@cyclonedx/cyclonedx-library 6.1.2 → 6.2.0

package/libs/universal-node-xml/stringifiers/xmlbuilder2.js

@@ -38,14 +38,14 @@ module.exports = typeof create === 'function'
 /* eslint-enable jsdoc/valid-types */
 
 /**
- * @param {Element} element
+ * @param {Element} rootElement
  * @param {string|number|undefined} [space]
  * @return {string}
  */
-function stringify (element, { space } = {}) {
+function stringify (rootElement, { space } = {}) {
   const indent = makeIndent(space)
   const doc = create({ encoding: 'UTF-8' })
-  addEle(doc, element)
+  addEle(doc, rootElement)
   return doc.end({
     format: 'xml',
     newline: '\n',
@@ -63,9 +63,11 @@ function addEle (parent, element, parentNS = null) {
   if (element.type !== 'element') { return }
   const ns = getNS(element) ?? parentNS
   const ele = parent.ele(ns, element.name, element.attributes)
-  if (typeof element.children === 'string' || typeof element.children === 'number') {
+  if (element.children === undefined) {
+    /* pass */
+  } else if (typeof element.children === 'string' || typeof element.children === 'number') {
     ele.txt(element.children.toString())
-  } else if (Array.isArray(element.children)) {
+  } else {
     for (const child of element.children) {
       addEle(ele, child, ns)
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "6.1.2",
+  "version": "6.2.0",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [
@@ -84,7 +84,7 @@
     "deepmerge": "^4.2.2",
     "eslint": "8.55.0",
     "eslint-config-standard": "17.1.0",
-    "eslint-config-standard-with-typescript": "40.0.0",
+    "eslint-config-standard-with-typescript": "42.0.0",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-jsdoc": "46.9.0",
     "eslint-plugin-simple-import-sort": "10.0.0",
@@ -95,7 +95,7 @@
     "ts-loader": "9.5.1",
     "typedoc": "^0.25.0",
     "typedoc-plugin-missing-exports": "^2.0.1",
-    "typescript": "5.3.2",
+    "typescript": "5.3.3",
     "webpack": "5.89.0",
     "webpack-cli": "5.1.4",
     "webpack-node-externals": "3.0.0"

package/src/_helpers/uri.ts

@@ -0,0 +1,51 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+const escapeMap: Readonly<Record<string, string>> = Object.freeze({
+  ' ': '%20',
+  '[': '%5B',
+  ']': '%5D',
+  '<': '%3C',
+  '>': '%3E',
+  '{': '%7B',
+  '}': '%7D'
+})
+
+/**
+ * Make a string valid to
+ * - XML::anyURI spec.
+ * - JSON::iri-reference spec.
+ *
+ * BEST EFFORT IMPLEMENTATION
+ *
+ * @see http://www.w3.org/TR/xmlschema-2/#anyURI
+ * @see http://www.datypic.com/sc/xsd/t-xsd_anyURI.html
+ * @see https://datatracker.ietf.org/doc/html/rfc2396
+ * @see https://datatracker.ietf.org/doc/html/rfc3987
+ */
+export function escapeUri<T extends (string | undefined)> (value: T): T {
+  if (value === undefined) {
+    return value
+  }
+  for (const [s, r] of Object.entries(escapeMap)) {
+    /* @ts-expect-error -- TS does not properly detect that value is to be forced as string, here */
+    value = value.replace(s, r)
+  }
+  return value
+}

package/src/serialize/bomRefDiscriminator.ts

@@ -20,14 +20,12 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import type { BomRef } from '../models'
 
 export class BomRefDiscriminator {
-  readonly #originalValues: ReadonlyMap<BomRef, string | undefined>
+  readonly #originalValues: ReadonlyArray<readonly [BomRef, string | undefined]>
 
   readonly #prefix: string
 
   constructor (bomRefs: Iterable<BomRef>, prefix: string = 'BomRef') {
-    this.#originalValues = new Map(
-      Array.from(bomRefs, r => [r, r.value])
-    )
+    this.#originalValues = Array.from(bomRefs, r => [r, r.value])
     this.#prefix = prefix
   }
 
@@ -35,9 +33,11 @@ export class BomRefDiscriminator {
     return this.#prefix
   }
 
-  /** Iterate over the bomRefs. */
-  [Symbol.iterator] (): IterableIterator<BomRef> {
-    return this.#originalValues.keys()
+  /** Iterate over the {@link BomRef}s. */
+  * [Symbol.iterator] (): IterableIterator<BomRef> {
+    for (const [bomRef] of this.#originalValues) {
+      yield bomRef
+    }
   }
 
   discriminate (): void {

package/src/serialize/json/normalize.ts

@@ -21,6 +21,7 @@ import { isNotUndefined } from '../../_helpers/notUndefined'
 import type { SortableIterable } from '../../_helpers/sortable'
 import type { Stringable } from '../../_helpers/stringable'
 import { treeIteratorSymbol } from '../../_helpers/tree'
+import { escapeUri } from '../../_helpers/uri'
 import * as Models from '../../models'
 import { isSupportedSpdxId } from '../../spdx'
 import { Version as SpecVersion } from '../../spec'
@@ -311,8 +312,10 @@ export class OrganizationalContactNormalizer extends BaseJsonNormalizer<Models.O
 
 export class OrganizationalEntityNormalizer extends BaseJsonNormalizer<Models.OrganizationalEntity> {
   normalize (data: Models.OrganizationalEntity, options: NormalizerOptions): Normalized.OrganizationalEntity {
-    const urls = normalizeStringableIter(data.url, options)
-      .filter(JsonSchema.isIriReference)
+    const urls = normalizeStringableIter(
+      Array.from(data.url, (s) => escapeUri(s.toString())),
+      options
+    ).filter(JsonSchema.isIriReference)
     return {
       name: data.name || undefined,
       url: urls.length > 0
@@ -438,7 +441,7 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): Normalized.NamedLicense {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       license: {
         name: data.name,
@@ -453,13 +456,16 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): Normalized.SpdxLicense {
+    const url = escapeUri(data.url?.toString())
     return {
       license: {
         id: data.id,
         text: data.text === undefined
           ? undefined
           : this._factory.makeForAttachment().normalize(data.text, options),
-        url: data.url?.toString()
+        url: JsonSchema.isIriReference(url)
+          ? url
+          : undefined
       }
     }
   }
@@ -493,7 +499,7 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
 
 export class SWIDNormalizer extends BaseJsonNormalizer<Models.SWID> {
   normalize (data: Models.SWID, options: NormalizerOptions): Normalized.SWID {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       tagId: data.tagId,
       name: data.name,
@@ -514,7 +520,7 @@ export class ExternalReferenceNormalizer extends BaseJsonNormalizer<Models.Exter
   normalize (data: Models.ExternalReference, options: NormalizerOptions): Normalized.ExternalReference | undefined {
     return this._factory.spec.supportsExternalReferenceType(data.type)
       ? {
-          url: data.url.toString(),
+          url: escapeUri(data.url.toString()),
           type: data.type,
           hashes: this._factory.spec.supportsExternalReferenceHashes && data.hashes.size > 0
             ? this._factory.makeForHash().normalizeIterable(data.hashes, options)
@@ -726,7 +732,7 @@ export class VulnerabilityRatingNormalizer extends BaseJsonNormalizer<Models.Vul
 
 export class VulnerabilityAdvisoryNormalizer extends BaseJsonNormalizer<Models.Vulnerability.Advisory> {
   normalize (data: Models.Vulnerability.Advisory, options: NormalizerOptions): Normalized.Vulnerability.Advisory | undefined {
-    const url = data.url.toString()
+    const url = escapeUri(data.url.toString())
     if (!JsonSchema.isIriReference(url)) {
       // invalid value -> cannot render
       return undefined

package/src/serialize/xml/normalize.ts

@@ -21,6 +21,7 @@ import { isNotUndefined } from '../../_helpers/notUndefined'
 import type { SortableIterable } from '../../_helpers/sortable'
 import type { Stringable } from '../../_helpers/stringable'
 import { treeIteratorSymbol } from '../../_helpers/tree'
+import { escapeUri } from '../../_helpers/uri'
 import * as Models from '../../models'
 import { isSupportedSpdxId } from '../../spdx'
 import { Version as SpecVersion } from '../../spec'
@@ -388,8 +389,10 @@ export class OrganizationalEntityNormalizer extends BaseXmlNormalizer<Models.Org
       name: elementName,
       children: [
         makeOptionalTextElement(data.name, 'name'),
-        ...makeTextElementIter(data.url, options, 'url')
-          .filter(({ children: u }) => XmlSchema.isAnyURI(u)),
+        ...makeTextElementIter(Array.from(
+          data.url, (s): string => escapeUri(s.toString())
+        ), options, 'url'
+        ).filter(({ children: u }) => XmlSchema.isAnyURI(u)),
         ...this._factory.makeForOrganizationalContact().normalizeIterable(data.contact, options, 'contact')
       ].filter(isNotUndefined)
     }
@@ -554,7 +557,7 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       type: 'element',
       name: 'license',
@@ -571,7 +574,7 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       type: 'element',
       name: 'license',
@@ -614,7 +617,7 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
 
 export class SWIDNormalizer extends BaseXmlNormalizer<Models.SWID> {
   normalize (data: Models.SWID, options: NormalizerOptions, elementName: string): SimpleXml.Element {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       type: 'element',
       name: elementName,
@@ -641,7 +644,7 @@ export class SWIDNormalizer extends BaseXmlNormalizer<Models.SWID> {
 
 export class ExternalReferenceNormalizer extends BaseXmlNormalizer<Models.ExternalReference> {
   normalize (data: Models.ExternalReference, options: NormalizerOptions, elementName: string): SimpleXml.Element | undefined {
-    const url = data.url.toString()
+    const url = escapeUri(data.url.toString())
     const hashes: SimpleXml.Element | undefined = this._factory.spec.supportsExternalReferenceHashes && data.hashes.size > 0
       ? {
           type: 'element',
@@ -874,7 +877,7 @@ export class VulnerabilityNormalizer extends BaseXmlNormalizer<Models.Vulnerabil
 
 export class VulnerabilitySourceNormalizer extends BaseXmlNormalizer<Models.Vulnerability.Source> {
   normalize (data: Models.Vulnerability.Source, options: NormalizerOptions, elementName: string): SimpleXml.Element {
-    const url = data.url?.toString()
+    const url = escapeUri(data.url?.toString())
     return {
       type: 'element',
       name: elementName,
@@ -940,7 +943,7 @@ export class VulnerabilityRatingNormalizer extends BaseXmlNormalizer<Models.Vuln
 
 export class VulnerabilityAdvisoryNormalizer extends BaseXmlNormalizer<Models.Vulnerability.Advisory> {
   normalize (data: Models.Vulnerability.Advisory, options: NormalizerOptions, elementName: string): SimpleXml.Element | undefined {
-    const url = data.url.toString()
+    const url = escapeUri(data.url.toString())
     if (!XmlSchema.isAnyURI(url)) {
       // invalid value -> cannot render
       return undefined

package/src/serialize/xmlSerializer.web.ts

@@ -36,11 +36,11 @@ export class XmlSerializer extends XmlBaseSerializer {
   }
 
   #buildXmlDocument (
-    normalizedBom: SimpleXml.Element
+    rootElement: SimpleXml.Element
   ): XMLDocument {
     const namespace = null
     const doc = document.implementation.createDocument(namespace, null)
-    doc.appendChild(this.#buildElement(normalizedBom, doc, namespace))
+    doc.appendChild(this.#buildElement(rootElement, doc, namespace))
     return doc
   }
 
@@ -58,7 +58,7 @@ export class XmlSerializer extends XmlBaseSerializer {
       this.#setAttributes(node, element.attributes)
     }
     if (isNotUndefined(element.children)) {
-      this.#setChildren(node, element.children, ns)
+      this.#addChildren(node, element.children, ns)
     }
     return node
   }
@@ -72,14 +72,18 @@ export class XmlSerializer extends XmlBaseSerializer {
     }
   }
 
-  #setChildren (node: Element, children: SimpleXml.ElementChildren, parentNS: string | null = null): void {
+  #addChildren (node: Element, children: SimpleXml.ElementChildren, parentNS: string | null = null): void {
+    if (children === undefined) {
+      return
+    }
+
     if (typeof children === 'string' || typeof children === 'number') {
       node.textContent = children.toString()
       return
     }
 
     const doc = node.ownerDocument
-    for (const child of (children as Iterable<SimpleXml.Comment | SimpleXml.Element>)) {
+    for (const child of children) {
       if (child.type === 'element') {
         node.appendChild(this.#buildElement(child, doc, parentNS))
       }

package/src/spdx.ts

@@ -20,7 +20,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import * as spdxExpressionParse from 'spdx-expression-parse'
 
 /* @ts-expect-error: TS6059 -- this works as long as the file/path is available in dist-package. */
-import { enum as _spdxSpecEnum } from '../res/schema/spdx.SNAPSHOT.schema.json' assert { type: 'json' }
+import { enum as _spdxSpecEnum } from '../res/schema/spdx.SNAPSHOT.schema.json' with { type: 'json' }
 
 /**
  * One of the known SPDX licence identifiers.
@@ -33,18 +33,19 @@ export type SpdxId = string
 
 const spdxIds: ReadonlySet<SpdxId> = new Set(_spdxSpecEnum)
 
-const spdxLowerToActual: ReadonlyMap<string, SpdxId> = new Map(
+const spdxLowerToActual: Readonly<Record<string, SpdxId>> = Object.freeze(Object.fromEntries(
   _spdxSpecEnum.map(spdxId => [spdxId.toLowerCase(), spdxId])
-)
+))
 
 export function isSupportedSpdxId (value: SpdxId | any): value is SpdxId {
+  /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
   return spdxIds.has(value)
 }
 
 /** Try to convert a `string`-like to a valid/known {@link SpdxId}. */
 export function fixupSpdxId (value: string | any): SpdxId | undefined {
   return typeof value === 'string' && value.length > 0
-    ? spdxLowerToActual.get(value.toLowerCase())
+    ? spdxLowerToActual[value.toLowerCase()]
     : undefined
 }
 

package/src/spec/_protocol.ts

@@ -109,14 +109,17 @@ export class _Spec implements _SpecProtocol {
   }
 
   supportsFormat (f: Format | any): boolean {
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
     return this.#formats.has(f)
   }
 
   supportsComponentType (ct: ComponentType | any): boolean {
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
     return this.#componentTypes.has(ct)
   }
 
   supportsHashAlgorithm (ha: HashAlgorithm | any): boolean {
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
     return this.#hashAlgorithms.has(ha)
   }
 
@@ -126,6 +129,7 @@ export class _Spec implements _SpecProtocol {
   }
 
   supportsExternalReferenceType (ert: ExternalReferenceType | any): boolean {
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
     return this.#externalReferenceTypes.has(ert)
   }
 
@@ -151,6 +155,7 @@ export class _Spec implements _SpecProtocol {
   }
 
   supportsVulnerabilityRatingMethod (rm: Vulnerability.RatingMethod | any): boolean {
+    /* eslint-disable-next-line @typescript-eslint/no-unsafe-argument */
     return this.#vulnerabilityRatingMethods.has(rm)
   }