
+      );
+    });
+
+    it("should handle mixed operators in compound ranges", () => {
+      assert.strictEqual(
+        toVersRange("<5.0.3 >=5.0.0 || < 4.2.1"),
+        "vers:npm/<4.2.1|>=5.0.0|<5.0.3",
+      );
+      assert.strictEqual(
+        toVersRange("<1.6.5 || < 2.1.7 > 2.0.0"),
+        "vers:npm/<1.6.5|>2.0.0|<2.1.7",
+      );
+    });
+
+    it("should handle multiple exact versions", () => {
+      assert.strictEqual(toVersRange("1.1.2 1.2.2"), "vers:npm/1.1.2|1.2.2");
+    });
+  });
+});