Added

• Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering. (#132 via #136)
• CycloneDX spec version 1.4 made element Models.Component.version optional.
  Therefore, serialization/normalization with this spec version will no longer render this element if its value is empty. (via #137, #138)

Fixed

• Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected. (via #134)

Maintenance release.

Dependencies

• Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7. (#130 via #131)

Maintenance release.

Misc

• Use TypeScript v4.7.4 now, was v4.6.4. (via #55)

Dependencies

• Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6. (via #123)

Initial release.

Responsibilities

• Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
• Provide typing for said implementation, so developers and dev-tools can rely on it.
• Provide data models to work with CycloneDX.
• Provide a JSON- and an XML-normalizer, that...
  • supports all shipped data models.
  • respects any injected CycloneDX Specification and generates valid output according to it.
  • can be configured to generate reproducible/deterministic output.
  • can prepare data structures for JSON- and XML-serialization.
• Serialization:
  • Provide a universal JSON-serializer for all target environments.
  • Provide an XML-serializer for all target environments.
  • Support the downstream implementation of custom XML-serializers tailored to specific environments
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.
    This is done, because there is no universal XML support in JavaScript.

Capabilities & Features

• Enums for the following use cases:
  • AttachmentEncoding
  • ComponentScope
  • ComponentType
  • ExternalReferenceType
  • HashAlgorithm
• Data models for the following use cases:
  • Attachment
  • Bom
  • BomRef, BomRefRepository
  • Component, ComponentRepository
  • ExternalReference, ExternalReferenceRepository
  • HashContent, Hash, HashRepository
  • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
  • Metadata
  • OrganizationalContact, OrganizationalContactRepository
  • OrganizationalEntity
  • SWID
  • Tool, ToolRepository
• Factories for the following use cases:
  • Create data models from any license descriptor string
  • Specific to Node.js: create data models from PackageJson-like data structures
• Builders for the following use cases:
  • Specific to Node.js: create deep data models from PackageJson-like data structures
• Implementation of the CycloneDX Specification for the following versions:
  • 1.4
  • 1.3
  • 1.2
• Normalizers that convert data models to JSON structures
• Normalizers that convert data models to XML structures
• Universal serializer that converts Bom data models to JSON string
• Serializer that converts Bom data models to XML string:
  • Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
  • Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
    • xmlbuilder2

• fix: XML normalize scope correctly
• fix: Component.description get picked up from optional properties in constructor
• fix: `Component.supplier in constructor

change

• allow dependency graphs without an entry

changed

• Component builder no longer calculates the purl - use the new factory for that.

Added

• factory that makes a PackageUrl from a Component data model.

added

• FromPackageJson builders and factories

breaking

• Some normalizers method normalizeIter() was reworked to normalizeRepository()
• Most Repository models' static method compareItems() was reworked to non-static method sorted()

Motivation: comparing items was never intended to be a feature of a Repository, but a helper to get a sorted list. This behavior was fixed up.

see #66