npm - @cyclonedx/cyclonedx-library - Versions diffs - 2.0.0 → 3.0.0 - Mend

@cyclonedx/cyclonedx-library 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/README.md +3 -2
package/dist.d/enums/componentType.d.ts +5 -1
package/dist.d/enums/componentType.d.ts.map +1 -1
package/dist.d/enums/externalReferenceType.d.ts +23 -0
package/dist.d/enums/externalReferenceType.d.ts.map +1 -1
package/dist.d/enums/vulnerability/ratingMethod.d.ts +9 -4
package/dist.d/enums/vulnerability/ratingMethod.d.ts.map +1 -1
package/dist.d/models/bomLink.d.ts +66 -0
package/dist.d/models/bomLink.d.ts.map +1 -0
package/dist.d/models/bomRef.d.ts +4 -2
package/dist.d/models/bomRef.d.ts.map +1 -1
package/dist.d/models/externalReference.d.ts +2 -1
package/dist.d/models/externalReference.d.ts.map +1 -1
package/dist.d/models/index.d.ts +1 -0
package/dist.d/models/index.d.ts.map +1 -1
package/dist.d/models/vulnerability/affect.d.ts +3 -2
package/dist.d/models/vulnerability/affect.d.ts.map +1 -1
package/dist.d/serialize/json/normalize.d.ts.map +1 -1
package/dist.d/serialize/json/types.d.ts +9 -5
package/dist.d/serialize/json/types.d.ts.map +1 -1
package/dist.d/serialize/xml/normalize.d.ts +9 -9
package/dist.d/serialize/xml/normalize.d.ts.map +1 -1
package/dist.d/spec.d.ts +9 -5
package/dist.d/spec.d.ts.map +1 -1
package/dist.d/types/integer.d.ts +2 -2
package/dist.node/_helpers/packageUrl.js +1 -1
package/dist.node/_helpers/packageUrl.js.map +1 -1
package/dist.node/enums/attachmentEncoding.js +1 -1
package/dist.node/enums/attachmentEncoding.js.map +1 -1
package/dist.node/enums/componentScope.js +1 -1
package/dist.node/enums/componentScope.js.map +1 -1
package/dist.node/enums/componentType.js +5 -1
package/dist.node/enums/componentType.js.map +1 -1
package/dist.node/enums/externalReferenceType.js +24 -1
package/dist.node/enums/externalReferenceType.js.map +1 -1
package/dist.node/enums/hashAlogorithm.js +1 -1
package/dist.node/enums/hashAlogorithm.js.map +1 -1
package/dist.node/enums/vulnerability/affectStatus.js +1 -1
package/dist.node/enums/vulnerability/affectStatus.js.map +1 -1
package/dist.node/enums/vulnerability/analysisJustification.js +1 -1
package/dist.node/enums/vulnerability/analysisJustification.js.map +1 -1
package/dist.node/enums/vulnerability/analysisResponse.js +1 -1
package/dist.node/enums/vulnerability/analysisResponse.js.map +1 -1
package/dist.node/enums/vulnerability/analysisState.js +1 -1
package/dist.node/enums/vulnerability/analysisState.js.map +1 -1
package/dist.node/enums/vulnerability/ratingMethod.js +3 -1
package/dist.node/enums/vulnerability/ratingMethod.js.map +1 -1
package/dist.node/enums/vulnerability/severity.js +1 -1
package/dist.node/enums/vulnerability/severity.js.map +1 -1
package/dist.node/models/bomLink.js +80 -0
package/dist.node/models/bomLink.js.map +1 -0
package/dist.node/models/bomRef.js.map +1 -1
package/dist.node/models/externalReference.js.map +1 -1
package/dist.node/models/index.js +1 -0
package/dist.node/models/index.js.map +1 -1
package/dist.node/models/vulnerability/affect.js.map +1 -1
package/dist.node/resources.node.js +15 -12
package/dist.node/resources.node.js.map +1 -1
package/dist.node/serialize/json/normalize.js +6 -3
package/dist.node/serialize/json/normalize.js.map +1 -1
package/dist.node/serialize/json/types.js +1 -1
package/dist.node/serialize/json/types.js.map +1 -1
package/dist.node/serialize/xml/normalize.js +18 -4
package/dist.node/serialize/xml/normalize.js.map +1 -1
package/dist.node/serialize/xml/types.js +1 -1
package/dist.node/serialize/xml/types.js.map +1 -1
package/dist.node/spec.js +106 -15
package/dist.node/spec.js.map +1 -1
package/dist.web/lib.dev.js +264 -37
package/dist.web/lib.dev.js.map +1 -1
package/dist.web/lib.js +1 -1
package/dist.web/lib.js.map +1 -1
package/libs/universal-node-xml/stringifiers/xmlbuilder2.js +1 -1
package/package.json +9 -9
package/res/schema/README.md +14 -11
package/res/schema/bom-1.1.SNAPSHOT.xsd +8 -1
package/res/schema/bom-1.2-strict.SNAPSHOT.schema.json +8 -5
package/res/schema/bom-1.2.SNAPSHOT.schema.json +8 -4
package/res/schema/bom-1.2.SNAPSHOT.xsd +10 -3
package/res/schema/bom-1.3-strict.SNAPSHOT.schema.json +8 -4
package/res/schema/bom-1.3.SNAPSHOT.schema.json +8 -4
package/res/schema/bom-1.3.SNAPSHOT.xsd +14 -5
package/res/schema/bom-1.4.SNAPSHOT.schema.json +2 -2
package/res/schema/bom-1.4.SNAPSHOT.xsd +4 -2
package/res/schema/bom-1.5.SNAPSHOT.schema.json +3799 -0
package/res/schema/bom-1.5.SNAPSHOT.xsd +5464 -0
package/res/schema/jsf-0.82.SNAPSHOT.schema.json +0 -4
package/res/schema/spdx.SNAPSHOT.schema.json +569 -486
package/res/schema/spdx.SNAPSHOT.xsd +1468 -1053
package/src/enums/componentType.ts +4 -0
package/src/enums/externalReferenceType.ts +23 -0
package/src/enums/vulnerability/ratingMethod.ts +9 -4
package/src/models/bomLink.ts +111 -0
package/src/models/bomRef.ts +5 -2
package/src/models/externalReference.ts +2 -1
package/src/models/index.ts +1 -0
package/src/models/vulnerability/affect.ts +3 -2
package/src/resources.node.ts +20 -17
package/src/serialize/json/normalize.ts +6 -3
package/src/serialize/json/types.ts +10 -5
package/src/serialize/xml/normalize.ts +17 -12
package/src/spec.ts +121 -7
package/src/types/integer.ts +2 -2

package/src/spec.ts CHANGED Viewed

@@ -17,15 +17,16 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
-import { ComponentType, ExternalReferenceType, HashAlgorithm } from './enums'
+import { ComponentType, ExternalReferenceType, HashAlgorithm, Vulnerability } from './enums'
 import type { HashContent } from './models'
 export enum Version {
-  v1dot0 = '1.0',
-  v1dot1 = '1.1',
-  v1dot2 = '1.2',
-  v1dot3 = '1.3',
+  v1dot5 = '1.5',
   v1dot4 = '1.4',
+  v1dot3 = '1.3',
+  v1dot2 = '1.2',
+  v1dot1 = '1.1',
+  v1dot0 = '1.0',
 }
 export enum Format {
@@ -48,6 +49,7 @@ export interface Protocol {
   requiresComponentVersion: boolean
   supportsProperties: (model: any) => boolean
   supportsVulnerabilities: boolean
+  supportsVulnerabilityRatingMethod: (rm: Vulnerability.RatingMethod | any) => boolean
   supportsComponentEvidence: boolean
 }
@@ -62,6 +64,7 @@ class Spec implements Protocol {
   readonly #hashAlgorithms: ReadonlySet<HashAlgorithm>
   readonly #hashValuePattern: RegExp
   readonly #externalReferenceTypes: ReadonlySet<ExternalReferenceType>
+  readonly #vulnerabilityRatingMethods: ReadonlySet<Vulnerability.RatingMethod>
   readonly #supportsDependencyGraph: boolean
   readonly #supportsToolReferences: boolean
   readonly #requiresComponentVersion: boolean
@@ -81,6 +84,7 @@ class Spec implements Protocol {
     requiresComponentVersion: boolean,
     supportsProperties: boolean,
     supportsVulnerabilities: boolean,
+    vulnerabilityRatingMethods: Iterable<Vulnerability.RatingMethod>,
     supportsComponentEvidence: boolean
   ) {
     this.#version = version
@@ -94,6 +98,7 @@ class Spec implements Protocol {
     this.#requiresComponentVersion = requiresComponentVersion
     this.#supportsProperties = supportsProperties
     this.#supportsVulnerabilities = supportsVulnerabilities
+    this.#vulnerabilityRatingMethods = new Set(vulnerabilityRatingMethods)
     this.#supportsComponentEvidence = supportsComponentEvidence
   }
@@ -143,6 +148,10 @@ class Spec implements Protocol {
     return this.#supportsVulnerabilities
   }
+  supportsVulnerabilityRatingMethod (rm: Vulnerability.RatingMethod | any): boolean {
+    return this.#vulnerabilityRatingMethods.has(rm)
+  }
   get supportsComponentEvidence (): boolean {
     return this.#supportsComponentEvidence
   }
@@ -202,6 +211,7 @@ export const Spec1dot2: Readonly<Protocol> = Object.freeze(new Spec(
   true,
   false,
   false,
+  [],
   false
 ))
@@ -259,6 +269,7 @@ export const Spec1dot3: Readonly<Protocol> = Object.freeze(new Spec(
   true,
   true,
   false,
+  [],
   true
 ))
@@ -317,11 +328,114 @@ export const Spec1dot4: Readonly<Protocol> = Object.freeze(new Spec(
   false,
   true,
   true,
+  [
+    Vulnerability.RatingMethod.CVSSv2,
+    Vulnerability.RatingMethod.CVSSv3,
+    Vulnerability.RatingMethod.CVSSv31,
+    Vulnerability.RatingMethod.OWASP,
+    Vulnerability.RatingMethod.Other
+  ],
+  true
+))
+/** Specification v1.5 */
+export const Spec1dot5: Readonly<Protocol> = Object.freeze(new Spec(
+  Version.v1dot5,
+  [
+    Format.XML,
+    Format.JSON
+  ],
+  [
+    ComponentType.Application,
+    ComponentType.Framework,
+    ComponentType.Library,
+    ComponentType.Container,
+    ComponentType.Platform,
+    ComponentType.OperatingSystem,
+    ComponentType.Device,
+    ComponentType.DeviceDriver,
+    ComponentType.Firmware,
+    ComponentType.File,
+    ComponentType.MachineLearningModel,
+    ComponentType.Data
+  ],
+  [
+    HashAlgorithm.MD5,
+    HashAlgorithm['SHA-1'],
+    HashAlgorithm['SHA-256'],
+    HashAlgorithm['SHA-384'],
+    HashAlgorithm['SHA-512'],
+    HashAlgorithm['SHA3-256'],
+    HashAlgorithm['SHA3-384'],
+    HashAlgorithm['SHA3-512'],
+    HashAlgorithm['BLAKE2b-256'],
+    HashAlgorithm['BLAKE2b-384'],
+    HashAlgorithm['BLAKE2b-512'],
+    HashAlgorithm.BLAKE3
+  ],
+  /^([a-fA-F0-9]{32})$|^([a-fA-F0-9]{40})$|^([a-fA-F0-9]{64})$|^([a-fA-F0-9]{96})$|^([a-fA-F0-9]{128})$/,
+  [
+    ExternalReferenceType.VCS,
+    ExternalReferenceType.IssueTracker,
+    ExternalReferenceType.Website,
+    ExternalReferenceType.Advisories,
+    ExternalReferenceType.BOM,
+    ExternalReferenceType.MailingList,
+    ExternalReferenceType.Social,
+    ExternalReferenceType.Chat,
+    ExternalReferenceType.Documentation,
+    ExternalReferenceType.Support,
+    ExternalReferenceType.Distribution,
+    ExternalReferenceType.DistributionIntake,
+    ExternalReferenceType.License,
+    ExternalReferenceType.BuildMeta,
+    ExternalReferenceType.BuildSystem,
+    ExternalReferenceType.ReleaseNotes,
+    ExternalReferenceType.SecurityContact,
+    ExternalReferenceType.ModelCard,
+    ExternalReferenceType.Log,
+    ExternalReferenceType.Configuration,
+    ExternalReferenceType.Evidence,
+    ExternalReferenceType.Formulation,
+    ExternalReferenceType.Attestation,
+    ExternalReferenceType.ThreatModel,
+    ExternalReferenceType.AdversaryModel,
+    ExternalReferenceType.RiskAssessment,
+    ExternalReferenceType.VulnerabilityAssertion,
+    ExternalReferenceType.ExploitabilityStatement,
+    ExternalReferenceType.PentestReport,
+    ExternalReferenceType.StaticAnalysisReport,
+    ExternalReferenceType.DynamicAnalysisReport,
+    ExternalReferenceType.RuntimeAnalysisReport,
+    ExternalReferenceType.ComponentAnalysisReport,
+    ExternalReferenceType.MaturityReport,
+    ExternalReferenceType.CertificationReport,
+    ExternalReferenceType.CodifiedInfrastructure,
+    ExternalReferenceType.QualityMetrics,
+    ExternalReferenceType.POAM,
+    ExternalReferenceType.Other
+  ],
+  true,
+  true,
+  false,
+  true,
+  true,
+  [
+    Vulnerability.RatingMethod.CVSSv2,
+    Vulnerability.RatingMethod.CVSSv3,
+    Vulnerability.RatingMethod.CVSSv31,
+    Vulnerability.RatingMethod.CVSSv4,
+    Vulnerability.RatingMethod.OWASP,
+    Vulnerability.RatingMethod.SSVC,
+    Vulnerability.RatingMethod.Other
+  ],
   true
 ))
 export const SpecVersionDict: Readonly<Partial<Record<Version, Readonly<Protocol>>>> = Object.freeze({
-  [Version.v1dot2]: Spec1dot2,
+  [Version.v1dot5]: Spec1dot5,
+  [Version.v1dot4]: Spec1dot4,
   [Version.v1dot3]: Spec1dot3,
-  [Version.v1dot4]: Spec1dot4
+  [Version.v1dot2]: Spec1dot2
+  // <= v1.1 is not implemented
 })

package/src/types/integer.ts CHANGED Viewed

@@ -29,7 +29,7 @@ export function isInteger (value: any): value is Integer {
 }
 /**
- * Integer greater than 0
+ * Integer greater than or equal to `0`
  *
  * @see {@link isNonNegativeInteger}
  */
@@ -41,7 +41,7 @@ export function isNonNegativeInteger (value: any): value is NonNegativeInteger {
 }
 /**
- * Integer greater 0
+ * Integer greater `0`
  *
  * @see {@link isPositiveInteger}
  */