@cyclonedx/cyclonedx-library 6.7.2 → 6.8.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "6.7.2",
+  "version": "6.8.0",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [
@@ -43,6 +43,12 @@
     "name": "Jan Kowalleck",
     "url": "https://github.com/jkowalleck"
   },
+  "maintainers": [
+    {
+      "name": "Jan Kowalleck",
+      "url": "https://github.com/jkowalleck"
+    }
+  ],
   "contributors": [
     {
       "name": "Jan Kowalleck",
@@ -55,6 +61,18 @@
     {
       "name": "Peter Wagner",
       "url": "https://github.com/thepwagner"
+    },
+    {
+      "name": "Xavier Maso",
+      "url": "https://github.com/xmasoracle"
+    },
+    {
+      "name": "mLuca",
+      "url": "https://github.com/mLuca"
+    },
+    {
+      "name": " Augustus Kling ",
+      "url": "https://github.com/AugustusKling"
     }
   ],
   "type": "commonjs",
@@ -86,14 +104,15 @@
     "eslint-plugin-editorconfig": "4.0.3",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.29.1",
-    "eslint-plugin-jsdoc": "48.2.2",
+    "eslint-plugin-jsdoc": "48.2.4",
     "eslint-plugin-n": "16.6.2",
     "eslint-plugin-promise": "6.1.1",
-    "eslint-plugin-simple-import-sort": "12.0.0",
+    "eslint-plugin-simple-import-sort": "12.1.0",
     "eslint-plugin-tsdoc": "0.2.17",
     "fast-glob": "^3.3.1",
     "mocha": "10.4.0",
-    "npm-run-all": "^4.1.5",
+    "npm-run-all2": "^5.0.2",
+    "rimraf": "^5.0.7",
     "ts-loader": "9.5.1",
     "typedoc": "^0.25.0",
     "typedoc-plugin-missing-exports": "^2.0.1",
@@ -106,9 +125,52 @@
   "types": "./dist.d/index.node.d.ts",
   "main": "./dist.node/index.node.js",
   "exports": {
-    "types": "./dist.d/index.node.d.ts",
-    "browser": "./dist.web/lib.js",
-    "default": "./dist.node/index.node.js"
+    ".": {
+      "types": "./dist.d/index.node.d.ts",
+      "browser": "./dist.web/lib.js",
+      "default": "./dist.node/index.node.js"
+    },
+    "./package.json": "./package.json",
+    "./Builders": {
+      "types": "./dist.d/builders/index.node.d.ts",
+      "default": "./dist.node/builders/index.node.js"
+    },
+    "./Enums": {
+      "types": "./dist.d/enums/index.d.ts",
+      "default": "./dist.node/enums/index.js"
+    },
+    "./Factories": {
+      "types": "./dist.d/factories/index.node.d.ts",
+      "default": "./dist.node/factories/index.node.js"
+    },
+    "./Models": {
+      "types": "./dist.d/models/index.d.ts",
+      "default": "./dist.node/models/index.js"
+    },
+    "./Serialize": {
+      "types": "./dist.d/serialize/index.node.d.ts",
+      "default": "./dist.node/serialize/index.node.js"
+    },
+    "./SPDX": {
+      "types": "./dist.d/spdx.d.ts",
+      "default": "./dist.node/spdx.js"
+    },
+    "./Spec": {
+      "types": "./dist.d/spec/index.d.ts",
+      "default": "./dist.node/spec/index.js"
+    },
+    "./Types": {
+      "types": "./dist.d/types/index.d.ts",
+      "default": "./dist.node/types/index.js"
+    },
+    "./Utils": {
+      "types": "./dist.d/utils/index.d.ts",
+      "default": "./dist.node/utils/index.js"
+    },
+    "./Validation": {
+      "types": "./dist.d/validation/index.node.d.ts",
+      "default": "./dist.node/validation/index.node.js"
+    }
   },
   "directories": {
     "doc": "./docs",
@@ -122,11 +184,11 @@
     "prepublishOnly": "run-s -lc build test",
     "lint": "tsc --noEmit",
     "build": "run-p --aggregate-output -l build:*",
-    "prebuild:node": "node -r fs -e 'fs.rmSync(\"dist.node\",{recursive:true,force:true})'",
+    "prebuild:node": "rimraf dist.node",
     "build:node": "tsc -b ./tsconfig.node.json",
-    "prebuild:web": "node -r fs -e 'fs.rmSync(\"dist.web\",{recursive:true,force:true})'",
+    "prebuild:web": "rimraf dist.web",
     "build:web": "webpack build",
-    "prebuild:d": "node -r fs -e 'fs.rmSync(\"dist.d\",{recursive:true,force:true})'",
+    "prebuild:d": "rimraf dist.d",
     "build:d": "tsc -b ./tsconfig.d.json",
     "cs-fix": "eslint --fix .",
     "test": "run-p --aggregate-output -lc test:*",

package/src/builders/fromNodePackageJson.node.ts

@@ -28,9 +28,12 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import type { PackageJson } from '../_helpers/packageJson'
 import { splitNameGroup } from '../_helpers/packageJson'
-import * as Enums from '../enums'
+import { ComponentType } from '../enums/componentType'
 import type * as Factories from '../factories/index.node'
-import * as Models from '../models'
+import { Component } from '../models/component'
+import { ExternalReferenceRepository } from '../models/externalReference'
+import { LicenseRepository } from '../models/license'
+import { Tool } from '../models/tool'
 
 /**
  * Node-specific ToolBuilder.
@@ -48,18 +51,18 @@ export class ToolBuilder {
 
   // Current implementation does not return `undefined` yet, but it is an option for future implementation.
   // To prevent future breaking changes, it is declared to return `undefined`.
-  makeTool (data: PackageJson): Models.Tool | undefined {
+  makeTool (data: PackageJson): Tool | undefined {
     const [name, vendor] = typeof data.name === 'string'
       ? splitNameGroup(data.name)
       : []
 
-    return new Models.Tool({
+    return new Tool({
       vendor,
       name,
       version: (typeof data.version === 'string')
         ? data.version
         : undefined,
-      externalReferences: new Models.ExternalReferenceRepository(this.#extRefFactory.makeExternalReferences(data))
+      externalReferences: new ExternalReferenceRepository(this.#extRefFactory.makeExternalReferences(data))
     })
   }
 }
@@ -87,7 +90,7 @@ export class ComponentBuilder {
     return this.#licenseFactory
   }
 
-  makeComponent (data: PackageJson, type: Enums.ComponentType = Enums.ComponentType.Library): Models.Component | undefined {
+  makeComponent (data: PackageJson, type: ComponentType = ComponentType.Library): Component | undefined {
     if (typeof data.name !== 'string') {
       return undefined
     }
@@ -116,7 +119,7 @@ export class ComponentBuilder {
 
     const externalReferences = this.#extRefFactory.makeExternalReferences(data)
 
-    const licenses = new Models.LicenseRepository()
+    const licenses = new LicenseRepository()
     if (typeof data.license === 'string') {
       /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#license */
       licenses.add(this.#licenseFactory.makeFromString(data.license))
@@ -134,10 +137,10 @@ export class ComponentBuilder {
       }
     }
 
-    return new Models.Component(type, name, {
+    return new Component(type, name, {
       author,
       description,
-      externalReferences: new Models.ExternalReferenceRepository(externalReferences),
+      externalReferences: new ExternalReferenceRepository(externalReferences),
       group,
       licenses,
       version

package/src/factories/fromNodePackageJson.node.ts

@@ -31,16 +31,17 @@ import type { PackageURL } from 'packageurl-js'
 import { isNotUndefined } from '../_helpers/notUndefined'
 import type { PackageJson } from '../_helpers/packageJson'
 import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
-import * as Enums from '../enums'
-import * as Models from '../models'
+import { ExternalReferenceType } from '../enums/externalReferenceType'
+import type { Component } from '../models/component'
+import { ExternalReference } from '../models/externalReference'
 import { PackageUrlFactory as PlainPackageUrlFactory } from './packageUrl'
 
 /**
  * Node-specific ExternalReferenceFactory.
  */
 export class ExternalReferenceFactory {
-  makeExternalReferences (data: PackageJson): Models.ExternalReference[] {
-    const refs: Array<Models.ExternalReference | undefined> = []
+  makeExternalReferences (data: PackageJson): ExternalReference[] {
+    const refs: Array<ExternalReference | undefined> = []
 
     try { refs.push(this.makeVcs(data)) } catch { /* pass */ }
     try { refs.push(this.makeHomepage(data)) } catch { /* pass */ }
@@ -49,7 +50,7 @@ export class ExternalReferenceFactory {
     return refs.filter(isNotUndefined)
   }
 
-  makeVcs (data: PackageJson): Models.ExternalReference | undefined {
+  makeVcs (data: PackageJson): ExternalReference | undefined {
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#repositoryc */
     const repository = data.repository
     let url
@@ -67,21 +68,21 @@ export class ExternalReferenceFactory {
       comment = 'as detected from PackageJson property "repository"'
     }
     return typeof url === 'string' && url.length > 0
-      ? new Models.ExternalReference(url, Enums.ExternalReferenceType.VCS, { comment })
+      ? new ExternalReference(url, ExternalReferenceType.VCS, { comment })
       : undefined
   }
 
-  makeHomepage (data: PackageJson): Models.ExternalReference | undefined {
+  makeHomepage (data: PackageJson): ExternalReference | undefined {
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#homepage */
     const url = data.homepage
     return typeof url === 'string' && url.length > 0
-      ? new Models.ExternalReference(
-        url, Enums.ExternalReferenceType.Website,
+      ? new ExternalReference(
+        url, ExternalReferenceType.Website,
         { comment: 'as detected from PackageJson property "homepage"' })
       : undefined
   }
 
-  makeIssueTracker (data: PackageJson): Models.ExternalReference | undefined {
+  makeIssueTracker (data: PackageJson): ExternalReference | undefined {
     /* see https://docs.npmjs.com/cli/v9/configuring-npm/package-json#bugs */
     const bugs = data.bugs
     let url
@@ -94,7 +95,7 @@ export class ExternalReferenceFactory {
       comment = 'as detected from PackageJson property "bugs"'
     }
     return typeof url === 'string' && url.length > 0
-      ? new Models.ExternalReference(url, Enums.ExternalReferenceType.IssueTracker, { comment })
+      ? new ExternalReference(url, ExternalReferenceType.IssueTracker, { comment })
       : undefined
   }
 }
@@ -105,7 +106,7 @@ const npmDefaultRegistryMatcher = /^https?:\/\/registry\.npmjs\.org/
  * Node-specific PackageUrlFactory.
  */
 export class PackageUrlFactory extends PlainPackageUrlFactory {
-  override makeFromComponent (component: Models.Component, sort: boolean = false): PackageURL | undefined {
+  override makeFromComponent (component: Component, sort: boolean = false): PackageURL | undefined {
     const purl = super.makeFromComponent(component, sort)
     return purl === undefined
       ? undefined

package/src/factories/license.ts

@@ -17,8 +17,8 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { DisjunctiveLicense, License } from '../models'
-import { LicenseExpression, NamedLicense, SpdxLicense } from '../models'
+import type { DisjunctiveLicense, License } from '../models/license'
+import { LicenseExpression, NamedLicense, SpdxLicense } from '../models/license'
 import { fixupSpdxId, isValidSpdxLicenseExpression } from '../spdx'
 
 export class LicenseFactory {

package/src/factories/packageUrl.ts

@@ -20,8 +20,8 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import { PackageURL } from 'packageurl-js'
 
 import { PackageUrlQualifierNames } from '../_helpers/packageUrl'
-import { ExternalReferenceType } from '../enums'
-import type { Component } from '../models'
+import { ExternalReferenceType } from '../enums/externalReferenceType'
+import type { Component } from '../models/component'
 
 export class PackageUrlFactory {
   readonly #type: PackageURL['type']

package/src/index.node.ts

@@ -17,6 +17,10 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
+/* REMEMBER:
+ALL non-internal exports in here have to be set as `exports` in `package.json`
+*/
+
 export * from './index.common'
 
 // region node-specifics

package/src/models/attachment.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { Stringable } from '../_helpers/stringable'
-import type { AttachmentEncoding } from '../enums'
+import type { AttachmentEncoding } from '../enums/attachmentEncoding'
 
 export interface OptionalAttachmentProperties {
   contentType?: Attachment['contentType']

package/src/models/bom.ts

@@ -17,11 +17,11 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { PositiveInteger } from '../types'
-import { isPositiveInteger } from '../types'
+import type { PositiveInteger } from '../types/integer'
+import { isPositiveInteger } from '../types/integer'
 import { ComponentRepository } from './component'
 import { Metadata } from './metadata'
-import { VulnerabilityRepository } from './vulnerability'
+import { VulnerabilityRepository } from './vulnerability/vulnerability'
 
 export interface OptionalBomProperties {
   metadata?: Bom['metadata']

package/src/models/component.ts

@@ -24,8 +24,8 @@ import { SortableComparables, SortableStringables } from '../_helpers/sortable'
 import type { Stringable } from '../_helpers/stringable'
 import { treeIteratorSymbol } from '../_helpers/tree'
 import type { ComponentScope, ComponentType } from '../enums'
-import type { CPE } from '../types'
-import { isCPE } from '../types'
+import type { CPE } from '../types/cpe'
+import { isCPE } from '../types/cpe'
 import { BomRef, BomRefRepository } from './bomRef'
 import { ExternalReferenceRepository } from './externalReference'
 import { HashDictionary } from './hash'

package/src/models/externalReference.ts

@@ -19,7 +19,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import type { Comparable } from '../_helpers/sortable'
 import { SortableComparables } from '../_helpers/sortable'
-import type { ExternalReferenceType } from '../enums'
+import type { ExternalReferenceType } from '../enums/externalReferenceType'
 import type { BomLink } from './bomLink'
 import { HashDictionary } from './hash'
 

package/src/models/hash.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { Sortable } from '../_helpers/sortable'
-import type { HashAlgorithm } from '../enums'
+import type { HashAlgorithm } from '../enums/hashAlogorithm'
 
 // no regex for the HashContent in here. It applies at runtime of a normalization/serialization process.
 export type HashContent = string

package/src/models/license.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { Sortable } from '../_helpers/sortable'
-import type { LicenseAcknowledgement } from '../enums'
+import type { LicenseAcknowledgement } from '../enums/licenseAcknowledgement'
 import type { SpdxId } from '../spdx'
 import type { Attachment } from './attachment'
 

package/src/models/lifecycle.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { Comparable, Sortable } from '../_helpers/sortable'
-import type { LifecyclePhase } from '../enums'
+import type { LifecyclePhase } from '../enums/lifecyclePhase'
 
 export interface OptionalNamedLifecycleProperties {
   description?: NamedLifecycle['description']

package/src/models/swid.ts

@@ -17,8 +17,8 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { NonNegativeInteger } from '../types'
-import { isNonNegativeInteger } from '../types'
+import type { NonNegativeInteger } from '../types/integer'
+import { isNonNegativeInteger } from '../types/integer'
 import type { Attachment } from './attachment'
 
 export interface OptionalSWIDProperties {

package/src/models/vulnerability/analysis.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { AnalysisJustification, AnalysisState } from '../../enums/vulnerability'
-import { AnalysisResponseRepository } from '../../enums/vulnerability'
+import { AnalysisResponseRepository } from '../../enums/vulnerability/analysisResponse'
 
 export interface OptionalAnalysisProperties {
   state?: Analysis['state']

package/src/models/vulnerability/vulnerability.ts

@@ -19,7 +19,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import type { Comparable } from '../../_helpers/sortable'
 import { SortableComparables } from '../../_helpers/sortable'
-import { CweRepository } from '../../types'
+import { CweRepository } from '../../types/cwe'
 import { BomRef } from '../bomRef'
 import { PropertyRepository } from '../property'
 import { ToolRepository } from '../tool'

package/src/resources.node.ts

@@ -17,56 +17,56 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import * as path from 'path'
+import { resolve } from 'path'
 
-import { Version } from './spec'
+import { Version } from './spec/enums'
 
 /** @internal */
-export const ROOT = path.resolve(__dirname, '..', 'res')
+export const ROOT = resolve(__dirname, '..', 'res')
 
 /** @internal */
-export const SCHEMA_ROOT = path.resolve(ROOT, 'schema')
+export const SCHEMA_ROOT = resolve(ROOT, 'schema')
 
 /** @internal */
 export const FILES = Object.freeze({
   CDX: Object.freeze({
     XML_SCHEMA: Object.freeze({
-      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.xsd'),
-      [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.xsd'),
-      [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.xsd'),
-      [Version.v1dot3]: path.resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.xsd'),
-      [Version.v1dot2]: path.resolve(SCHEMA_ROOT, 'bom-1.2.SNAPSHOT.xsd'),
-      [Version.v1dot1]: path.resolve(SCHEMA_ROOT, 'bom-1.1.SNAPSHOT.xsd'),
-      [Version.v1dot0]: path.resolve(SCHEMA_ROOT, 'bom-1.0.SNAPSHOT.xsd')
+      [Version.v1dot6]: resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.xsd'),
+      [Version.v1dot5]: resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.xsd'),
+      [Version.v1dot4]: resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.xsd'),
+      [Version.v1dot3]: resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.xsd'),
+      [Version.v1dot2]: resolve(SCHEMA_ROOT, 'bom-1.2.SNAPSHOT.xsd'),
+      [Version.v1dot1]: resolve(SCHEMA_ROOT, 'bom-1.1.SNAPSHOT.xsd'),
+      [Version.v1dot0]: resolve(SCHEMA_ROOT, 'bom-1.0.SNAPSHOT.xsd')
 
     }),
     JSON_SCHEMA: Object.freeze({
-      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
-      [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
-      [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
-      [Version.v1dot3]: path.resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.schema.json'),
-      [Version.v1dot2]: path.resolve(SCHEMA_ROOT, 'bom-1.2.SNAPSHOT.schema.json'),
+      [Version.v1dot6]: resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
+      [Version.v1dot5]: resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
+      [Version.v1dot4]: resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
+      [Version.v1dot3]: resolve(SCHEMA_ROOT, 'bom-1.3.SNAPSHOT.schema.json'),
+      [Version.v1dot2]: resolve(SCHEMA_ROOT, 'bom-1.2.SNAPSHOT.schema.json'),
       // <= v1.1 is not defined in JSON
       [Version.v1dot1]: undefined,
       [Version.v1dot0]: undefined
     }),
     JSON_STRICT_SCHEMA: Object.freeze({
-      [Version.v1dot6]: path.resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
-      [Version.v1dot5]: path.resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
-      [Version.v1dot4]: path.resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
+      [Version.v1dot6]: resolve(SCHEMA_ROOT, 'bom-1.6.SNAPSHOT.schema.json'),
+      [Version.v1dot5]: resolve(SCHEMA_ROOT, 'bom-1.5.SNAPSHOT.schema.json'),
+      [Version.v1dot4]: resolve(SCHEMA_ROOT, 'bom-1.4.SNAPSHOT.schema.json'),
       // <= 1.3 need special files
-      [Version.v1dot3]: path.resolve(SCHEMA_ROOT, 'bom-1.3-strict.SNAPSHOT.schema.json'),
-      [Version.v1dot2]: path.resolve(SCHEMA_ROOT, 'bom-1.2-strict.SNAPSHOT.schema.json'),
+      [Version.v1dot3]: resolve(SCHEMA_ROOT, 'bom-1.3-strict.SNAPSHOT.schema.json'),
+      [Version.v1dot2]: resolve(SCHEMA_ROOT, 'bom-1.2-strict.SNAPSHOT.schema.json'),
       // <= v1.1 is not defined in JSON
       [Version.v1dot1]: undefined,
       [Version.v1dot0]: undefined
     })
   }),
   SPDX: Object.freeze({
-    XML_SCHEMA: path.resolve(SCHEMA_ROOT, 'spdx.SNAPSHOT.xsd'),
-    JSON_SCHEMA: path.resolve(SCHEMA_ROOT, 'spdx.SNAPSHOT.schema.json')
+    XML_SCHEMA: resolve(SCHEMA_ROOT, 'spdx.SNAPSHOT.xsd'),
+    JSON_SCHEMA: resolve(SCHEMA_ROOT, 'spdx.SNAPSHOT.schema.json')
   }),
   JSF: Object.freeze({
-    JSON_SCHEMA: path.resolve(SCHEMA_ROOT, 'jsf-0.82.SNAPSHOT.schema.json')
+    JSON_SCHEMA: resolve(SCHEMA_ROOT, 'jsf-0.82.SNAPSHOT.schema.json')
   })
 })

package/src/serialize/json/normalize.ts

@@ -22,10 +22,13 @@ import type { SortableIterable } from '../../_helpers/sortable'
 import type { Stringable } from '../../_helpers/stringable'
 import { treeIteratorSymbol } from '../../_helpers/tree'
 import { escapeUri } from '../../_helpers/uri'
-import * as Models from '../../models'
+import type * as Models from '../../models'
+import { LicenseExpression, NamedLicense, SpdxLicense } from '../../models/license'
+import { NamedLifecycle } from '../../models/lifecycle'
+import { AffectedSingleVersion, AffectedVersionRange } from '../../models/vulnerability/affect'
 import { isSupportedSpdxId } from '../../spdx'
-import { Version as SpecVersion } from '../../spec'
 import type { _SpecProtocol as Spec } from '../../spec/_protocol'
+import { Version as SpecVersion } from '../../spec/enums'
 import type { NormalizerOptions } from '../types'
 import type { Normalized } from './types'
 import { JsonSchema } from './types'
@@ -237,7 +240,7 @@ export class MetadataNormalizer extends BaseJsonNormalizer<Models.Metadata> {
 
 export class LifecycleNormalizer extends BaseJsonNormalizer<Models.Lifecycle> {
   normalize (data: Models.Lifecycle, options: NormalizerOptions): Normalized.Lifecycle {
-    return data instanceof Models.NamedLifecycle
+    return data instanceof NamedLifecycle
       ? { name: data.name, description: data.description }
       : { phase: data }
   }
@@ -427,17 +430,17 @@ export class ComponentEvidenceNormalizer extends BaseJsonNormalizer<Models.Compo
 export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
   normalize (data: Models.License, options: NormalizerOptions): Normalized.License {
     switch (true) {
-      case data instanceof Models.NamedLicense:
+      case data instanceof NamedLicense:
         return this.#normalizeNamedLicense(data, options)
-      case data instanceof Models.SpdxLicense:
+      case data instanceof SpdxLicense:
         return isSupportedSpdxId(data.id)
           ? this.#normalizeSpdxLicense(data, options)
-          : this.#normalizeNamedLicense(new Models.NamedLicense(
+          : this.#normalizeNamedLicense(new NamedLicense(
             // prevent information loss -> convert to broader type
             data.id,
             { url: data.url }
           ), options)
-      case data instanceof Models.LicenseExpression:
+      case data instanceof LicenseExpression:
         return this.#normalizeLicenseExpression(data)
       /* c8 ignore start */
       default:
@@ -501,7 +504,7 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
       : Array.from(data)
 
     if (licenses.length > 1) {
-      const expressions = licenses.filter(l => l instanceof Models.LicenseExpression) as Models.LicenseExpression[]
+      const expressions = licenses.filter(l => l instanceof LicenseExpression) as Models.LicenseExpression[]
       if (expressions.length > 0) {
         // could have thrown {@link RangeError} when there is more than one only {@link Models.LicenseExpression | LicenseExpression}.
         // but let's be graceful and just normalize to the most relevant choice: any expression
@@ -805,9 +808,9 @@ export class VulnerabilityAffectNormalizer extends BaseJsonNormalizer<Models.Vul
 export class VulnerabilityAffectedVersionNormalizer extends BaseJsonNormalizer<Models.Vulnerability.AffectedVersion> {
   normalize (data: Models.Vulnerability.AffectedVersion, options: NormalizerOptions): Normalized.Vulnerability.AffectedVersion | undefined {
     switch (true) {
-      case data instanceof Models.Vulnerability.AffectedSingleVersion:
+      case data instanceof AffectedSingleVersion:
         return this.#normalizeAffectedSingleVersion(data)
-      case data instanceof Models.Vulnerability.AffectedVersionRange:
+      case data instanceof AffectedVersionRange:
         return this.#normalizeAffectedVersionRange(data)
       /* c8 ignore start */
       default:

package/src/serialize/jsonSerializer.ts

@@ -17,8 +17,9 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { Bom } from '../models'
-import { Format, UnsupportedFormatError } from '../spec'
+import type { Bom } from '../models/bom'
+import { Format } from '../spec/enums'
+import { UnsupportedFormatError } from '../spec/errors'
 import { BaseSerializer } from './baseSerializer'
 import type { Factory as NormalizerFactory } from './json/normalize'
 import type { Normalized } from './json/types'