@cyclonedx/cyclonedx-library 1.0.0-beta.1

package/src/serialize/xmlBaseSerializer.ts

@@ -0,0 +1,52 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { Bom } from '../models'
+import { Format, UnsupportedFormatError } from '../spec'
+import { BaseSerializer } from './baseSerializer'
+import { NormalizerOptions } from './types'
+import { Factory as NormalizerFactory } from './xml/normalize'
+import { SimpleXml } from './xml/types'
+
+/**
+ * Base XML serializer.
+ */
+export abstract class XmlBaseSerializer extends BaseSerializer<SimpleXml.Element> {
+  readonly #normalizerFactory: NormalizerFactory
+
+  /**
+   * @throws {UnsupportedFormatError} if {@see normalizerFactory.spec} does not support {@see Format.XML}.
+   */
+  constructor (normalizerFactory: NormalizerFactory) {
+    if (!normalizerFactory.spec.supportsFormat(Format.JSON)) {
+      throw new UnsupportedFormatError('Spec does not support JSON format.')
+    }
+
+    super()
+    this.#normalizerFactory = normalizerFactory
+  }
+
+  protected _normalize (
+    bom: Bom,
+    options: NormalizerOptions = {}
+  ): SimpleXml.Element {
+    return this.#normalizerFactory.makeForBom()
+      .normalize(bom, options)
+  }
+}

package/src/serialize/xmlSerializer.node.ts

@@ -0,0 +1,35 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { SerializerOptions } from './types'
+import { XmlBaseSerializer } from './xmlBaseSerializer'
+import { SimpleXml } from './xml/types'
+import { stringifyFallback } from '../../libs/universal-node-xml'
+
+/**
+ * XML serializer for node.
+ */
+export class XmlSerializer extends XmlBaseSerializer {
+  protected _serialize (
+    normalizedBom: SimpleXml.Element,
+    options: SerializerOptions = {}
+  ): string {
+    return stringifyFallback(normalizedBom, options)
+  }
+}

package/src/serialize/xmlSerializer.web.ts

@@ -0,0 +1,89 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { isNotUndefined } from '../helpers/types'
+import { SerializerOptions } from './types'
+import { XmlBaseSerializer } from './xmlBaseSerializer'
+import { SimpleXml } from './xml/types'
+
+/**
+ * XML serializer for web browsers.
+ */
+export class XmlSerializer extends XmlBaseSerializer {
+  protected _serialize (
+    normalizedBom: SimpleXml.Element,
+    { space }: SerializerOptions = {}
+  ): string {
+    const doc = this.#buildXmlDocument(normalizedBom)
+    // TODO: add indention based on `space`
+    return (new XMLSerializer()).serializeToString(doc)
+  }
+
+  #buildXmlDocument (
+    normalizedBom: SimpleXml.Element
+  ): XMLDocument {
+    const namespace = null
+    const doc = document.implementation.createDocument(namespace, null)
+    doc.appendChild(this.#buildElement(normalizedBom, doc, namespace))
+    return doc
+  }
+
+  #getNS (element: SimpleXml.Element): string | null {
+    const ns = (element.namespace ?? element.attributes?.xmlns)?.toString() ?? ''
+    return ns.length > 0
+      ? ns
+      : null
+  }
+
+  #buildElement (element: SimpleXml.Element, doc: XMLDocument, parentNS: string | null): Element {
+    const ns = this.#getNS(element) ?? parentNS
+    const node: Element = doc.createElementNS(ns, element.name)
+    if (isNotUndefined(element.attributes)) {
+      this.#setAttributes(node, element.attributes)
+    }
+    if (isNotUndefined(element.children)) {
+      this.#setChildren(node, element.children, ns)
+    }
+    return node
+  }
+
+  #setAttributes (node: Element, attributes: SimpleXml.ElementAttributes): void {
+    for (const [name, value] of Object.entries(attributes)) {
+      if (isNotUndefined(value) && name !== 'xmlns') {
+        // reminder: cannot change a namespace(xmlns) after the fact.
+        node.setAttribute(name, `${value}`)
+      }
+    }
+  }
+
+  #setChildren (node: Element, children: SimpleXml.ElementChildren, parentNS: string | null = null): void {
+    if (typeof children === 'string' || typeof children === 'number') {
+      node.textContent = children.toString()
+      return
+    }
+
+    const doc = node.ownerDocument
+    for (const child of (children as Iterable<SimpleXml.Comment | SimpleXml.Element>)) {
+      if (child.type === 'element') {
+        node.appendChild(this.#buildElement(child, doc, parentNS))
+      }
+      // comments are not implemented, yet
+    }
+  }
+}

package/src/spdx.ts

@@ -0,0 +1,48 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/* eslint-disable */
+/* @ts-ignore: TS6059 -- this works as long as the file/path is available in dist-package */
+import {enum as _spdxSpecEnum} from '../res/spdx.SNAPSHOT.schema.json'
+/* eslint-enable */
+
+/**
+ * One of the known SPDX licence identifiers.
+ * @see {@link http://cyclonedx.org/schema/spdx}
+ * @see isSupportedSpdxId
+ * @see fixupSpdxId
+ */
+export type SpdxId = string
+
+const spdxIds: ReadonlySet<SpdxId> = new Set(_spdxSpecEnum)
+
+const spdxLowerToActual: ReadonlyMap<string, SpdxId> = new Map(
+  _spdxSpecEnum.map(spdxId => [spdxId.toLowerCase(), spdxId])
+)
+
+export function isSupportedSpdxId (value: SpdxId | any): value is SpdxId {
+  return spdxIds.has(value)
+}
+
+/** Try to convert a string to `SpdxId`. */
+export function fixupSpdxId (value: string | any): SpdxId | undefined {
+  return typeof value === 'string' && value.length > 0
+    ? spdxLowerToActual.get(value.toLowerCase())
+    : undefined
+}

package/src/spec.ts

@@ -0,0 +1,289 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { ComponentType, ExternalReferenceType, HashAlgorithm } from './enums'
+import { HashContent } from './models'
+
+export enum Version {
+  v1dot0 = '1.0',
+  v1dot1 = '1.1',
+  v1dot2 = '1.2',
+  v1dot3 = '1.3',
+  v1dot4 = '1.4',
+}
+
+export enum Format {
+  XML = 'xml',
+  JSON = 'json',
+}
+
+export class UnsupportedFormatError extends Error {
+}
+
+export interface Protocol {
+  readonly version: Version
+
+  supportsFormat: (f: Format | any) => boolean
+
+  supportsComponentType: (ct: ComponentType | any) => boolean
+
+  supportsHashAlgorithm: (ha: HashAlgorithm | any) => boolean
+
+  supportsHashValue: (hv: HashContent | any) => boolean
+
+  supportsExternalReferenceType: (ert: ExternalReferenceType | any) => boolean
+
+  readonly supportsDependencyGraph: boolean
+
+  readonly supportsToolReferences: boolean
+}
+
+/**
+ * @internal This class was never intended to be public,
+ *           but it is a helper to get the exact spec-versions implemented according to {@see Protocol}.
+ */
+class Spec implements Protocol {
+  readonly #version: Version
+  readonly #formats: ReadonlySet<Format>
+  readonly #componentTypes: ReadonlySet<ComponentType>
+  readonly #hashAlgorithms: ReadonlySet<HashAlgorithm>
+  readonly #hashValuePattern: RegExp
+  readonly #externalReferenceTypes: ReadonlySet<ExternalReferenceType>
+  readonly #supportsDependencyGraph: boolean
+  readonly #supportsToolReferences: boolean
+
+  constructor (
+    version: Version,
+    formats: Iterable<Format>,
+    componentTypes: Iterable<ComponentType>,
+    hashAlgorithms: Iterable<HashAlgorithm>,
+    hashValuePattern: RegExp,
+    externalReferenceTypes: Iterable<ExternalReferenceType>,
+    supportsDependencyGraph: boolean,
+    supportsToolReferences: boolean
+  ) {
+    this.#version = version
+    this.#formats = new Set(formats)
+    this.#componentTypes = new Set(componentTypes)
+    this.#hashAlgorithms = new Set(hashAlgorithms)
+    this.#hashValuePattern = hashValuePattern
+    this.#externalReferenceTypes = new Set(externalReferenceTypes)
+    this.#supportsDependencyGraph = supportsDependencyGraph
+    this.#supportsToolReferences = supportsToolReferences
+  }
+
+  get version (): Version {
+    return this.#version
+  }
+
+  supportsFormat (f: Format | any): boolean {
+    return this.#formats.has(f)
+  }
+
+  supportsComponentType (ct: ComponentType | any): boolean {
+    return this.#componentTypes.has(ct)
+  }
+
+  supportsHashAlgorithm (ha: HashAlgorithm | any): boolean {
+    return this.#hashAlgorithms.has(ha)
+  }
+
+  supportsHashValue (hv: HashContent | any): boolean {
+    return typeof hv === 'string' &&
+      this.#hashValuePattern.test(hv)
+  }
+
+  supportsExternalReferenceType (ert: ExternalReferenceType | any): boolean {
+    return this.#externalReferenceTypes.has(ert)
+  }
+
+  get supportsDependencyGraph (): boolean {
+    return this.#supportsDependencyGraph
+  }
+
+  get supportsToolReferences (): boolean {
+    return this.#supportsToolReferences
+  }
+}
+
+/** Specification v1.2 */
+export const Spec1dot2: Readonly<Protocol> = Object.freeze(new Spec(
+  Version.v1dot2,
+  [
+    Format.XML,
+    Format.JSON
+  ],
+  [
+    ComponentType.Application,
+    ComponentType.Framework,
+    ComponentType.Library,
+    ComponentType.Container,
+    ComponentType.OperatingSystem,
+    ComponentType.Device,
+    ComponentType.Firmware,
+    ComponentType.File
+  ],
+  [
+    HashAlgorithm.MD5,
+    HashAlgorithm['SHA-1'],
+    HashAlgorithm['SHA-256'],
+    HashAlgorithm['SHA-384'],
+    HashAlgorithm['SHA-512'],
+    HashAlgorithm['SHA3-256'],
+    HashAlgorithm['SHA3-384'],
+    HashAlgorithm['SHA3-512'],
+    HashAlgorithm['BLAKE2b-256'],
+    HashAlgorithm['BLAKE2b-384'],
+    HashAlgorithm['BLAKE2b-512'],
+    HashAlgorithm.BLAKE3
+  ],
+  /^([a-fA-F0-9]{32})$|^([a-fA-F0-9]{40})$|^([a-fA-F0-9]{64})$|^([a-fA-F0-9]{96})$|^([a-fA-F0-9]{128})$/,
+  [
+    ExternalReferenceType.VCS,
+    ExternalReferenceType.IssueTracker,
+    ExternalReferenceType.Website,
+    ExternalReferenceType.Advisories,
+    ExternalReferenceType.BOM,
+    ExternalReferenceType.MailingList,
+    ExternalReferenceType.Social,
+    ExternalReferenceType.Chat,
+    ExternalReferenceType.Documentation,
+    ExternalReferenceType.Support,
+    ExternalReferenceType.Distribution,
+    ExternalReferenceType.License,
+    ExternalReferenceType.BuildMeta,
+    ExternalReferenceType.BuildSystem,
+    ExternalReferenceType.Other
+  ],
+  true,
+  false
+))
+
+/** Specification v1.3 */
+export const Spec1dot3: Readonly<Protocol> = Object.freeze(new Spec(
+  Version.v1dot3,
+  [
+    Format.XML,
+    Format.JSON
+  ],
+  [
+    ComponentType.Application,
+    ComponentType.Framework,
+    ComponentType.Library,
+    ComponentType.Container,
+    ComponentType.OperatingSystem,
+    ComponentType.Device,
+    ComponentType.Firmware,
+    ComponentType.File
+  ],
+  [
+    HashAlgorithm.MD5,
+    HashAlgorithm['SHA-1'],
+    HashAlgorithm['SHA-256'],
+    HashAlgorithm['SHA-384'],
+    HashAlgorithm['SHA-512'],
+    HashAlgorithm['SHA3-256'],
+    HashAlgorithm['SHA3-384'],
+    HashAlgorithm['SHA3-512'],
+    HashAlgorithm['BLAKE2b-256'],
+    HashAlgorithm['BLAKE2b-384'],
+    HashAlgorithm['BLAKE2b-512'],
+    HashAlgorithm.BLAKE3
+  ],
+  /^([a-fA-F0-9]{32})$|^([a-fA-F0-9]{40})$|^([a-fA-F0-9]{64})$|^([a-fA-F0-9]{96})$|^([a-fA-F0-9]{128})$/,
+  [
+    ExternalReferenceType.VCS,
+    ExternalReferenceType.IssueTracker,
+    ExternalReferenceType.Website,
+    ExternalReferenceType.Advisories,
+    ExternalReferenceType.BOM,
+    ExternalReferenceType.MailingList,
+    ExternalReferenceType.Social,
+    ExternalReferenceType.Chat,
+    ExternalReferenceType.Documentation,
+    ExternalReferenceType.Support,
+    ExternalReferenceType.Distribution,
+    ExternalReferenceType.License,
+    ExternalReferenceType.BuildMeta,
+    ExternalReferenceType.BuildSystem,
+    ExternalReferenceType.Other
+  ],
+  true,
+  false
+))
+
+/** Specification v1.4 */
+export const Spec1dot4: Readonly<Protocol> = Object.freeze(new Spec(
+  Version.v1dot4,
+  [
+    Format.XML,
+    Format.JSON
+  ],
+  [
+    ComponentType.Application,
+    ComponentType.Framework,
+    ComponentType.Library,
+    ComponentType.Container,
+    ComponentType.OperatingSystem,
+    ComponentType.Device,
+    ComponentType.Firmware,
+    ComponentType.File
+  ],
+  [
+    HashAlgorithm.MD5,
+    HashAlgorithm['SHA-1'],
+    HashAlgorithm['SHA-256'],
+    HashAlgorithm['SHA-384'],
+    HashAlgorithm['SHA-512'],
+    HashAlgorithm['SHA3-256'],
+    HashAlgorithm['SHA3-384'],
+    HashAlgorithm['SHA3-512'],
+    HashAlgorithm['BLAKE2b-256'],
+    HashAlgorithm['BLAKE2b-384'],
+    HashAlgorithm['BLAKE2b-512'],
+    HashAlgorithm.BLAKE3
+  ],
+  /^([a-fA-F0-9]{32})$|^([a-fA-F0-9]{40})$|^([a-fA-F0-9]{64})$|^([a-fA-F0-9]{96})$|^([a-fA-F0-9]{128})$/,
+  [
+    ExternalReferenceType.VCS,
+    ExternalReferenceType.IssueTracker,
+    ExternalReferenceType.Website,
+    ExternalReferenceType.Advisories,
+    ExternalReferenceType.BOM,
+    ExternalReferenceType.MailingList,
+    ExternalReferenceType.Social,
+    ExternalReferenceType.Chat,
+    ExternalReferenceType.Documentation,
+    ExternalReferenceType.Support,
+    ExternalReferenceType.Distribution,
+    ExternalReferenceType.License,
+    ExternalReferenceType.BuildMeta,
+    ExternalReferenceType.BuildSystem,
+    ExternalReferenceType.ReleaseNotes,
+    ExternalReferenceType.Other
+  ],
+  true,
+  true
+))
+
+export const SpecVersionDict = Object.freeze(Object.fromEntries([
+  [Version.v1dot2, Spec1dot2],
+  [Version.v1dot3, Spec1dot3],
+  [Version.v1dot4, Spec1dot4]
+]) as { [key in Version]?: Readonly<Protocol> })

package/src/types/cpe.ts

@@ -0,0 +1,33 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Define the format for acceptable CPE URIs. Supports CPE 2.2 and CPE 2.3 formats.
+ * Refer to {@link https://nvd.nist.gov/products/cpe} for official specification.
+ * @see isCPE
+ */
+export type CPE = string
+
+/* eslint-disable-next-line no-useless-escape -- value directly from XML or JSON spec, surrounded with ^$ */
+const cpePattern = /^([c][pP][eE]:\/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$|^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#$$%&'\(\)\+,\/:;<=>@\[\]\^`\{\|}~]))+(\?*|\*?))|[\*\-])){4})$/
+
+export function isCPE (value: any): value is CPE {
+  return typeof value === 'string' &&
+        cpePattern.test(value)
+}

package/src/types/index.ts

@@ -0,0 +1,23 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export * from './cpe'
+export * from './integer'
+export * from './mimeType'
+export * from './urn'

package/src/types/integer.ts

@@ -0,0 +1,50 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Integer
+ * @see isInteger
+ */
+export type Integer = number | NonNegativeInteger
+
+export function isInteger (value: any): value is Integer {
+  return Number.isInteger(value)
+}
+
+/**
+ * Integer >= 0
+ * @see isNonNegativeInteger
+ */
+export type NonNegativeInteger = number | PositiveInteger
+
+export function isNonNegativeInteger (value: any): value is NonNegativeInteger {
+  return isInteger(value) &&
+    value >= 0
+}
+
+/**
+ * Integer > 0
+ * @see isPositiveInteger
+ */
+export type PositiveInteger = number
+
+export function isPositiveInteger (value: any): value is PositiveInteger {
+  return isInteger(value) &&
+        value > 0
+}

package/src/types/mimeType.ts

@@ -0,0 +1,31 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * @see isMimeType
+ */
+export type MimeType = string
+
+/* regular expression was taken from the CycloneDX schema definitions. */
+const mimeTypePattern = /^[-+a-z0-9.]+\/[-+a-z0-9.]+$/
+
+export function isMimeType (value: any): value is MimeType {
+  return typeof value === 'string' &&
+        mimeTypePattern.test(value)
+}

package/src/types/urn.ts

@@ -0,0 +1,33 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * Defines a string representation of a UUID conforming to RFC 4122.
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc4122}
+ * @see isUrnUuid
+ */
+export type UrnUuid = string
+
+/* regular expression was taken from the CycloneDX schema definitions. */
+const urnUuidPattern = /^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/
+
+export function isUrnUuid (value: any): value is UrnUuid {
+  return typeof value === 'string' &&
+       urnUuidPattern.test(value)
+}