npm - @cyclonedx/cyclonedx-library - Versions diffs - 1.3.0 → 1.3.3 - Mend

@cyclonedx/cyclonedx-library 1.3.0 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

package/README.md +3 -2
package/dist.node/builders/fromNodePackageJson.node.js.map +1 -1
package/dist.node/factories/license.js +2 -2
package/dist.node/factories/license.js.map +1 -1
package/dist.node/factories/packageUrl.js.map +1 -1
package/dist.node/models/attachment.js.map +1 -1
package/dist.node/models/bomRef.js +1 -1
package/dist.node/models/bomRef.js.map +1 -1
package/dist.node/models/externalReference.js.map +1 -1
package/dist.node/models/license.js.map +1 -1
package/dist.node/models/swid.js.map +1 -1
package/dist.node/serialize/baseSerializer.js +8 -3
package/dist.node/serialize/baseSerializer.js.map +1 -1
package/dist.node/serialize/json/normalize.js +3 -3
package/dist.node/serialize/json/normalize.js.map +1 -1
package/dist.node/serialize/jsonSerializer.js.map +1 -1
package/dist.node/serialize/xml/normalize.js +8 -8
package/dist.node/serialize/xml/normalize.js.map +1 -1
package/dist.node/serialize/xml/types.js +25 -3
package/dist.node/serialize/xml/types.js.map +1 -1
package/dist.node/serialize/xmlBaseSerializer.js.map +1 -1
package/dist.node/spec.js +11 -6
package/dist.node/spec.js.map +1 -1
package/dist.web/lib.dev.js +58 -26
package/dist.web/lib.dev.js.map +1 -1
package/dist.web/lib.js +1 -1
package/package.json +1 -1
package/res/README.md +1 -1
package/src/builders/fromNodePackageJson.node.ts +3 -3
package/src/factories/license.ts +2 -2
package/src/factories/packageUrl.ts +1 -1
package/src/models/attachment.ts +1 -1
package/src/models/bom.ts +1 -1
package/src/models/bomRef.ts +2 -2
package/src/models/externalReference.ts +1 -1
package/src/models/license.ts +3 -3
package/src/models/swid.ts +1 -1
package/src/serialize/baseSerializer.ts +11 -4
package/src/serialize/json/normalize.ts +11 -8
package/src/serialize/jsonSerializer.ts +1 -1
package/src/serialize/xml/normalize.ts +16 -13
package/src/serialize/xml/types.ts +36 -5
package/src/serialize/xmlBaseSerializer.ts +1 -1
package/src/spec.ts +28 -22

package/src/serialize/xml/normalize.ts CHANGED Viewed

@@ -28,7 +28,7 @@ import { treeIterator } from '../../helpers/tree'
 export class Factory {
   readonly #spec: Spec
-  constructor (spec: Spec) {
+  constructor (spec: Factory['spec']) {
     this.#spec = spec
   }
@@ -104,7 +104,7 @@ interface Normalizer {
 abstract class Base implements Normalizer {
   protected readonly _factory: Factory
-  constructor (factory: Factory) {
+  constructor (factory: Base['factory']) {
     this._factory = factory
   }
@@ -260,7 +260,8 @@ export class HashNormalizer extends Base {
       options.sortLists ?? false
         ? data.sorted()
         : Array.from(data)
-    ).map(h => this.normalize(h, options, elementName)
+    ).map(
+      h => this.normalize(h, options, elementName)
     ).filter(isNotUndefined)
   }
 }
@@ -344,18 +345,18 @@ export class ComponentNormalizer extends Base {
             .normalizeRepository(data.externalReferences, options, 'reference')
         }
       : undefined
-    const components: SimpleXml.Element | undefined = data.components.size > 0
+    const properties: SimpleXml.Element | undefined = spec.supportsProperties(data) && data.properties.size > 0
       ? {
           type: 'element',
-          name: 'components',
-          children: this.normalizeRepository(data.components, options, 'component')
+          name: 'properties',
+          children: this._factory.makeForProperty().normalizeRepository(data.properties, options, 'property')
         }
       : undefined
-    const properties: SimpleXml.Element | undefined = data.properties.size > 0
+    const components: SimpleXml.Element | undefined = data.components.size > 0
       ? {
           type: 'element',
-          name: 'properties',
-          children: this._factory.makeForProperty().normalizeRepository(data.properties, options, 'property')
+          name: 'components',
+          children: this.normalizeRepository(data.components, options, 'component')
         }
       : undefined
     return {
@@ -381,8 +382,8 @@ export class ComponentNormalizer extends Base {
         makeOptionalTextElement(data.purl, 'purl'),
         swid,
         extRefs,
-        components,
-        properties
+        properties,
+        components
       ].filter(isNotUndefined)
     }
   }
@@ -392,7 +393,8 @@ export class ComponentNormalizer extends Base {
       options.sortLists ?? false
         ? data.sorted()
         : Array.from(data)
-    ).map(c => this.normalize(c, options, elementName)
+    ).map(
+      c => this.normalize(c, options, elementName)
     ).filter(isNotUndefined)
   }
 }
@@ -510,7 +512,8 @@ export class ExternalReferenceNormalizer extends Base {
       options.sortLists ?? false
         ? data.sorted()
         : Array.from(data)
-    ).map(r => this.normalize(r, options, elementName)
+    ).map(
+      r => this.normalize(r, options, elementName)
     ).filter(isNotUndefined)
   }
 }

package/src/serialize/xml/types.ts CHANGED Viewed

@@ -20,6 +20,8 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 // eslint-disable-next-line @typescript-eslint/no-namespace
 export namespace XmlSchema {
+  const _anyUriSchemePattern = /^[a-z][a-z0-9+\-.]*$/i
   /**
    * @see isAnyURI
    */
@@ -28,13 +30,42 @@ export namespace XmlSchema {
    * Test whether format is XML::anyURI - best-effort.
    *
    * @see {@link http://www.w3.org/TR/xmlschema-2/#anyURI}
-   * @see {@link http://www.datypic.com/sc/xsd/t-xsd_anyURI.html}
+   * @see {@link https://www.w3.org/2011/04/XMLSchema/TypeLibrary-URI-RFC3986.xsd}
+   * @see {@link https://www.w3.org/2011/04/XMLSchema/TypeLibrary-IRI-RFC3987.xsd}
    */
   export function isAnyURI (value: AnyURI | any): value is AnyURI {
-    return typeof value === 'string' &&
-      value.length > 0 &&
-      Array.from(value).filter(c => c === '#').length <= 1
-    // TODO add more validation according to spec
+    if (typeof value !== 'string') {
+      // not a string
+      return false
+    }
+    if (value.length === 0) {
+      // empty string
+      return false
+    }
+    const fragmentPos = value.indexOf('#')
+    let beforeFragment: string
+    if (fragmentPos >= 0) {
+      if (value.includes('#', fragmentPos + 1)) {
+        // has a second fragment marker
+        return false
+      }
+      beforeFragment = value.slice(undefined, fragmentPos)
+    } else {
+      beforeFragment = value
+    }
+    const schemePos = beforeFragment.indexOf(':')
+    if (schemePos >= 0) {
+      if (!_anyUriSchemePattern.test(beforeFragment.slice(undefined, schemePos))) {
+        // invalid schema
+        return false
+      }
+    }
+    // @TODO add more validation according to spec
+    return true
   }
 }

package/src/serialize/xmlBaseSerializer.ts CHANGED Viewed

@@ -33,7 +33,7 @@ export abstract class XmlBaseSerializer extends BaseSerializer<SimpleXml.Element
   /**
    * @throws {UnsupportedFormatError} if {@see normalizerFactory.spec} does not support {@see Format.XML}.
    */
-  constructor (normalizerFactory: NormalizerFactory) {
+  constructor (normalizerFactory: XmlBaseSerializer['normalizerFactory']) {
     if (!normalizerFactory.spec.supportsFormat(Format.JSON)) {
       throw new UnsupportedFormatError('Spec does not support JSON format.')
     }

package/src/spec.ts CHANGED Viewed

@@ -37,28 +37,21 @@ export class UnsupportedFormatError extends Error {
 }
 export interface Protocol {
-  readonly version: Version
+  version: Version
   supportsFormat: (f: Format | any) => boolean
   supportsComponentType: (ct: ComponentType | any) => boolean
   supportsHashAlgorithm: (ha: HashAlgorithm | any) => boolean
   supportsHashValue: (hv: HashContent | any) => boolean
   supportsExternalReferenceType: (ert: ExternalReferenceType | any) => boolean
-  readonly supportsDependencyGraph: boolean
-  readonly supportsToolReferences: boolean
-  readonly requiresComponentVersion: boolean
+  supportsDependencyGraph: boolean
+  supportsToolReferences: boolean
+  requiresComponentVersion: boolean
+  supportsProperties: (model: any) => boolean
 }
 /**
- * @internal This class was never intended to be public,
- *           but it is a helper to get the exact spec-versions implemented according to {@see Protocol}.
+ * @internal This class was never intended to be public, but
+ *           it is a helper to get the exact spec-versions implemented according to {@see Protocol}.
  */
 class Spec implements Protocol {
   readonly #version: Version
@@ -70,6 +63,7 @@ class Spec implements Protocol {
   readonly #supportsDependencyGraph: boolean
   readonly #supportsToolReferences: boolean
   readonly #requiresComponentVersion: boolean
+  readonly #supportsProperties: boolean
   constructor (
     version: Version,
@@ -80,7 +74,8 @@ class Spec implements Protocol {
     externalReferenceTypes: Iterable<ExternalReferenceType>,
     supportsDependencyGraph: boolean,
     supportsToolReferences: boolean,
-    requiresComponentVersion: boolean
+    requiresComponentVersion: boolean,
+    supportsProperties: boolean
   ) {
     this.#version = version
     this.#formats = new Set(formats)
@@ -91,6 +86,7 @@ class Spec implements Protocol {
     this.#supportsDependencyGraph = supportsDependencyGraph
     this.#supportsToolReferences = supportsToolReferences
     this.#requiresComponentVersion = requiresComponentVersion
+    this.#supportsProperties = supportsProperties
   }
   get version (): Version {
@@ -129,6 +125,11 @@ class Spec implements Protocol {
   get requiresComponentVersion (): boolean {
     return this.#requiresComponentVersion
   }
+  supportsProperties (): boolean {
+    // currently a global allow/deny -- might work based on input, in the future
+    return this.#supportsProperties
+  }
 }
 /** Specification v1.2 */
@@ -182,7 +183,8 @@ export const Spec1dot2: Readonly<Protocol> = Object.freeze(new Spec(
   ],
   true,
   false,
-  true
+  true,
+  false
 ))
 /** Specification v1.3 */
@@ -236,6 +238,7 @@ export const Spec1dot3: Readonly<Protocol> = Object.freeze(new Spec(
   ],
   true,
   false,
+  true,
   true
 ))
@@ -291,11 +294,14 @@ export const Spec1dot4: Readonly<Protocol> = Object.freeze(new Spec(
   ],
   true,
   true,
-  false
+  false,
+  true
 ))
-export const SpecVersionDict = Object.freeze(Object.fromEntries([
-  [Version.v1dot2, Spec1dot2],
-  [Version.v1dot3, Spec1dot3],
-  [Version.v1dot4, Spec1dot4]
-]) as { [key in Version]?: Readonly<Protocol> })
+export const SpecVersionDict: { readonly [key in Version]?: Readonly<Protocol> } = Object.freeze(
+  Object.fromEntries([
+    [Version.v1dot2, Spec1dot2],
+    [Version.v1dot3, Spec1dot3],
+    [Version.v1dot4, Spec1dot4]
+  ])
+)