All notable changes to this project will be documented in this file.

- Build
  - Use webpack `v5.96.1` now, was `v5.95.0` (via #1159)

- Fixed
  - Improved URL sanitizer (via #1121)
- Build
  - Use webpack `v5.93.0` now, was `v5.92.1` (via #1122)

- Changed
  - Existing `Serialize.XmlSerializer.serialize()` for Node.js may throw `Serialize.MissingOptionalDependencyError` (via #1084)
    This is considered a non-breaking change, as the docs always stated that any `Error` may be thrown.
  - Improved the verbose error messages when a functionality failed due to absence of an optional/pluggable dependency.
- Added
  - New class `Serialize.MissingOptionalDependencyError` (via #1084)

Maintenance release.

- Changed
  - Updated SPDX license list to `v3.24.0` (via #1077)

- Fixed
  - Added `Factories.PackageUrlFactory`'s generic type's default back in (via #1076)

- Refactor
  - Ease internal tree shaking (via #1066)

- Changed
  - Reverted v6.7.0, back to v6.6.1
    Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

!! THIS VERSION GOT YANKED !!
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7
- Dependencies
  - Bumped the range of optional requirement `ajv-formats` to `^3.0.1`, was `^2.1.1` (via #1037)
    This should fix JSON-validation for time/date.

Added support for CycloneDX Specification-1.6.

- Added
  - Existing `Enums` got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
    - `Enums.ComponentType.CryptographicAsset`
    - `Enums.ExternalReferenceType.SourceDistribution`
    - `Enums.ExternalReferenceType.ElectronicSignature`
    - `Enums.ExternalReferenceType.DigitalSignature`
    - `Enums.ExternalReferenceType.RFC9116`
  - Namespace `Spec` was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
    - New const `Spec.Spec1dot6`
    - New enum member `Spec.Version.v1dot6`
- Build
  - Use TypeScript `v5.4.5` now, was `v5.4.3` (via #1040)

- Documentation
  - Rendered (API) docs are hosted on readthedocs (#1027 via #1028)
- Build
  - Use TypeScript `v5.4.2` now, was `v5.3.3` (via #1021)

Maintenance release.

- Dependencies
  - Widened optional dependency `libxmljs2@^0.31||^0.32||^0.33`, was `@^0.31||^0.32` (via #1001)
- Fixed
  - Possible bug in XML serialization of undefined children (via #1000)
- Build
  - Use TypeScript `v5.3.3` now, was `v5.3.2` (via #999)
Maintenance release.

Maintenance release.

- Build
  - Use TypeScript `v5.2.2` now, was `v5.1.6` (via #966)

- BREAKING
  - Interface `Spec.Protocol` now defines new mandatory methods (via #946)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
- Added
  - New enum `Enums.Lifecycle` with corresponding values from CycloneDX Specification-1.5 (#937 via #946)
  - New class `Models.NamedLifecycle` (#937 via #946)
  - New class `Models.LifecycleRepository` (#937 via #946)
  - Class `Models.Metadata` got a new property `lifecycles` (#937 via #946)
  - Serializers and `Metadata`-Normalizers will take `Models.Metadata.lifecycles` into account (#937 via #946)
- Build
  - Use webpack `v5.88.2` now, was `v5.88.1` (via #933)

- BREAKING
  - Usage of this library in web browsers might no longer work out of the box (via #880)
    It might require a bundler/packer for web; see the `examples/web/`.
    This is only a breaking change if you used this library in a web browser.
Added support for CycloneDX Specification-1.5.
Added functionality regarding CycloneDX BOM-Link.

- BREAKING
  - Interface `Spec.Protocol` now defines new mandatory methods (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.

- BREAKING
  - Interface `Spec.Protocol` now defines a new mandatory method `supportsVulnerabilityRatingMethod()` (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
- Changed
  - Namespace `Models`
  - Namespace `Serialize.{JSON,XML}.Normalize`
  - Namespace `Validation`
- Added
  - Namespace `Enums`
    - Enum `ComponentType` got new members (#505 via #843)
      New: `Data`, `DeviceDriver`, `MachineLearningModel`, `Platform`
    - Enum `ExternalReferenceType` got new members (#505 via #843)
      New: `AdversaryModel`, `Attestation`, `CertificationReport`, `CodifiedInfrastructure`, `ComponentAnalysisReport`, `Configuration`, `DistributionIntake`, `DynamicAnalysisReport`, `Evidence`, `ExploitabilityStatement`, `Formulation`, `Log`, `MaturityReport`, `ModelCard`, `POAM`, `PentestReport`, `QualityMetrics`, `RiskAssessment`, `RuntimeAnalysisReport`, `SecurityContact`, `StaticAnalysisReport`, `ThreatModel`, `VulnerabilityAssertion`
    - Enum `Vulnerability.RatingMethod` got new members (#505 via #843)
      New: `CVSSv4`, `SSVC`
  - Namespace `Models`
  - Namespace `Spec`
    - Enum `Version` got new member `v1dot5` to reflect CycloneDX Specification-1.5 (#505 via #843)
    - Constant `SpecVersionDict` got a new entry to reflect CycloneDX Specification-1.5 (#505 via #843)
    - New constant `Spec1dot5` to reflect CycloneDX Specification-1.5 (#505 via #843)
    - Constants `Spec1dot{2,3,4}` got a new method `supportsVulnerabilityRatingMethod()` (via #843)
    - Interface `Protocol` has a new method `supportsVulnerabilityRatingMethod()` (via #843)

- Changed
  - Classes `Serialize.Xml.Normalize.Vulnerability*Normalizer` are now publicly available (via #816)
    Previously, only instances were available via `Serialize.Xml.Normalize.Factory.makeForVulnerability*()`.
Improved license detection.
Finished `Vulnerability` capabilities.
Added `ComponentEvidence` capabilities.

- BREAKING
  - Method `Factories.LicenseFactory.makeFromString()` was changed in its behavior (#271, #530 via #547)
    It will try to create `Models.SpdxLicense` if the value is eligible, else try to create `Models.LicenseExpression` if the value is eligible, else fall back to `Models.NamedLicense`.
  - Revisited sort and compare:
    - Methods `Models.*.compare()` may return different numbers than before.
    - Methods `Models.*.sorted()` may return different orders than before.
  - Removed deprecated symbols (#747 via #752)
- Misc
  - Internal rework, modernization, refactoring
- BREAKING
  - Class `Factories.LicenseFactory` was modified
  - Class `Models.LicenseExpression` was modified
    - Removed static function `isEligibleExpression()` (via #547)
      Use `Spdx.isValidSpdxLicenseExpression()` instead.
    - Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeExpression()` to mimic the previous behavior.
    - Property `expression` setter no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeExpression()` to mimic the previous behavior.
  - Class `Models.SpdxLicense` was modified
    - Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeSpdxLicense()` to mimic the previous behavior.
    - Property `id` setter no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeSpdxLicense()` to mimic the previous behavior.
  - Interface `Spec.Protocol` now defines a new mandatory property `supportsComponentEvidence: boolean` (via #753)
  - Interface `Spec.Protocol` now defines a new mandatory property `supportsVulnerabilities: boolean` (via #722)
  - Removed deprecated symbols (#747 via #752)
    - Namespaces `{Builders,Factories}.FromPackageJson` were removed.
      You may use `{Builders,Factories}.FromNodePackageJson` instead.
    - Class `Models.HashRepository` was removed.
      You may use `Models.HashDictionary` instead.
    - Methods `Serialize.{Json,Xml}.Normalize.*.normalizeRepository()` were removed.
      You may use `Serialize.{Json,Xml}.Normalize.*.normalizeIterable()` instead.
    - Type alias `Types.UrnUuid` was removed.
      You may use `string` instead.
    - Type predicate `Types.isUrnUuid()` was removed.
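The `makeFromString()` fallback chain and the strict `makeSpdxLicense()`/`makeExpression()` behaviour described in the two BREAKING blocks above, as an added example that is not the library's own code: a self-contained stand-in in which the full SPDX license list and `spdx-expression-parse` are replaced by a constructed id subset and a minimal expression checker (both assumptions), so it runs without the library installed.

```javascript
// Added example, not the library's code: a stand-in for the
// Factories.LicenseFactory.makeFromString() fallback chain.
// Assumption: the real SPDX license list is replaced by this constructed subset.
const SPDX_LICENSE_IDS = new Set(['MIT', 'Apache-2.0', 'BSD-3-Clause', 'GPL-2.0-only', 'GPL-2.0-or-later']);
const SPDX_EXCEPTION_IDS = new Set(['Classpath-exception-2.0', 'LLVM-exception']);

function isSpdxLicenseId(value) {
  return SPDX_LICENSE_IDS.has(value); // case-sensitive in this stand-in (assumption)
}

// Minimal stand-in for spdx-expression-parse: accepts id, id+, "id WITH exception",
// AND/OR chains and parentheses; rejects anything else (dangling operators, unbalanced parens).
function isValidSpdxExpression(value) {
  const tokens = value.replace(/[()]/g, ' $& ').trim().split(/\s+/);
  if (tokens[0] === '') return false;
  let i = 0;
  function simple() {
    if (tokens[i] === '(') {
      i++;
      if (!expr() || tokens[i] !== ')') return false;
      i++;
      return true;
    }
    const id = tokens[i++];
    if (id === undefined) return false;
    if (!SPDX_LICENSE_IDS.has(id.endsWith('+') ? id.slice(0, -1) : id)) return false;
    if (tokens[i] === 'WITH') {
      i++;
      return SPDX_EXCEPTION_IDS.has(tokens[i++]);
    }
    return true;
  }
  function expr() {
    if (!simple()) return false;
    while (tokens[i] === 'AND' || tokens[i] === 'OR') {
      i++;
      if (!simple()) return false;
    }
    return true;
  }
  return expr() && i === tokens.length;
}

// Strict constructors: they throw on ineligible input, mimicking the previous
// throwing behaviour that the changelog says makeSpdxLicense()/makeExpression() keep.
function makeSpdxLicense(value) {
  if (!isSpdxLicenseId(value)) throw new RangeError(`not an SPDX license id: ${value}`);
  return { kind: 'SpdxLicense', id: value };
}
function makeExpression(value) {
  if (!isValidSpdxExpression(value)) throw new RangeError(`not a valid SPDX expression: ${value}`);
  return { kind: 'LicenseExpression', expression: value };
}

// The fallback chain. Order matters: a bare id such as "MIT" is also a valid
// expression, so it must be tested as an SPDX id first to become SpdxLicense.
function makeFromString(value) {
  const v = value.trim();
  if (isSpdxLicenseId(v)) return makeSpdxLicense(v);
  if (isValidSpdxExpression(v)) return makeExpression(v);
  return { kind: 'NamedLicense', name: v }; // never throws: anything else is a named license
}
```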
- Changed
  - Class `Models.Attachment` was modified
  - Class `Models.Component` was modified
  - Class `Models.Vulnerability.Credits` was modified
    - Property `organizations` is no longer optional (via #722)
      This collection (`Set`) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
    - Property `individuals` is no longer optional (via #722)
      This collection (`Set`) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
- Added
  - Namespace `Models` was enhanced
    - Class `Component` was enhanced
    - New class `ComponentEvidence` (#516 via #753)
    - Namespace `Vulnerability` was enhanced
      - Class `Advisory` was enhanced: new method `compare()` (via #722)
      - Class `AdvisoryRepository` was enhanced
      - Class `Affect` was enhanced: new method `compare()` (via #722)
      - Class `AffectRepository` was enhanced
      - Class `AffectedSingleVersion` was enhanced: new method `compare()` (via #722)
      - Class `AffectedVersionRange` was enhanced: new method `compare()` (via #722)
      - Class `AffectedVersionRepository` was enhanced
      - Class `Rating` was enhanced: new method `compare()` (via #722)
      - Class `RatingRepository` was enhanced
      - Class `Reference` was enhanced: new method `compare()` (via #722)
      - Class `ReferenceRepository` was enhanced
      - Class `Source` was enhanced: new method `compare()` (via #722)
      - Class `Vulnerability` was enhanced: new method `compare()` (via #722)
      - Class `VulnerabilityRepository` was enhanced
  - Namespaces `Serialize.{Json,Xml}.Normalize` were enhanced
    - Class `Factory` was enhanced
      - New method `makeForComponentEvidence()` (#516 via #753)
      - New methods `makeForVulnerability()`, `makeForVulnerabilitySource()`, `makeForVulnerabilityReference()`, `makeForVulnerabilityRating()`, `makeForVulnerabilityAdvisory()`, `makeForVulnerabilityCredits()`, `makeForVulnerabilityAffect()`, `makeForVulnerabilityAffectedVersion()`, `makeForVulnerabilityAnalysis()` (#164 via #722)
    - New class `ComponentEvidenceNormalizer` (#516 via #753)
    - Class `OrganizationalEntityNormalizer` was enhanced
      - New method `normalizeIterable()` (via #722)
    - New classes `VulnerabilityNormalizer`, `VulnerabilityAdvisoryNormalizer`, `VulnerabilityAffectNormalizer`, `VulnerabilityAffectedVersionNormalizer`, `VulnerabilityAnalysisNormalizer`, `VulnerabilityCreditsNormalizer`, `VulnerabilityRatingNormalizer`, `VulnerabilityReferenceNormalizer`, `VulnerabilitySourceNormalizer` (#164 via #722)
  - Namespace `Spec`
  - Namespace `Spdx` was enhanced
- Misc
  - Added dependency `spdx-expression-parse@^3.0.1` (via #547)
- Added
  - Formal validators for JSON string and XML string (#620 via #652, #691)
    Currently available only for Node.js. Requires optional dependencies.
    - Related new validator classes: `Validation.JsonValidator`, `Validation.JsonStrictValidator`, `Validation.XmlValidator`
    - Related new error classes: `Validation.NotImplementedError`, `Validation.MissingOptionalDependencyError`

- Fixed
  - Docs: Fixed link to CycloneDX-specification in README (via #617)

- Changed
  - Property `Models.Bom.serialNumber` is of type `string`, was type-aliased `Types.UrnUuid = string` (#588 via #597)
    Also, the setter no longer throws exceptions, since no string format is illegal.
    This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
- Added
  - Published generator for BOM's SerialNumber: `Utils.BomUtility.randomSerialNumber()` (#588 via #597)
    The code was donated from cyclonedx-node-npm.
- Fixed
  - Digesting this library in a TypeScript build with ECMAScript-module output works as expected, now (via #596)
- Docs
  - Development-docs are no longer packed with releases (via #572)
- Misc
  - Added more integration tests in CI (via #596)

Maintenance release.
- Docs
  - Made it clear, that `{Builders,Factories}.{FromNodePackageJson,FromPackageJson}.*` functionality is to be run on already normalized structures (#517 via #518)
    Normalization should be done downstream, for example via `normalize-package-data`.
- Added
  - New vulnerability-related enums were added in a new namespace `Enums.Vulnerability` (#164 via #419)
    Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
    - `AffectStatus`
    - `AnalysisJustification`
    - `AnalysisResponse`
    - `AnalysisState`
    - `RatingMethod`
    - `Severity`
  - New vulnerability-related models were added in a new namespace `Models.Vulnerability` (#164 via #419)
    Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
    Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
    - `Advisory`, `AdvisoryRepository`
    - `Affect`, `AffectRepository`, `AffectedSingleVersion`, `AffectedVersionRange`, `AffectedVersionRepository`
    - `Analysis`
    - `Credits`
    - `Rating`, `RatingRepository`
    - `Reference`, `ReferenceRepository`
    - `Source`
    - `Vulnerability`, `VulnerabilityRepository`
  - New class `Models.OrganizationalEntityRepository` to represent a collection of `Models.OrganizationalEntity` (via #419)
    Additionally, `Models.OrganizationalEntity.compare()` was implemented.
  - New types and related functionality for the Common Weakness Enumeration (CWE) were added (via #419)
    Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
    - type `Types.CWE`
    - runtime validation `Types.isCWE()`
    - class `Types.CweRepository`
- Build
  - Use TypeScript `v4.9.5` now, was `v4.9.4` (via #463)
- Misc
  - Added tests for internal helpers (via #454)
  - Use `[email protected]` now, was `33.0.0` (via #460)
- Fixed
  - XML serializer now properly throws `UnsupportedFormatError` if it is unsupported by the supplied Spec (via #438)
- Misc
  - Added tests for internal helpers (via #431)
  - Added more internal sortable data types (via #165)
  - Fixed type hints in internals (via #432)
  - Fixed type refs and links in doc-strings (via #437)
  - Slightly improved performance of compare methods when reproducible results were needed (via #433)
  - Use `[email protected]` now, was `23.0.0` (via #382, #423, #445)

Maintenance release.

- Docs
  - Fix CI/CT shield (badges/shields#8671 via #371)

Maintenance release.

- Build
  - Use TypeScript `v4.9.4` now, was `v4.9.3` (via #360)

- Changed
  - Widened the accepted types for the first parameter of all `normalizeIterable` methods (via #317)
- Build
  - Use TypeScript `v4.9.3` now, was `v4.8.4` (via #335)

- Changed
  - Removed synthetic default imports in TypeScript sources (via #243)
    The resulting JavaScript did not change in functionality.
    Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with `allowSyntheticDefaultImports` enabled.
- Added
  - Documentation and example regarding dependency tree modelling were added in multiple places (via #250)

- Deprecated
  - The normalizer methods `normalizeRepository` will be known as `normalizeIterable` (via #230)

- Deprecated
  - The class `HashRepository` will be known as `HashDictionary` (via #229)
Maintenance release.

- Build
  - Use TypeScript `v4.8.3` now, was `v4.8.2` (via #212)

Maintenance release.

- Misc
  - Style: imports are sorted, now (via #208)

- Dependencies
  - Widened the range of requirement `packageurl-js` to `>=0.0.6 <0.0.8 || ^1`, was `>=0.0.6 <0.0.8` (via #210)

- Build
  - Use TypeScript `v4.8.2` now, was `v4.7.4` (via #190)

- Fixed
  - `Factories.PackageUrlFactory` omits empty-string URLs for PackageUrl's qualifiers `download_url` & `vcs_url` (via #180)
- Misc
  - Style: improved readability of constructor parameter types (via #166)

- Fixed
  - JSON- and XML-Normalizer no longer render `Models.Component.properties` with CycloneDX Specification-1.2 (#152 via #153)
  - XML-Normalizer now has the correct order/position of rendered `Models.Component.properties` (via #153)

- Changed
  - Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation (via #150)
  - Use SPDX license enumeration from version 9b04a94 of CycloneDX specification (via #150)

- Build
  - Use webpack `v5.74.0` now, was `v5.73.0` (via #141)

- Added
  - New getters/properties that represent the corresponding parameters of the class constructor (via #145)
    - `Builders.FromPackageJson.ComponentBuilder.extRefFactory`, `Builders.FromPackageJson.ComponentBuilder.licenseFactory`
    - `Builders.FromPackageJson.ToolBuilder.extRefFactory`
    - `Factories.PackageUrlFactory.type`
    - `Serialize.BomRefDiscriminator.prefix`
    - `Serialize.JsonSerializer.normalizerFactory`
    - `Serialize.XmlBaseSerializer.normalizerFactory`, `Serialize.XmlSerializer.normalizerFactory`
  - Factory for `PackageURL` from `Models.Component` can handle additional data sources, now (via #146)
    - `Models.Component.hashes` map -> `PackageURL.qualifiers.checksum` list
    - `Models.Component.externalReferences[distribution].url` -> `PackageURL.qualifiers.download_url`
  - Method `Factories.PackageUrlFactory.makeFromComponent()` got a new optional parameter `sort`, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
    This feature switch is related to reproducible builds.
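The data-source mapping above together with the fix via #180, as an added example that is not the library's own code: a self-contained stand-in for `makeFromComponent()` run on a constructed component, showing hashes becoming the `checksum` qualifier, the distribution URL becoming `download_url`, empty-string `download_url`/`vcs_url` values being dropped, and the `sort` switch yielding reproducible output. The purl string is assembled by hand in purl-spec layout rather than via `packageurl-js`, an assumption of this stand-in.

```javascript
// Added example, not the library's code: a stand-in for
// Factories.PackageUrlFactory.makeFromComponent() showing the data-source mapping.
// Assumption: the purl string is built by hand in purl-spec layout
// (pkg:type/namespace/name@version?qualifiers) instead of via packageurl-js.

// Constructed component; field names follow the changelog, values are made up.
const sampleComponent = {
  name: '@example/widget',
  version: '1.2.3',
  hashes: new Map([
    ['SHA-256', 'ab12'.repeat(16)],                 // constructed digest
    ['MD5', 'd41d8cd98f00b204e9800998ecf8427e'],
  ]),
  externalReferences: [
    { type: 'distribution', url: 'https://registry.example.test/widget-1.2.3.tgz' },
    { type: 'vcs', url: '' },                        // empty-string URL: must be dropped (#180)
  ],
};

// Models.Component.hashes map -> purl checksum list ("algo:hex", lower-case).
function hashesToChecksum(hashes, sort) {
  const list = [...hashes].map(([alg, hex]) => `${alg.toLowerCase().replace(/-/g, '')}:${hex.toLowerCase()}`);
  return sort ? list.sort() : list;
}

// externalReferences[<type>].url -> qualifier value, or undefined if absent or empty.
function urlOf(component, refType) {
  const ref = component.externalReferences.find((r) => r.type === refType);
  return ref && ref.url !== '' ? ref.url : undefined;
}

function qualifiersOf(component, sort) {
  const q = {};
  const checksum = hashesToChecksum(component.hashes, sort);
  if (checksum.length > 0) q.checksum = checksum.join(',');
  const downloadUrl = urlOf(component, 'distribution');
  if (downloadUrl !== undefined) q.download_url = downloadUrl;
  const vcsUrl = urlOf(component, 'vcs');
  if (vcsUrl !== undefined) q.vcs_url = vcsUrl;
  return q;
}

// Percent-encode a qualifier value; ':' '/' ',' are kept readable (assumption of this stand-in).
function encodeQualifierValue(v) {
  return encodeURIComponent(v).replace(/%3A/gi, ':').replace(/%2F/gi, '/').replace(/%2C/gi, ',');
}

// sort=true is the reproducible-builds switch: checksum entries and qualifier
// keys come out in alphabetical order regardless of Map/insertion order.
function makePurlFromComponent(component, type, sort = false) {
  const [namespace, name] = component.name.startsWith('@')
    ? component.name.split('/')            // npm scope stays the namespace, e.g. "@example"
    : [undefined, component.name];
  let purl = `pkg:${type}/`;
  if (namespace !== undefined) purl += `${encodeURIComponent(namespace)}/`;
  purl += encodeURIComponent(name);
  if (component.version) purl += `@${encodeURIComponent(component.version)}`;
  const q = qualifiersOf(component, sort);
  const keys = sort ? Object.keys(q).sort() : Object.keys(q);
  if (keys.length > 0) purl += '?' + keys.map((k) => `${k}=${encodeQualifierValue(q[k])}`).join('&');
  return purl;
}
```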
- Deprecated
  - The sub-namespace `FromPackageJson` will be known as `FromNodePackageJson` (via #148)
    - `Factories.FromPackageJson` -> `Factories.FromNodePackageJson`
    - `Builders.FromPackageJson` -> `Builders.FromNodePackageJson`

- Added
  - Support for nested/bundled (sub-)components via `Models.Component.components` was added, including serialization/normalization of models and impact on dependency graphs rendering (#132 via #136)
  - CycloneDX Specification-1.4 made element `Models.Component.version` optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty (via #137, #138)
- Fixed
  - `Types.isCPE()` for CPE2.3 allows escaped (`\`) chars `&"><`, as expected (via #134)

Maintenance release.

Maintenance release.

- Build
  - Use TypeScript `v4.7.4` now, was `v4.6.4` (via #55)

- Dependencies
  - Raised the requirement of `packageurl-js` to `^0.0.7`, was `^0.0.6` (via #123)
Initial release.

- Responsibilities
  - Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
  - Provide typing for said implementation, so developers and dev-tools can rely on it.
  - Provide data models to work with CycloneDX.
  - Provide a JSON- and an XML-normalizer, that...
    - supports all shipped data models.
    - respects any injected CycloneDX Specification and generates valid output according to it.
    - can be configured to generate reproducible/deterministic output.
    - can prepare data structures for JSON- and XML-serialization.
  - Serialization:
    - Provide a universal JSON-serializer for all target environments.
    - Provide an XML-serializer for all target environments.
    - Support the downstream implementation of custom XML-serializers tailored to specific environments by providing an abstract base class that takes care of normalization and BomRef-discrimination.
      This is done, because there is no universal XML support in JavaScript.
- Capabilities & Features
  - Enums for the following use cases: `AttachmentEncoding`, `ComponentScope`, `ComponentType`, `ExternalReferenceType`, `HashAlgorithm`
  - Data models for the following use cases:
    - `Attachment`
    - `Bom`
    - `BomRef`, `BomRefRepository`
    - `Component`, `ComponentRepository`
    - `ExternalReference`, `ExternalReferenceRepository`
    - `HashContent`, `Hash`, `HashRepository`
    - `LicenseExpression`, `NamedLicense`, `SpdxLicense`, `LicenseRepository`
    - `Metadata`
    - `OrganizationalContact`, `OrganizationalContactRepository`
    - `OrganizationalEntity`
    - `SWID`
    - `Tool`, `ToolRepository`
  - Factories for the following use cases:
    - Create data models from any license descriptor string
    - Specific to Node.js: create data models from PackageJson-like data structures
  - Builders for the following use cases:
    - Specific to Node.js: create deep data models from PackageJson-like data structures
  - Implementation of the CycloneDX Specification for the following versions: 1.4, 1.3, 1.2
  - Normalizers that convert data models to JSON structures
  - Normalizers that convert data models to XML structures
  - Universal serializer that converts `Bom` data models to JSON string
  - Serializer that converts `Bom` data models to XML string:
    - Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
    - Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries