@cyclonedx/cyclonedx-library 6.4.2 → 6.5.0

package/src/enums/componentType.ts

@@ -30,4 +30,5 @@ export enum ComponentType {
   File = 'file',
   MachineLearningModel = 'machine-learning-model',
   Data = 'data',
+  CryptographicAsset = 'cryptographic-asset',
 }

package/src/enums/externalReferenceType.ts

@@ -28,6 +28,7 @@ export enum ExternalReferenceType {
   Chat = 'chat',
   Documentation = 'documentation',
   Support = 'support',
+  SourceDistribution = 'source-distribution',
   Distribution = 'distribution',
   DistributionIntake = 'distribution-intake',
   License = 'license',
@@ -56,5 +57,11 @@ export enum ExternalReferenceType {
   CodifiedInfrastructure = 'codified-infrastructure',
   QualityMetrics = 'quality-metrics',
   POAM = 'poam',
+  ElectronicSignature = 'electronic-signature',
+  DigitalSignature = 'digital-signature',
+  RFC9116 = 'rfc-9116',
+
+  // --
+
   Other = 'other',
 }

package/src/enums/vulnerability/ratingMethod.ts

@@ -33,6 +33,9 @@ export enum RatingMethod {
   OWASP = 'OWASP',
   /** SSVC - [Stakeholder Specific Vulnerability Categorization](https://github.com/CERTCC/SSVC) (all versions) */
   SSVC = 'SSVC',
+
+  // --
+
   /** any other */
   Other = 'other',
 }

package/src/resources.node.ts

@@ -31,6 +31,7 @@ export const SCHEMA_ROOT = path.resolve(ROOT, 'schema')
 export const FILES = Object.freeze({
   CDX: Object.freeze({
     XML_SCHEMA: Object.freeze({
+      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.xsd'),
       [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.xsd'),
       [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.xsd'),
       [Version.v1dot3]: path.resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.xsd'),
@@ -40,6 +41,7 @@ export const FILES = Object.freeze({
 
     }),
     JSON_SCHEMA: Object.freeze({
+      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
       [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
       [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
       [Version.v1dot3]: path.resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.schema.json'),
@@ -49,7 +51,7 @@ export const FILES = Object.freeze({
       [Version.v1dot0]: undefined
     }),
     JSON_STRICT_SCHEMA: Object.freeze({
-      // >= v1.4 is already strict - no special file here
+      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
       [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
       [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
       // <= 1.3 need special files

package/src/serialize/json/normalize.ts

@@ -139,6 +139,7 @@ export class Factory {
 }
 
 const schemaUrl: ReadonlyMap<SpecVersion, string> = new Map([
+  [SpecVersion.v1dot6, 'http://cyclonedx.org/schema/bom-1.6.schema.json'],
   [SpecVersion.v1dot5, 'http://cyclonedx.org/schema/bom-1.5.schema.json'],
   [SpecVersion.v1dot4, 'http://cyclonedx.org/schema/bom-1.4.schema.json'],
   [SpecVersion.v1dot3, 'http://cyclonedx.org/schema/bom-1.3a.schema.json'],

package/src/serialize/xml/normalize.ts

@@ -139,6 +139,7 @@ export class Factory {
 }
 
 const xmlNamespace: ReadonlyMap<SpecVersion, string> = new Map([
+  [SpecVersion.v1dot6, 'http://cyclonedx.org/schema/bom/1.6'],
   [SpecVersion.v1dot5, 'http://cyclonedx.org/schema/bom/1.5'],
   [SpecVersion.v1dot4, 'http://cyclonedx.org/schema/bom/1.4'],
   [SpecVersion.v1dot3, 'http://cyclonedx.org/schema/bom/1.3'],

package/src/spec/consts.ts

@@ -313,7 +313,112 @@ export const Spec1dot5: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true
 ))
 
+/** Specification v1.6 */
+export const Spec1dot6: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
+  // @TODO
+  Version.v1dot6,
+  [
+    Format.XML,
+    Format.JSON
+  ],
+  [
+    ComponentType.Application,
+    ComponentType.Framework,
+    ComponentType.Library,
+    ComponentType.Container,
+    ComponentType.Platform,
+    ComponentType.OperatingSystem,
+    ComponentType.Device,
+    ComponentType.DeviceDriver,
+    ComponentType.Firmware,
+    ComponentType.File,
+    ComponentType.MachineLearningModel,
+    ComponentType.Data,
+    ComponentType.CryptographicAsset
+  ],
+  [
+    HashAlgorithm.MD5,
+    HashAlgorithm['SHA-1'],
+    HashAlgorithm['SHA-256'],
+    HashAlgorithm['SHA-384'],
+    HashAlgorithm['SHA-512'],
+    HashAlgorithm['SHA3-256'],
+    HashAlgorithm['SHA3-384'],
+    HashAlgorithm['SHA3-512'],
+    HashAlgorithm['BLAKE2b-256'],
+    HashAlgorithm['BLAKE2b-384'],
+    HashAlgorithm['BLAKE2b-512'],
+    HashAlgorithm.BLAKE3
+  ],
+  /^([a-fA-F0-9]{32})$|^([a-fA-F0-9]{40})$|^([a-fA-F0-9]{64})$|^([a-fA-F0-9]{96})$|^([a-fA-F0-9]{128})$/,
+  [
+    ExternalReferenceType.VCS,
+    ExternalReferenceType.IssueTracker,
+    ExternalReferenceType.Website,
+    ExternalReferenceType.Advisories,
+    ExternalReferenceType.BOM,
+    ExternalReferenceType.MailingList,
+    ExternalReferenceType.Social,
+    ExternalReferenceType.Chat,
+    ExternalReferenceType.Documentation,
+    ExternalReferenceType.Support,
+    ExternalReferenceType.SourceDistribution,
+    ExternalReferenceType.Distribution,
+    ExternalReferenceType.DistributionIntake,
+    ExternalReferenceType.License,
+    ExternalReferenceType.BuildMeta,
+    ExternalReferenceType.BuildSystem,
+    ExternalReferenceType.ReleaseNotes,
+    ExternalReferenceType.SecurityContact,
+    ExternalReferenceType.ModelCard,
+    ExternalReferenceType.Log,
+    ExternalReferenceType.Configuration,
+    ExternalReferenceType.Evidence,
+    ExternalReferenceType.Formulation,
+    ExternalReferenceType.Attestation,
+    ExternalReferenceType.ThreatModel,
+    ExternalReferenceType.AdversaryModel,
+    ExternalReferenceType.RiskAssessment,
+    ExternalReferenceType.VulnerabilityAssertion,
+    ExternalReferenceType.ExploitabilityStatement,
+    ExternalReferenceType.PentestReport,
+    ExternalReferenceType.StaticAnalysisReport,
+    ExternalReferenceType.DynamicAnalysisReport,
+    ExternalReferenceType.RuntimeAnalysisReport,
+    ExternalReferenceType.ComponentAnalysisReport,
+    ExternalReferenceType.MaturityReport,
+    ExternalReferenceType.CertificationReport,
+    ExternalReferenceType.CodifiedInfrastructure,
+    ExternalReferenceType.QualityMetrics,
+    ExternalReferenceType.POAM,
+    ExternalReferenceType.ElectronicSignature,
+    ExternalReferenceType.DigitalSignature,
+    ExternalReferenceType.RFC9116,
+    ExternalReferenceType.Other
+  ],
+  true,
+  true,
+  false,
+  true,
+  true,
+  [
+    Vulnerability.RatingMethod.CVSSv2,
+    Vulnerability.RatingMethod.CVSSv3,
+    Vulnerability.RatingMethod.CVSSv31,
+    Vulnerability.RatingMethod.CVSSv4,
+    Vulnerability.RatingMethod.OWASP,
+    Vulnerability.RatingMethod.SSVC,
+    Vulnerability.RatingMethod.Other
+  ],
+  true,
+  true,
+  true,
+  true,
+  true
+))
+
 export const SpecVersionDict: Readonly<Partial<Record<Version, Readonly<_SpecProtocol>>>> = Object.freeze({
+  [Version.v1dot6]: Spec1dot6,
   [Version.v1dot5]: Spec1dot5,
   [Version.v1dot4]: Spec1dot4,
   [Version.v1dot3]: Spec1dot3,

package/src/spec/enums.ts

@@ -18,6 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 export enum Version {
+  v1dot6 = '1.6',
   v1dot5 = '1.5',
   v1dot4 = '1.4',
   v1dot3 = '1.3',

package/tsconfig.json

@@ -48,6 +48,7 @@
     "declaration": false,                              /* Generate .d.ts files from TypeScript and JavaScript files in your project. */
     // "declarationMap": true,                           /* Create sourcemaps for d.ts files. */
     // "emitDeclarationOnly": true,                      /* Only output d.ts files and not JavaScript files. */
+    // ! for downstream developer experience we ship the sources and complete maps, to make debugging easier.
     "sourceMap": true,                                /* Create source map files for emitted JavaScript files. */
     // "outFile": "./",                                  /* Specify a file that bundles all outputs into one JavaScript file. If `declaration` is true, also designates a file that bundles all .d.ts output. */
     // "outDir": "./dist/",                                   /* Specify an output folder for all emitted files. */