npm - @cyclonedx/cyclonedx-library - Versions diffs - 1.0.0-beta.1 - Mend

@cyclonedx/cyclonedx-library 1.0.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/LICENSE +201 -0
package/NOTICE +5 -0
package/README.md +152 -0
package/dist.node/_index.node.js +53 -0
package/dist.node/_index.node.js.map +1 -0
package/dist.node/enums/attachmentEncoding.js +26 -0
package/dist.node/enums/attachmentEncoding.js.map +1 -0
package/dist.node/enums/componentScope.js +28 -0
package/dist.node/enums/componentScope.js.map +1 -0
package/dist.node/enums/componentType.js +33 -0
package/dist.node/enums/componentType.js.map +1 -0
package/dist.node/enums/externalReferenceType.js +41 -0
package/dist.node/enums/externalReferenceType.js.map +1 -0
package/dist.node/enums/hashAlogorithm.js +37 -0
package/dist.node/enums/hashAlogorithm.js.map +1 -0
package/dist.node/enums/index.js +40 -0
package/dist.node/enums/index.js.map +1 -0
package/dist.node/factories/index.js +36 -0
package/dist.node/factories/index.js.map +1 -0
package/dist.node/factories/licenseFactory.js +56 -0
package/dist.node/factories/licenseFactory.js.map +1 -0
package/dist.node/helpers/types.js +26 -0
package/dist.node/helpers/types.js.map +1 -0
package/dist.node/models/attachment.js +30 -0
package/dist.node/models/attachment.js.map +1 -0
package/dist.node/models/bom.js +67 -0
package/dist.node/models/bom.js.map +1 -0
package/dist.node/models/bomRef.js +37 -0
package/dist.node/models/bomRef.js.map +1 -0
package/dist.node/models/component.js +96 -0
package/dist.node/models/component.js.map +1 -0
package/dist.node/models/externalReference.js +40 -0
package/dist.node/models/externalReference.js.map +1 -0
package/dist.node/models/hash.js +29 -0
package/dist.node/models/hash.js.map +1 -0
package/dist.node/models/index.js +47 -0
package/dist.node/models/index.js.map +1 -0
package/dist.node/models/license.js +103 -0
package/dist.node/models/license.js.map +1 -0
package/dist.node/models/metadata.js +35 -0
package/dist.node/models/metadata.js.map +1 -0
package/dist.node/models/organizationalContact.js +41 -0
package/dist.node/models/organizationalContact.js.map +1 -0
package/dist.node/models/organizationalEntity.js +31 -0
package/dist.node/models/organizationalEntity.js.map +1 -0
package/dist.node/models/swid.js +58 -0
package/dist.node/models/swid.js.map +1 -0
package/dist.node/models/tool.js +45 -0
package/dist.node/models/tool.js.map +1 -0
package/dist.node/resources.node.js +55 -0
package/dist.node/resources.node.js.map +1 -0
package/dist.node/serialize/_index.node.js +37 -0
package/dist.node/serialize/_index.node.js.map +1 -0
package/dist.node/serialize/baseSerializer.js +56 -0
package/dist.node/serialize/baseSerializer.js.map +1 -0
package/dist.node/serialize/bomRefDiscriminator.js +66 -0
package/dist.node/serialize/bomRefDiscriminator.js.map +1 -0
package/dist.node/serialize/index.js +55 -0
package/dist.node/serialize/index.js.map +1 -0
package/dist.node/serialize/json/index.js +47 -0
package/dist.node/serialize/json/index.js.map +1 -0
package/dist.node/serialize/json/normalize.js +431 -0
package/dist.node/serialize/json/normalize.js.map +1 -0
package/dist.node/serialize/json/types.js +35 -0
package/dist.node/serialize/json/types.js.map +1 -0
package/dist.node/serialize/jsonSerializer.js +55 -0
package/dist.node/serialize/jsonSerializer.js.map +1 -0
package/dist.node/serialize/types.js +21 -0
package/dist.node/serialize/types.js.map +1 -0
package/dist.node/serialize/xml/index.js +47 -0
package/dist.node/serialize/xml/index.js.map +1 -0
package/dist.node/serialize/xml/normalize.js +560 -0
package/dist.node/serialize/xml/normalize.js.map +1 -0
package/dist.node/serialize/xml/types.js +31 -0
package/dist.node/serialize/xml/types.js.map +1 -0
package/dist.node/serialize/xmlBaseSerializer.js +52 -0
package/dist.node/serialize/xmlBaseSerializer.js.map +1 -0
package/dist.node/serialize/xmlSerializer.node.js +30 -0
package/dist.node/serialize/xmlSerializer.node.js.map +1 -0
package/dist.node/spdx.js +35 -0
package/dist.node/spdx.js.map +1 -0
package/dist.node/spec.js +229 -0
package/dist.node/spec.js.map +1 -0
package/dist.node/types/cpe.js +28 -0
package/dist.node/types/cpe.js.map +1 -0
package/dist.node/types/index.js +39 -0
package/dist.node/types/index.js.map +1 -0
package/dist.node/types/integer.js +36 -0
package/dist.node/types/integer.js.map +1 -0
package/dist.node/types/mimeType.js +28 -0
package/dist.node/types/mimeType.js.map +1 -0
package/dist.node/types/urn.js +28 -0
package/dist.node/types/urn.js.map +1 -0
package/dist.web/lib.dev.js +3487 -0
package/dist.web/lib.dev.js.map +1 -0
package/dist.web/lib.js +2 -0
package/dist.web/lib.js.LICENSE.txt +18 -0
package/libs/universal-node-xml/index.d.ts +33 -0
package/libs/universal-node-xml/index.js +42 -0
package/libs/universal-node-xml/stringifiers/helpers.js +17 -0
package/libs/universal-node-xml/stringifiers/xmlbuilder2.js +51 -0
package/package.json +86 -0
package/res/README.md +27 -0
package/res/bom-1.0.SNAPSHOT.xsd +247 -0
package/res/bom-1.1.SNAPSHOT.xsd +731 -0
package/res/bom-1.2-strict.SNAPSHOT.schema.json +1026 -0
package/res/bom-1.2.SNAPSHOT.schema.json +997 -0
package/res/bom-1.2.SNAPSHOT.xsd +1418 -0
package/res/bom-1.3-strict.SNAPSHOT.schema.json +1085 -0
package/res/bom-1.3.SNAPSHOT.schema.json +1054 -0
package/res/bom-1.3.SNAPSHOT.xsd +1631 -0
package/res/bom-1.4.SNAPSHOT.schema.json +1697 -0
package/res/bom-1.4.SNAPSHOT.xsd +2407 -0
package/res/jsf-0.82.SNAPSHOT.schema.json +244 -0
package/res/spdx.SNAPSHOT.schema.json +533 -0
package/res/spdx.SNAPSHOT.xsd +2639 -0
package/src/_index.node.ts +31 -0
package/src/_index.web.ts +27 -0
package/src/enums/attachmentEncoding.ts +22 -0
package/src/enums/componentScope.ts +24 -0
package/src/enums/componentType.ts +29 -0
package/src/enums/externalReferenceType.ts +37 -0
package/src/enums/hashAlogorithm.ts +33 -0
package/src/enums/index.ts +24 -0
package/src/factories/index.ts +20 -0
package/src/factories/licenseFactory.ts +62 -0
package/src/helpers/README.md +3 -0
package/src/helpers/types.ts +28 -0
package/src/models/attachment.ts +37 -0
package/src/models/bom.ts +85 -0
package/src/models/bomRef.ts +41 -0
package/src/models/component.ts +136 -0
package/src/models/externalReference.ts +48 -0
package/src/models/hash.ts +38 -0
package/src/models/index.ts +31 -0
package/src/models/license.ts +133 -0
package/src/models/metadata.ts +50 -0
package/src/models/organizationalContact.ts +49 -0
package/src/models/organizationalEntity.ts +38 -0
package/src/models/swid.ts +71 -0
package/src/models/tool.ts +58 -0
package/src/resources.node.ts +59 -0
package/src/serialize/_index.node.ts +23 -0
package/src/serialize/_index.web.ts +23 -0
package/src/serialize/baseSerializer.ts +52 -0
package/src/serialize/bomRefDiscriminator.ts +69 -0
package/src/serialize/index.ts +35 -0
package/src/serialize/json/index.ts +23 -0
package/src/serialize/json/normalize.ts +450 -0
package/src/serialize/json/types.ts +187 -0
package/src/serialize/jsonSerializer.ts +59 -0
package/src/serialize/types.ts +38 -0
package/src/serialize/xml/index.ts +23 -0
package/src/serialize/xml/normalize.ts +590 -0
package/src/serialize/xml/types.ts +112 -0
package/src/serialize/xmlBaseSerializer.ts +52 -0
package/src/serialize/xmlSerializer.node.ts +35 -0
package/src/serialize/xmlSerializer.web.ts +89 -0
package/src/spdx.ts +48 -0
package/src/spec.ts +289 -0
package/src/types/cpe.ts +33 -0
package/src/types/index.ts +23 -0
package/src/types/integer.ts +50 -0
package/src/types/mimeType.ts +31 -0
package/src/types/urn.ts +33 -0
package/tsconfig.json +108 -0
package/tsconfig.node.json +8 -0
package/tsconfig.web.json +5 -0
package/webpack.config.js +74 -0

package/src/serialize/bomRefDiscriminator.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+import { BomRef } from '../models'
+export class BomRefDiscriminator {
+  readonly #originalValues: ReadonlyMap<BomRef, string | undefined>
+  readonly #prefix: string
+  constructor (bomRefs: Iterable<BomRef>, prefix: string = 'BomRef') {
+    this.#originalValues = new Map(
+      Array.from(bomRefs).map(ref => [ref, ref.value])
+    )
+    this.#prefix = prefix
+  }
+  [Symbol.iterator] (): IterableIterator<BomRef> {
+    return this.#originalValues.keys()
+  }
+  discriminate (): void {
+    const knownRefValues = new Set<string>()
+    for (const [bomRef] of this.#originalValues) {
+      let value = bomRef.value
+      if (value === undefined || knownRefValues.has(value)) {
+        value = this.#makeUniqueId()
+        bomRef.value = value
+      }
+      knownRefValues.add(value)
+    }
+  }
+  reset (): void {
+    for (const [bomRef, originalValue] of this.#originalValues) {
+      bomRef.value = originalValue
+    }
+  }
+  /**
+   * generate a string in the format:
+   * <prefix>.<some-characters>.<some-characters>
+   */
+  #makeUniqueId (): string {
+    return `${
+      this.#prefix
+    }${
+      Math.random().toString(32).substring(1)
+    }${
+      Math.random().toString(32).substring(1)
+    }`
+  }
+}

package/src/serialize/index.ts ADDED Viewed

@@ -0,0 +1,35 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+// not everything is public, yet
+export * as Types from './types'
+export * from './baseSerializer'
+// export * from './baseDeserializer' // TODO
+export * from './bomRefDiscriminator'
+export * as JSON from './json'
+export * from './jsonSerializer'
+// export * from './jsonDeserializer' // TODO
+export * as XML from './xml'
+export * from './xmlBaseSerializer'
+// export * from './xmlBaseDeserializer' // TODO

package/src/serialize/json/index.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+export * as Types from './types'
+export * as Normalize from './normalize'
+// export * as Denormalize from './denormalize' // TODO

package/src/serialize/json/normalize.ts ADDED Viewed

@@ -0,0 +1,450 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+   http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+import { isNotUndefined, Stringable } from '../../helpers/types'
+import * as Models from '../../models'
+import { Protocol as Spec, Version as SpecVersion } from '../../spec'
+import { NormalizerOptions } from '../types'
+import { JsonSchema, Normalized } from './types'
+export class Factory {
+  readonly #spec: Spec
+  constructor (spec: Spec) {
+    this.#spec = spec
+  }
+  get spec (): Spec {
+    return this.#spec
+  }
+  makeForBom (): BomNormalizer {
+    return new BomNormalizer(this)
+  }
+  makeForMetadata (): MetadataNormalizer {
+    return new MetadataNormalizer(this)
+  }
+  makeForComponent (): ComponentNormalizer {
+    return new ComponentNormalizer(this)
+  }
+  makeForTool (): ToolNormalizer {
+    return new ToolNormalizer(this)
+  }
+  makeForOrganizationalContact (): OrganizationalContactNormalizer {
+    return new OrganizationalContactNormalizer(this)
+  }
+  makeForOrganizationalEntity (): OrganizationalEntityNormalizer {
+    return new OrganizationalEntityNormalizer(this)
+  }
+  makeForHash (): HashNormalizer {
+    return new HashNormalizer(this)
+  }
+  makeForLicense (): LicenseNormalizer {
+    return new LicenseNormalizer(this)
+  }
+  makeForSWID (): SWIDNormalizer {
+    return new SWIDNormalizer(this)
+  }
+  makeForExternalReference (): ExternalReferenceNormalizer {
+    return new ExternalReferenceNormalizer(this)
+  }
+  makeForAttachment (): AttachmentNormalizer {
+    return new AttachmentNormalizer(this)
+  }
+  makeForDependencyGraph (): DependencyGraphNormalizer {
+    return new DependencyGraphNormalizer(this)
+  }
+}
+const schemaUrl: ReadonlyMap<SpecVersion, string> = new Map([
+  [SpecVersion.v1dot2, 'http://cyclonedx.org/schema/bom-1.2b.schema.json'],
+  [SpecVersion.v1dot3, 'http://cyclonedx.org/schema/bom-1.3a.schema.json'],
+  [SpecVersion.v1dot4, 'http://cyclonedx.org/schema/bom-1.4.schema.json']
+])
+interface Normalizer {
+  normalize: (data: object, options: NormalizerOptions) => object | undefined
+  normalizeIter?: (data: Iterable<object>, options: NormalizerOptions) => object[]
+}
+abstract class Base implements Normalizer {
+  protected readonly _factory: Factory
+  constructor (factory: Factory) {
+    this._factory = factory
+  }
+  abstract normalize (data: object, options: NormalizerOptions): object | undefined
+}
+/* eslint-disable @typescript-eslint/prefer-nullish-coalescing, @typescript-eslint/strict-boolean-expressions --
+ * since empty strings need to be treated as undefined/null
+ */
+export class BomNormalizer extends Base {
+  normalize (data: Models.Bom, options: NormalizerOptions): Normalized.Bom {
+    return {
+      $schema: schemaUrl.get(this._factory.spec.version),
+      bomFormat: 'CycloneDX',
+      specVersion: this._factory.spec.version,
+      version: data.version,
+      serialNumber: data.serialNumber,
+      metadata: this._factory.makeForMetadata().normalize(data.metadata, options),
+      components: data.components.size > 0
+        ? this._factory.makeForComponent().normalizeIter(data.components, options)
+        // spec < 1.4 requires `component` to be array
+        : [],
+      dependencies: this._factory.spec.supportsDependencyGraph
+        ? this._factory.makeForDependencyGraph().normalize(data, options)
+        : undefined
+    }
+  }
+}
+export class MetadataNormalizer extends Base {
+  normalize (data: Models.Metadata, options: NormalizerOptions): Normalized.Metadata {
+    const orgEntityNormalizer = this._factory.makeForOrganizationalEntity()
+    return {
+      timestamp: data.timestamp?.toISOString(),
+      tools: data.tools.size > 0
+        ? this._factory.makeForTool().normalizeIter(data.tools, options)
+        : undefined,
+      authors: data.authors.size > 0
+        ? this._factory.makeForOrganizationalContact().normalizeIter(data.authors, options)
+        : undefined,
+      component: data.component === undefined
+        ? undefined
+        : this._factory.makeForComponent().normalize(data.component, options),
+      manufacture: data.manufacture === undefined
+        ? undefined
+        : orgEntityNormalizer.normalize(data.manufacture, options),
+      supplier: data.supplier === undefined
+        ? undefined
+        : orgEntityNormalizer.normalize(data.supplier, options)
+    }
+  }
+}
+export class ToolNormalizer extends Base {
+  normalize (data: Models.Tool, options: NormalizerOptions): Normalized.Tool {
+    return {
+      vendor: data.vendor || undefined,
+      name: data.name || undefined,
+      version: data.version || undefined,
+      hashes: data.hashes.size > 0
+        ? this._factory.makeForHash().normalizeIter(data.hashes, options)
+        : undefined,
+      externalReferences: this._factory.spec.supportsToolReferences && data.externalReferences.size > 0
+        ? this._factory.makeForExternalReference().normalizeIter(data.externalReferences, options)
+        : undefined
+    }
+  }
+  normalizeIter (data: Iterable<Models.Tool>, options: NormalizerOptions): Normalized.Tool[] {
+    const tools = Array.from(data)
+    if (options.sortLists ?? false) {
+      tools.sort(Models.ToolRepository.compareItems)
+    }
+    return tools.map(t => this.normalize(t, options))
+  }
+}
+export class HashNormalizer extends Base {
+  normalize ([algorithm, content]: Models.Hash, options: NormalizerOptions): Normalized.Hash | undefined {
+    const spec = this._factory.spec
+    return spec.supportsHashAlgorithm(algorithm) && spec.supportsHashValue(content)
+      ? {
+          alg: algorithm,
+          content: content
+        }
+      : undefined
+  }
+  normalizeIter (data: Iterable<Models.Hash>, options: NormalizerOptions): Normalized.Hash[] {
+    const hashes = Array.from(data)
+    if (options.sortLists ?? false) {
+      hashes.sort(Models.HashRepository.compareItems)
+    }
+    return hashes.map(h => this.normalize(h, options))
+      .filter(isNotUndefined)
+  }
+}
+export class OrganizationalContactNormalizer extends Base {
+  normalize (data: Models.OrganizationalContact, options: NormalizerOptions): Normalized.OrganizationalContact {
+    return {
+      name: data.name || undefined,
+      email: JsonSchema.isIdnEmail(data.email)
+        ? data.email
+        : undefined,
+      phone: data.phone || undefined
+    }
+  }
+  normalizeIter (data: Iterable<Models.OrganizationalContact>, options: NormalizerOptions): Normalized.OrganizationalContact[] {
+    const contacts = Array.from(data)
+    if (options.sortLists ?? false) {
+      contacts.sort(Models.OrganizationalContactRepository.compareItems)
+    }
+    return contacts.map(c => this.normalize(c, options))
+  }
+}
+export class OrganizationalEntityNormalizer extends Base {
+  normalize (data: Models.OrganizationalEntity, options: NormalizerOptions): Normalized.OrganizationalEntity {
+    const urls = normalizeStringableIter(data.url, options)
+      .filter(JsonSchema.isIriReference)
+    return {
+      name: data.name || undefined,
+      /** must comply to {@link https://datatracker.ietf.org/doc/html/rfc3987} */
+      url: urls.length > 0
+        ? urls
+        : undefined,
+      contact: data.contact.size > 0
+        ? this._factory.makeForOrganizationalContact().normalizeIter(data.contact, options)
+        : undefined
+    }
+  }
+}
+export class ComponentNormalizer extends Base {
+  normalize (data: Models.Component, options: NormalizerOptions): Normalized.Component | undefined {
+    return this._factory.spec.supportsComponentType(data.type)
+      ? {
+          type: data.type,
+          name: data.name,
+          group: data.group || undefined,
+          // version fallback to string for spec < 1.4
+          version: data.version || '',
+          'bom-ref': data.bomRef.value || undefined,
+          supplier: data.supplier === undefined
+            ? undefined
+            : this._factory.makeForOrganizationalEntity().normalize(data.supplier, options),
+          author: data.author || undefined,
+          publisher: data.publisher || undefined,
+          description: data.description || undefined,
+          scope: data.scope,
+          hashes: data.hashes.size > 0
+            ? this._factory.makeForHash().normalizeIter(data.hashes, options)
+            : undefined,
+          licenses: data.licenses.size > 0
+            ? this._factory.makeForLicense().normalizeIter(data.licenses, options)
+            : undefined,
+          copyright: data.copyright || undefined,
+          cpe: data.cpe || undefined,
+          purl: data.purl?.toString(),
+          swid: data.swid === undefined
+            ? undefined
+            : this._factory.makeForSWID().normalize(data.swid, options),
+          externalReferences: data.externalReferences.size > 0
+            ? this._factory.makeForExternalReference().normalizeIter(data.externalReferences, options)
+            : undefined
+        }
+      : undefined
+  }
+  normalizeIter (data: Iterable<Models.Component>, options: NormalizerOptions): Normalized.Component[] {
+    const components = Array.from(data)
+    if (options.sortLists ?? false) {
+      components.sort(Models.ComponentRepository.compareItems)
+    }
+    return components.map(c => this.normalize(c, options))
+      .filter(isNotUndefined)
+  }
+}
+export class LicenseNormalizer extends Base {
+  normalize (data: Models.License, options: NormalizerOptions): Normalized.License {
+    switch (true) {
+      case data instanceof Models.NamedLicense:
+        return this.#normalizeNamedLicense(data as Models.NamedLicense, options)
+      case data instanceof Models.SpdxLicense:
+        return this.#normalizeSpdxLicense(data as Models.SpdxLicense, options)
+      case data instanceof Models.LicenseExpression:
+        return this.#normalizeLicenseExpression(data as Models.LicenseExpression)
+      default:
+        // this case is not expected to happen - and therefore is undocumented
+        throw new TypeError('Unexpected LicenseChoice')
+    }
+  }
+  #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): Normalized.NamedLicense {
+    return {
+      license: {
+        name: data.name,
+        text: data.text === undefined
+          ? undefined
+          : this._factory.makeForAttachment().normalize(data.text, options),
+        url: data.url?.toString()
+      }
+    }
+  }
+  #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): Normalized.SpdxLicense {
+    return {
+      license: {
+        id: data.id,
+        text: data.text === undefined
+          ? undefined
+          : this._factory.makeForAttachment().normalize(data.text, options),
+        url: data.url?.toString()
+      }
+    }
+  }
+  #normalizeLicenseExpression (data: Models.LicenseExpression): Normalized.LicenseExpression {
+    return {
+      expression: data.expression
+    }
+  }
+  normalizeIter (data: Iterable<Models.License>, options: NormalizerOptions): Normalized.License[] {
+    const licenses = Array.from(data)
+    if (options.sortLists ?? false) {
+      licenses.sort(Models.LicenseRepository.compareItems)
+    }
+    return licenses.map(c => this.normalize(c, options))
+  }
+}
+export class SWIDNormalizer extends Base {
+  normalize (data: Models.SWID, options: NormalizerOptions): Normalized.SWID {
+    const url = data.url?.toString()
+    return {
+      tagId: data.tagId,
+      name: data.name,
+      version: data.version || undefined,
+      tagVersion: data.tagVersion,
+      patch: data.patch,
+      text: data.text === undefined
+        ? undefined
+        : this._factory.makeForAttachment().normalize(data.text, options),
+      url: JsonSchema.isIriReference(url)
+        ? url
+        : undefined
+    }
+  }
+}
+export class ExternalReferenceNormalizer extends Base {
+  normalize (data: Models.ExternalReference, options: NormalizerOptions): Normalized.ExternalReference | undefined {
+    return this._factory.spec.supportsExternalReferenceType(data.type)
+      ? {
+          url: data.url.toString(),
+          type: data.type,
+          comment: data.comment || undefined
+        }
+      : undefined
+  }
+  normalizeIter (data: Iterable<Models.ExternalReference>, options: NormalizerOptions): Normalized.ExternalReference[] {
+    const refs = Array.from(data)
+    if (options.sortLists ?? false) {
+      refs.sort(Models.ExternalReferenceRepository.compareItems)
+    }
+    return refs.map(r => this.normalize(r, options))
+      .filter(isNotUndefined)
+  }
+}
+export class AttachmentNormalizer extends Base {
+  normalize (data: Models.Attachment, options: NormalizerOptions): Normalized.Attachment {
+    return {
+      content: data.content,
+      contentType: data.contentType || undefined,
+      encoding: data.encoding
+    }
+  }
+}
+export class DependencyGraphNormalizer extends Base {
+  normalize (data: Models.Bom, options: NormalizerOptions): Normalized.Dependency[] | undefined {
+    if (!data.metadata.component?.bomRef.value) {
+      // the graph is missing the entry point -> omit the graph
+      return undefined
+    }
+    const allRefs = new Map<Models.BomRef, Models.BomRefRepository>()
+    for (const c of data.components) {
+      allRefs.set(c.bomRef, new Models.BomRefRepository(c.dependencies))
+    }
+    allRefs.set(data.metadata.component.bomRef, data.metadata.component.dependencies)
+    const normalized: Normalized.Dependency[] = []
+    for (const [ref, deps] of allRefs) {
+      const dep = this.#normalizeDependency(ref, deps, allRefs, options)
+      if (isNotUndefined(dep)) {
+        normalized.push(dep)
+      }
+    }
+    if (options.sortLists ?? false) {
+      normalized.sort(({ ref: a }, { ref: b }) => a.localeCompare(b))
+    }
+    return normalized
+  }
+  #normalizeDependency (
+    ref: Models.BomRef,
+    deps: Models.BomRefRepository,
+    allRefs: Map<Models.BomRef, Models.BomRefRepository>,
+    options: NormalizerOptions
+  ): Normalized.Dependency | undefined {
+    const bomRef = ref.toString()
+    if (bomRef.length === 0) {
+      // no value -> cannot render
+      return undefined
+    }
+    const dependsOn: string[] = normalizeStringableIter(
+      Array.from(deps).filter(d => allRefs.has(d) && d !== ref),
+      options
+    ).filter(d => d.length > 0)
+    return {
+      ref: bomRef,
+      dependsOn: dependsOn.length > 0
+        ? dependsOn
+        : undefined
+    }
+  }
+}
+/* eslint-enable @typescript-eslint/prefer-nullish-coalescing, @typescript-eslint/strict-boolean-expressions */
+function normalizeStringableIter (data: Iterable<Stringable>, options: NormalizerOptions): string[] {
+  const r: string[] = Array.from(data, d => d.toString())
+  if (options.sortLists ?? false) {
+    r.sort((a, b) => a.localeCompare(b))
+  }
+  return r
+}