Package detail

@cyclonedx/cyclonedx-library

CycloneDX330.8kApache-2.07.1.0

Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).

CycloneDX, models, normalizer, serializer, bill-of-materials, BOM, software-bill-of-materials, SBOM, OBOM, MBOM, SaaSBOM, VEX, VDR, package-url, PURL, SPDX, OWASP, inventory, component, dependency

readme

CycloneDX JavaScript Library

Core functionality of CycloneDX for JavaScript (Node.js or WebBrowsers), written in TypeScript and compiled for the target.

Responsibilities

Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
Provide typing for said implementation, so developers and dev-tools can rely on it.
Provide data models to work with CycloneDX.
Provide JSON- and XML-normalizers, that...
- supports all shipped data models.
- respects any injected CycloneDX Specification and generates valid output according to it.
- can be configured to generate reproducible/deterministic output.
- can prepare data structures for JSON- and XML-serialization.
Serialization:
- Provide a universal JSON-serializer for all target environments.
- Provide an XML-serializer for all target environments.
- Support the downstream implementation of custom XML-serializers tailored to specific environments
  by providing an abstract base class that takes care of normalization and BomRef-discrimination.
  This is done, because there is no universal XML support in JavaScript.
Provide formal JSON- and XML-validators according to CycloneDX Specification. (currently for Node.js only)

Capabilities

Enums for the following use cases:
- AttachmentEncoding
- ComponentScope
- ComponentType
- ExternalReferenceType
- HashAlgorithm
- Vulnerability related:
  - AffectStatus
  - AnalysisJustification
  - AnalysisResponse
  - AnalysisState
  - RatingMethod
  - Severity
Data models for the following use cases:
- Attachment
- Bom
- BomLink, BomLinkDocument, BomLinkElement
- BomRef, BomRefRepository
- Component, ComponentRepository, ComponentEvidence
- ExternalReference, ExternalReferenceRepository
- Hash, HashContent, HashDictionary
- LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
- Metadata
- OrganizationalContact, OrganizationalContactRepository
- OrganizationalEntity, OrganizationalEntityRepository
- Property, PropertyRepository
- SWID
- Tool, ToolRepository, Tools
- Vulnerability related:
  - Advisory, AdvisoryRepository
  - Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
  - Analysis
  - Credits
  - Rating, RatingRepository
  - Reference, ReferenceRepository
  - Source
  - Vulnerability, VulnerabilityRepository
Utilities for the following use cases:
- Generate valid random SerialNumbers for Bom.serialNumber
Factories for the following use cases:
- Create data models from any license descriptor string
- Create PackageURL from Component data models
- Specific to Node.js: create data models from PackageJson-like data structures and derived data
Builders for the following use cases:
- Specific to Node.js: create deep data models Tool or Component from PackageJson-like data structures
Implementation of the CycloneDX Specification for the following versions:
- 1.6
- 1.5
- 1.4
- 1.3
- 1.2
Normalizers that convert data models to JSON structures
Normalizers that convert data models to XML structures
Universal serializer that converts Bom data models to JSON string
Specific Serializer that converts Bom data models to XML string:
- Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
- Specific to Node.js: implementation utilizes optional dependencies as described below
Formal validators for JSON string and XML string (currently for Node.js only)
Requires optional dependencies as described below

Installation

This package and the build results are available for npm, pnpm and yarn:

npm i -S @cyclonedx/cyclonedx-library
pnpm add @cyclonedx/cyclonedx-library
yarn add @cyclonedx/cyclonedx-library

You can install the package from source, which will build automatically on installation:

npm i -S github:CycloneDX/cyclonedx-javascript-library
pnpm add github:CycloneDX/cyclonedx-javascript-library
yarn add @cyclonedx/cyclonedx-library@github:CycloneDX/cyclonedx-javascript-library # only with yarn-2

Optional Dependencies

Some dependencies are optional. See the shipped package.json for version constraints.

Serialization to XML on Node.js requires any of:
- xmlbuilder2
Validation of JSON on Node.js requires all of:
Validation of XML on Node.js requires all of:
- libxmljs2
- the system might need to meet the requirements for node-gyp, in certain cases.

Usage

See extended examples.

As Node.js package

const CDX = require('@cyclonedx/cyclonedx-library')

const bom = new CDX.Models.Bom()
bom.metadata.component = new CDX.Models.Component(
  CDX.Enums.ComponentType.Application,
  'MyProject'
)
const componentA = new CDX.Models.Component(
  CDX.Enums.ComponentType.Library,
  'myComponentA',
)
bom.components.add(componentA)
bom.metadata.component.dependencies.add(componentA.bomRef)

In WebBrowsers

<script src="path-to-this-package/dist.web/lib.js"></script>
<script type="application/javascript">
    const CDX = CycloneDX_library

    let bom = new CDX.Models.Bom()
    bom.metadata.component = new CDX.Models.Component(
        CDX.Enums.ComponentType.Application,
        'MyProject'
    )
    const componentA = new CDX.Models.Component(
        CDX.Enums.ComponentType.Library,
        'myComponentA',
    )
    bom.components.add(componentA)
    bom.metadata.component.dependencies.add(componentA.bomRef)
</script>

API documentation

We ship annotated type definitions, so that your IDE and tools may pick up the documentation when you use this library downstream.

There are also pre-rendered documentations hosted on readthedocs.

Development & Contributing

Feel free to open issues, bug reports or pull requests.
See the CONTRIBUTING file for details.

License

Permission to modify and redistribute is granted under the terms of the Apache 2.0 license.
See the LICENSE file for the full license.

changelog

Changelog

All notable changes to this project will be documented in this file.

unreleased

7.1.0 -- 2025-01-09

Added
- New type Models.Copyright and class Models.CopyrightRepository (via #1202)
- New type Models.AttachmentContent (via #1202)
Changed
- Replace usage of internals Stringable & SortableStringables with public API (#1192 via #1202)
  This is considered a non-breaking change, as the types are not changed, but made publicly available.
Style
- Apply latest code style guide (via #1201)
Misc
- Support npm11 (#1191 via #1203)

7.0.0 -- 2024-11-26

BREAKING changes
- Property Models.Bom.tools is an instance of Models.Tools now (#1152 via #1163)
  Before, it was an instance of Models.ToolRepository.
- Property Models.Vulnerability.tools is an instance of Models.Tools now (via #1163)
  Before, it was an instance of Models.ToolRepository.
Added
- Static function Models.Tool.fromComponent() (via #1163)
- Static function Models.Tool.fromService() (via #1163)
- New class Models.Tools (#1152 via #1163)
- New serialization/normalization for Models.Tools (#1152 via #1163, #1180)
Changed
- Serializers and Bom-Normalizers will take changed Models.Bom.tools into account (#1152 via #1163)
- Serializers and Vulnerability-Normalizers will take changed Models.Vulnerability.tools into account (via #1163)
Style
- Apply latest code style guide (via #1170, #1181)
Dependencies
- Support libxmljs2@^0.35 (via #1173)
- Use packageurl-js@^2.0.1, was @>=0.0.6 <0.0.8 || ^1 (via #1142)
Build
- Use TypeScript v5.7.2 now, was v5.6.3 (via #1182)

6.13.1 -- 2024-12-22

Dependencies
- Support libxmljs2@^0.35 (via #1196)

6.13.0 -- 2024-11-18

Added
- Support CycloneDX 1.6.1 (#1176 via #1177)

6.12.0 -- 2024-11-12

Added
- Support for services (#1164 via #1165)
- New class Models.Service (#1164 via #1165)
- New class Models.ServiceRepository (#1164 via #1165)
- Class Models.Bom got new property services (#1164 via #1165)
- Serializers and Bom-Normalizers will take Models.Bom.services into account (#1164 via #1165)
Build
- Use webpack v5.96.1 now, was v.95.0 (via #1159)

6.11.1 -- 2024-10-24

Fixed
- Encode quotation marks in URLs (#1154 via #1155)
Build
- Use TypeScript v5.6.3 now, was v5.5.3 (via #1130, #1144, #1150)
- Use webpack v5.95.0 now, was v5.93.0 (via #1138, #1147)

6.11.0 -- 2024-07-15

Changed
- Factories.FromNodePackageJson.ExternalReferenceFactory.makeVcs() tries to canonicalize git-URLs (#1119 via #1120)
Fixed
- Improved URL sanitizer (via #1121)
Build
- Use webpack v5.93.0 now, was v5.92.1 (via #1122)

6.10.1 -- 2024-07-03

Fixed
- XML: properly handle normalizedString & token (#1098 via #1116)
Build
- Use TypeScript v5.5.3 now, was v5.4.5 (via #1108)
- Use webpack v5.92.1 now, was v5.91.0 (via #1091, #1094)

6.10.0 -- 2024-06-06

Changed
- Existing Serialize.XmlSerializer.serialize() for Node.js may throw Serialize.MissingOptionalDependencyError (via #1084)
  This is considered a non-breaking change, as the docs always told that any Error may be thrown.
- Improved the verbose error messages when a functionality failed due to absence of optional/pluggable dependency.
Added
- New class Serialize.MissingOptionalDependencyError (via #1084)
Misc
- Refactored functionality around optional/pluggable dependencies (via #1083, #1084)
  This was done in preparation for #1079.

6.9.5 -- 2024-05-23

Maintenance release.

Chore
- The package will be published to GitHub package registry, too. (#1026 via #1078)

6.9.0 -- 2024-05-23

Changed
- Updated SPDX license list to v3.24.0 (via #1077)

6.8.2 -- 2024-05-21

Fixed
- Added Factories.PackageUrlFactory's generic type's default back in (via #1076)

6.8.1 -- 2024-05-21

Fixed
- Hardened Factories.FromNodePackageJson.PackageUrlFactory's default package repository detection (#1073 via #1074)

6.8.0 -- 2024-05-14

Added
- Explicitly export own first-level submodules via package manifest (#87 via #1066)
  When used with bundlers/packers downstream, this might enable better tree shaking due to scoped imports.
Refactor
- Ease internal tree shaking (via #1066)

6.7.2 -- 2024-05-07

Changed
- The provided XML validation capabilities were explicitly hardened (via #1064; concerns #1061)
  This is considered a security measure concerning XML external entity (XXE) injection.

6.7.1 -- 2024-05-07

Reverted v6.7.0, back to v6.6.1
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

6.7.0 -- 2024-05-07

!! THIS VERSION GOT YANKED !!
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

Changed
- The provided XML validation capabilities no longer supports external entities (via #1063; concerns #1061)
  This is considered a security measure to prevent XML external entity (XXE) injection.

6.6.1 -- 2024-05-06

Fixed
- JSON validator allow arbitrary $schema (#1059 via #1060)

6.6.0 -- 2024-04-26

Changed
- Serializers and License-Normalizers will take license acknowledgement into account (#1051 via #1052)
Added
- Namespace Enums
  - New enum LicenseAcknowledgement (#1051 via #1052)
- Namespace Models
  - Class LicenseExpression got new property acknowledgement (#1051 via #1052)
  - Class NamedLicense got new property acknowledgement (#1051 via #1052)
  - Class SpdxLicense got new property acknowledgement (#1051 via #1052)

6.5.1 -- 2024-04-16

Dependencies
- Bumped the range of optional requirement ajv-formats to ^3.0.1, was ^2.1.1 (via #1037)
  This should fix JSON-validation for time/date.

6.5.0 -- 2024-04-11

Added support for CycloneDX Specification-1.6.

Changed
- Normalizers support CycloneDX Specification-1.6 (#1039 via #1041)
- Validators support CycloneDX Specification-1.6 (#1039 via #1041)
Added
- Existing Enums got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
  - Enums.ComponentType.CryptographicAsset
  - Enums.ExternalReferenceType.SourceDistribution
  - Enums.ExternalReferenceType.ElectronicSignature
  - Enums.ExternalReferenceType.DigitalSignature
  - Enums.ExternalReferenceType.RFC9116
- Namespace Spec was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
  - New const Spec.Spec1dot6
  - New enum member Spec.Version.v1dot6
Build
- Use TypeScript v5.4.5 now, was v5.4.3 (via #1040)

6.4.2 -- 2024-03-21

Build
- Use TypeScript v5.4.3 now, was v5.4.2 (via #1030)
- Use webpack v5.91.0 now, was v5.90.3 (via #1031)

6.4.1 -- 2024-03-18

Documentation
- Rendered (API) docs are hosted on readthedocs (#1027 via #1028)
Build
- Use TypeScript v5.4.2 now, was v5.3.3 (via #1021)

6.4.0 -- 2024-02-26

Added
- Class Models.Metadata got a new property licenses (#1019 via #1020)
- Class Models.Metadata got a new property properties (#1019 via #1020)

6.3.2 -- 2024-02-25

Refactor
- Removed dynamic imports in Node.js-specific XML serializer lookup (#1017 via #1018)
  This should improve compatibility with linkers and bundlers.
Build
- Use webpack v5.90.3 now, was v5.89.0 (via #1008, #1013, #1015)

6.3.1 -- 2023-12-11

Maintenance release

6.3.0 -- 2023-12-11

Dependencies
- Widened optional dependency libxmljs2@^0.31||^0.32||^0.33, was @^0.31||^0.32 (via #1001)

6.2.0 -- 2023-12-11

Changed
- Serialization/normalization guarantees valid URI values (#992 via #996)

6.1.3 -- 2023-12-09

Fixed
- Possible bug in XML serialization of undefined children (via #1000)
Build
- Use TypeScript v5.3.3 now, was v5.3.2 (via #999)

6.1.2 -- 2023-12-02

Maintenance release.

Misc
- Widened dependency spdx-expression-parse@^3.0.1||^4, was @^3.0.1 (via #993)
- CI/CT: test also with Node.js v21 (via #995)

6.1.1 -- 2023-12-01

Maintenance release.

Style
- Apply latest code style guide (via #988, #990)
Build
- Use TypeScript v5.3.2 now, was v5.2.2 (via #990)
- Use ts-loader v9.5.1 now, was v9.5.0 (via #990)

6.1.0 -- 2023-11-05

Added
- Class Models.ExternalReference got a new property hashes (#984 via #985)
- Serializers and ExternalReference-Normalizers will take Models.ExternalReference.hashes into account (#984 via #985)
Build
- Use webpack v5.89.0 now, was v5.88.2 (via #979)
- Use ts-loader v9.5.0 now, was v9.4.4 (via #977)

6.0.0 -- 2023-08-26

BREAKING
- Interface Spec.Protocol was removed from public API (#957 via #958)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
  This change was necessary, so that implementing more spec-features cause no breaking changes.
Build
- Use TypeScript v5.2.2 now, was v5.1.6 (via #966)

5.0.0 -- 2023-08-16

BREAKING
- Interface Spec.Protocol now defines new mandatory methods (via #946)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Added
- New enum Enums.Lifecycle with corresponding values from CycloneDX Specification-1.5 (#937 via #946)
- New class Models.NamedLifecycle (#937 via #946)
- New class Models.LifecycleRepository (#937 via #946)
- Class Models.Metadata got a new property lifecycles (#937 via #946)
- Serializers and Metadata-Normalizers will take Models.Metadata.lifecycles into account (#937 via #946)
Build
- Use webpack v5.88.2 now, was v5.88.1 (via #933)

4.0.0 -- 2023-07-05

BREAKING
- Usage of this library in web browsers might no longer work out of the box (via #880)
  It might require a bundler/packer for web; see the examples/web/.
  This is only a breaking change if you used this library in a web browser.
Fixed
- Properly exclude external packages when preparing this library for web browsers (#883 via #880)
Examples
- Adjusted and extended examples for usage in web browsers (#883 via #880)
  Removed outdated examples/web/*, added examples/web/parcel & examples/web/webpack.
- Added examples for usage of CDX.Factories.PackageUrlFactory (via #882, #886)
Build
- Use TypeScript v5.1.6 now, was v5.1.5 (via #866)
- Use webpack v5.88.1 now, was v5.88.0 (via #870)
- Apply wider rules for externals in webpack build (#883 via #880)

3.0.0 -- 2023-06-28

Added support for CycloneDX Specification-1.5.
Added functionality regarding CycloneDX BOM-Link.

BREAKING
- Interface Spec.Protocol now defines new mandatory methods (via #843)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Changed
- Normalizers support CycloneDX Specification-1.5 (#505 via #843)
- Validators support CycloneDX Specification-1.5 (#505 via #843)
- Some models' properties were widened to support CycloneDX BOM-Link (via #856)
Added
- Existing Enums got the new members and values for CycloneDX Specification-1.5 (#505 via #843)
- Namespace Spec was enhanced for CycloneDX Specification-1.5 (#505 via #843)
- Dedicated classes and types for CycloneDX BOM-Link (via #843, #856, #857)

API changes v3 - the details

BREAKING
- Interface Spec.Protocol now defines a new mandatory method supportsVulnerabilityRatingMethod() (via #843)
  This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
Changed
- Namespace Models
  - Method BomRef.compare() accepts every stringable now, was Models.BomRef only (via #856)
  - Class ExternalReference's property url also accepts BomLink now, was URL|string only (via #856)
  - Class Vulnerability.Affect's property ref also accepts BomLinkElement now, was BomRef only (via #856)
- Namespace Serialize.{JSON,XML}.Normalize
  - All classes support CycloneDX Specification-1.5 now (#505 via #843)
  - Methods VulnerabilityRatingNormalizer.normalize() omit unsupported values for Models.Vulnerability.Rating.method (via #843)
    This utilizes the new method Spec.Protocol.supportsVulnerabilityRatingMethod().
- Namespace Validation
  - Classes {Json,JsonStrict,Xml}Validator support CycloneDX Specification-1.5 now (#505 via #843)
Added
- Namespace Enums
  - Enum ComponentType got new members (#505 via #843)
    New: Data, DeviceDriver, MachineLearningModel, Platform
  - Enum ExternalReferenceType got new members (#505 via #843)
    New: AdversaryModel, Attestation, CertificationReport, CodifiedInfrastructure, ComponentAnalysisReport, Configuration, DistributionIntake, DynamicAnalysisReport, Evidence, ExploitabilityStatement, Formulation, Log, MaturityReport, ModelCard, POAM, PentestReport, QualityMetrics, RiskAssessment, RuntimeAnalysisReport, SecurityContact, StaticAnalysisReport, ThreatModel, VulnerabilityAssertion
  - Enum Vulnerability.RatingMethod got new members (#505 via #843)
    New: CVSSv4, SSVC
- Namespace Models
  - New classes BomLinkDocument and BomLinkDocument to represent CycloneDX BOM-Link (via #843, #856, #857)
  - New type BomLink to represent CycloneDX BOM-Link (via #843, #856)
- Namespace Spec
  - Enum Version got new member v1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
  - Constant SpecVersionDict got new entry to reflect CycloneDX Specification-1.5 (#505 via #843)
  - New constant Spec1dot5 to reflect CycloneDX Specification-1.5 (#505 via #843)
  - Constants Spec1dot{2,3,4} got a new method supportsVulnerabilityRatingMethod() (via #843)
  - Interface Protocol has a new method supportsVulnerabilityRatingMethod() (via #843)
Misc
- Added functional and integration tests for CycloneDX Specification-1.5 (#505 via #843)
- Added unit tests for CycloneDX BOM-Link (via #843, #856)
- Fetched latest stable schema definition files for offline usage (via #843)
- Improved internal documentation (via #856)
Build
- Use TypeScript v5.1.5 now, was v5.1.3 (via #860)
- Use webpack v5.88.0 now, was v5.86.0 (via #841)

2.1.0 -- 2023-06-10

Changed
- Classes Serialize.Xml.Normalize.Vulnerability*Normalizer are now public available (via #816)
  Previously, only instances were available via Serialize.Xml.Normalize.Factory.makeForVulnerability*().
Build
- Use TypeScript v5.1.3 now, was v5.0.4 (via #790)
- Use webpack v5.86.0 now, was v5.82.1 (via #802)

2.0.0 -- 2023-05-17

Improved license detection.
Finished Vulnerability capabilities.
Added ComponentEvidence capabilities.

BREAKING
- Method Factories.LicenseFactory.makeFromString() was changed in its behavior (#271, #530 via #547)
  It will try to create Models.SpdxLicense if value is eligible, else try to create Models.LicenseExpression if value is eligible, else fall back to Models.NamedLicense.
- Revisited sort and compare:
  - Methods Models.*.compare() may return different numbers than before.
  - Methods Models.*.sorted() may return different orders than before.
- Removed deprecated symbols (#747 via #752)
Changed
- Removed beta state from symbols {Enums,Models}.Vulnerability.* (#164 via #722)
  The structures are defined as stable now.
- Some property/parameter types were widened, enabling the use of Buffer and other data-saving mechanisms (#406, #516 via #753)
Added
- New data models and serialization/normalization for Models.ComponentEvidence (#516 via #753)
- Serializers and Component-Normalizers will take Models.Component.evidence into account (#516 via #753)
- Serializers and Bom-Normalizers will take Models.Bom.vulnerabilities into account (#164 via #722)
Misc
- Internal rework, modernization, refactoring

API changes v2 - the details

BREAKING
- Class Factories.LicenseFactory was modified
  - Renamed method makeDisjunctiveWithId() -> makeSpdxLicense() (#530 via #547)
  - Renamed method makeDisjunctiveWithName() -> makeNamedLicense() (#530 via #547)
- Class Models.LicenseExpression was modified
  - Removed static function isEligibleExpression() (via #547)
    Use Spdx.isValidSpdxLicenseExpression() instead.
  - Constructor no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
  - Property expression setter no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeExpression() to mimic the previous behavior.
- Class Models.SpdxLicense was modified
  - Constructor no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
  - Property id setter no longer throws, when value is not eligible (#530 via #547)
    You may use Factories.LicenseFactory.makeSpdxLicense() to mimic the previous behavior.
- Interface Spec.Protocol now defines a new mandatory property supportsComponentEvidence:boolean (via #753)
- Interface Spec.Protocol now defines a new mandatory property supportsVulnerabilities:boolean (via #722)
- Removed deprecated symbols (#747 via #752)
  - Namespaces {Builders,Factories}.FromPackageJson were removed.
    You may use {Builders,Factories}.FromNodePackageJson instead.
  - Class Models.HashRepository was removed.
    You may use Models.HashDictionary instead.
  - Methods Serialize.{Json,Xml}.Normalize.*.normalizeRepository() were removed.
    You may use Serialize.{Json,Xml}.Normalize.*.normalizeIterable() instead
  - Type alias Types.UrnUuid was removed.
    You may use string instead.
  - Type predicate Types.isUrnUuid() was removed.
Changed
- Class Models.Attachment was modified
  - Property content was widened to be any stringable, was string (#406, #516 via #753)
    This enables the use of Buffer and other data-saving mechanisms.
- Class Models.Component was modified
  - Property copyright was widened to be any stringable, was string (#406, #516 via #753)
    This enables the use of Buffer and other data-saving mechanisms.
- Class Models.Vulnerability.Credits was modified
  - Property organizations is no longer optional (via #722)
    This collection(Set) will always exist, but might be empty.
    This is considered a non-breaking change, as the class was in beta state.
  - Property individuals is no longer optional (via #722)
    This collection(Set) will always exist, but might be empty.
    This is considered a non-breaking change, as the class was in beta state.
Added
- Namespace Models was enhanced
  - Class Component was enhanced
    - New optional property evidence of type Models.ComponentEvidence (#516 via #753)
  - New Class ComponentEvidence (#516 via #753)
  - Namespace Vulnerability was enhanced
    - Class Advisory was enhanced
      - New method compare() (via #722)
    - Class AdvisoryRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class Affect was enhanced
      - New method compare() (via #722)
    - Class AffectRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class AffectedSingleVersion was enhanced
      - New method compare() (via #722)
    - Class AffectedVersionRange was enhanced
      - New method compare() (via #722)
    - Class AffectedVersionRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - Class Rating was enhanced
      - New method compare() (via #722)
    - Class RatingRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - class Reference was enhanced
      - New method compare() (via #722)
    - Class ReferenceRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
    - class Source was enhanced
      - New method compare() (via #722)
    - class Vulnerability was enhanced
      - New method compare() (via #722)
    - Class VulnerabilityRepository was enhanced
      - New method sorted() (via #722)
      - New method compare() (via #722)
- Namespaces Serialize.{Json,Xml}.Normalize were enhanced
  - Class Factory was enhanced
    - New Method makeForComponentEvidence() (#516 via #753)
    - New method makeForVulnerability() (#164 via #722)
    - New method makeForVulnerabilitySource() (#164 via #722)
    - New method makeForVulnerabilityReference() (#164 via #722)
    - New method makeForVulnerabilityRating (#164 via #722)
    - New method makeForVulnerabilityAdvisory (#164 via #722)
    - New method makeForVulnerabilityCredits (#164 via #722)
    - New method makeForVulnerabilityAffect (#164 via #722)
    - New method makeForVulnerabilityAffectedVersion (#164 via #722)
    - New method makeForVulnerabilityAnalysis (#164 via #722)
  - New class ComponentEvidenceNormalizer (#516 via #753)
  - Class OrganizationalEntityNormalizer was enhanced
    - New method normalizeIterable() (via #722)
  - New class VulnerabilityNormalizer (#164 via #722)
  - New class VulnerabilityAdvisoryNormalizer (#164 via #722)
  - New class VulnerabilityAffectNormalizer (#164 via #722)
  - New class VulnerabilityAffectedVersionNormalizer (#164 via #722)
  - New class VulnerabilityAnalysisNormalizer (#164 via #722)
  - New class VulnerabilityCreditsNormalizer (#164 via #722)
  - New class VulnerabilityRatingNormalizer (#164 via #722)
  - New class VulnerabilityReferenceNormalizer (#164 via #722)
  - New class VulnerabilitySourceNormalizer (#164 via #722)
- Namespace Spec
  - Constants Spec1dot{2,3,4} were enhanced
    - New property supportsComponentEvidence:boolean (via #753)
    - New property supportsVulnerabilities:boolean (via #722)
- Namespace Spdx was enhanced
  - New function isValidSpdxLicenseExpression() (#271 via #547)
Misc
- Added dependency spdx-expression-parse@^3.0.1 (via #547)

1.14.0 -- 2023-04-25

Added
- Formal validators for JSON string and XML string (#620 via #652, #691)
  Currently available only for Node.js. Requires optional dependencies.
  - Related new validator classes:
    - Validation.JsonValidator
    - Validation.JsonStrictValidator
    - Validation.XmlValidator
  - Related new error classes:
    - Validation.NotImplementedError
    - Validation.MissingOptionalDependencyError
Build
- Use TypeScript v5.0.4 now, was v4.9.5 (#549 via #644)
- Use webpack v5.80.0 now, was v5.79.0 (via #686)

1.13.3 - 2023-04-05

Fixed
- Serialize.{JSON,XML}.Normalize.LicenseNormalizer.normalizeIterable() now omits invalid license combinations (#602 via #623)
  If there is any Models.LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.
Docs
- Fixed link to CycloneDX-specification in README (via #617)

1.13.2 - 2023-03-29

Fixed
- Builders.FromNodePackageJson.ComponentBuilder no longer cuts component's name after a slash(/) (#599 via #600)

1.13.1 - 2023-03-28

Docs
- Announce and annotate the generator for BOM's SerialNumber (#588 via #598)

1.13.0 - 2023-03-28

Fixed
- "Bom.serialNumber" data model can have values following the alternative format allowed in CycloneDX XML specification (#588 via #597)
- Serialize.{JSON,XML}.Normalize.BomNormalizer.normalize now omits invalid/unsupported values for serialNumber (#588 via #597)
Changed
- Property Models.Bom.serialNumber is of type string, was type-aliased Types.UrnUuid = string (#588 via #597)
  Also, the setter no longer throws exceptions, since no string format is illegal.
  This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
Added
- Published generator for BOM's SerialNumber: Utils.BomUtility.randomSerialNumber() (#588 via #597)
  The code was donated from cyclonedx-node-npm.
Deprecation
- Type alias Types.UrnUuid = string became deprecated (via #597)
  Use type string instead.
- Function Types.isUrnUuid became deprecated (via #597)

1.12.2 - 2023-03-28

Fixed
- Digesting this library in TypeScript build with ECMA Script module results works as expected, now (via #596)
Docs
- Development-docs are no longer packed with releases (via #572)
Misc
- Added more integration tests in CI (via #596)

1.12.1 - 2023-03-13

Maintenance release.

1.12.0 - 2023-03-02

Docs
- Made it clear, that {Builders,Factories}.{FromNodePackageJson,FromPackageJson}.* functionality is to be run on already normalized structures (#517 via #518)
  Normalization should be done downstream, for example via normalize-package-data.

1.11.0 - 2023-02-02

Added
- New vulnerability-related enums were added in a new namespace Enums.Vulnerability (#164 via #419)
  Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
  - AffectStatus
  - AnalysisJustification
  - AnalysisResponse
  - AnalysisState
  - RatingMethod
  - Severity
- New vulnerability-related models were added in a new namespace Models.Vulnerability (#164 via #419)
  Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
  Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
  - Advisory, AdvisoryRepository
  - Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
  - Analysis
  - Credits
  - Rating, RatingRepository
  - Reference, ReferenceRepository
  - Source
  - Vulnerability, VulnerabilityRepository
- New class Models.OrganizationalEntityRepository to represent a collection of Models.OrganizationalEntity (via #419)
  Additionally, Models.OrganizationalEntity.compare() was implemented.
- New types and related functionality Common Weaknesses Enumerations (CWE) were added (via #419)
  Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
  - type Types.CWE
  - runtime validation Types.isCWE()
  - class Types.CweRepository
Docs
- Use TSDoc syntax in TypeScript files, instead of JSDoc (via #318, #453)
Build
- Use TypeScript v4.9.5 now, was v4.9.4 (via #463)
Misc
- Added tests for internal helpers (via #454)
- Use `eslint-config-standard-with-typescript@34.0.0now, was33.0.0` (via #460)

1.10.0 - 2023-01-28

Added
- Typing: Interfaces of models' optional properties are now public API (#439 via #440)
- Ship TypeDoc configuration, so that users can build the documentation on demand (#57 via #436)
Fixed
- XML serializer now properly throws UnsupportedFormatError if it is unsupported by the supplied Spec (via #438)
Misc
- Added tests for internal helpers (via #431)
- Added more internal sortable data types (via #165)
- Fixed type hints in internals (via #432)
- Fixed type refs and links in doc-strings (via #437)
- Slightly improved performance of compare methods when reproducible results were needed (via #433)
- Use `eslint-config-standard-with-typescript@33.0.0now, was23.0.0` (via #382, #423, #445)

1.9.2 - 2022-12-16

Maintenance release.

Docs
- Fix CI/CT shield (badges/shields#8671 via #371)

1.9.1 - 2022-12-10

Maintenance release.

Build
- Use TypeScript v4.9.4 now, was v4.9.3 (via #360)

1.9.0 - 2022-11-19

Changed
- Widened the accepted types for first parameter of all normalizeIterable methods (via #317)
Build
- Use TypeScript v4.9.3 now, was v4.8.4 (via #335)

1.8.0 - 2022-10-31

Added
- Enabled detection for node-package manifest's deprecated licenses format in the node-specific builders (#308 via #309)

1.7.0 - 2022-10-25

Changed
- Shipped TypeScript declarations are usable by TypeScript v3.8 and above now (#291 via #292) Previously the source code was abused as type declarations, so they required a certain version of TypeScript 4.

1.6.0 - 2022-09-31

Changed
- Removed synthetic default imports im TypeScript sources (via #243)
  The resulting JavaScript did not change in functionality.
  Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with allowSyntheticDefaultImports enabled.
Added
- Documentation and example regarding dependency tree modelling were added in multiple places (via #250)
Build
- No longer enable TypeScript config esModuleInterop & allowSyntheticDefaultImports (via #243)
- Use TypeScript v4.8.4 now, was v4.8.3 (via #246)

1.5.1 - 2022-09-17

Deprecated
- The normalizer methods normalizeRepository will be known as normalizeIterable (via #230)

1.5.0 - 2022-09-17

Deprecated
- The class HashRepository will be known as HashDictionary (via #229)

1.4.2 - 2022-09-10

Maintenance release.

Build
- Use TypeScript v4.8.3 now, was v4.8.2 (via #212)

1.4.1 - 2022-09-09

Maintenance release.

Misc
- Style: imports are sorted, now (via #208)
Dependencies
- Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8 || ^1, was >=0.0.6 <0.0.8 (via #210)

1.4.0 - 2022-09-07

Added
- New class Factories.FromNodePackageJson.PackageUrlFactory that acts like Factories.PackageUrlFactory, but omits PackageUrl's npm-specific "default derived" qualifier values for download_url & vcs_url (#204 via #207)
Build
- Use TypeScript v4.8.2 now, was v4.7.4 (via #190)

1.3.4 - 2022-08-16

Fixed
- Factories.PackageUrlFactory omits empty-string URLs for PackageUrl's qualifiers download_url & vcs_url (via #180)

1.3.3 - 2022-08-16

Fixed
- Improved omission of invalid anyURI when it comes to XML-normalization (#178 via #179)

1.3.2 - 2022-08-15

Fixed
- Serializers render bom-ref values of nested components as unique values, as expected (#175 via #176)
Misc
- Style: improved readability of constructor parameter types (via #166)

1.3.1 - 2022-08-04

Fixed
- JSON- and XML-Normalizer no longer render Models.Component.properties with CycloneDX Specification-1.2 (#152 via #153)
- XML-Normalizer now has the correct order/position of rendered Models.Component.properties (via #153)

1.3.0 - 2022-08-03

Changed
- Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation (via #150)
- Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #150)
Added
- Models for Property and PropertyRepository (via #151)
- JSON- and XML-Normalizer for Models.Property, Models.PropertyRepository (via #151)
- New property Models.Component.properties (via #151)
Build
- Use webpack v5.74.0. now, was v5.73.0 (via #141)

1.2.0 - 2022-08-01

Added
- New getters/properties that represent the corresponding parameters of class constructor (via #145)
  - Builders.FromPackageJson.ComponentBuilder.extRefFactory,
    Builders.FromPackageJson.ComponentBuilder.licenseFactory
  - Builders.FromPackageJson.ToolBuilder.extRefFactory
  - Factories.PackageUrlFactory.type
  - Serialize.BomRefDiscriminator.prefix
  - Serialize.JsonSerializer.normalizerFactory
  - Serialize.XmlBaseSerializer.normalizerFactory,
    Serialize.XmlSerializer.normalizerFactory
- Factory for PackageURL from Models.Component can handle additional data sources, now (via #146)
  - Models.Component.hashes map -> PackageURL.qualifiers.checksum list
  - Models.Component.externalReferences[distribution].url -> PackageURL.qualifiers.download_url
  - Method Factories.PackageUrlFactory.makeFromComponent() got a new optional parameter sort, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
    This feature switch is related to reproducible builds.
Deprecated
- The sub-namespace FromPackageJson will be known as FromNodePackageJson (via #148)
  - Factories.FromPackageJson -> Factories.FromNodePackageJson
  - Builders.FromPackageJson -> Builders.FromNodePackageJson

1.1.0 - 2022-07-29

Added
- Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering (#132 via #136)
- CycloneDX Specification-1.4 made element Models.Component.version optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty (via #137, #138)

1.0.3 - 2022-07-28

Fixed
- Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected (via #134)

1.0.2 - 2022-07-26

Maintenance release.

Dependencies
- Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7 (#130 via #131)

1.0.1 - 2022-07-23

Maintenance release.

Build
- Use TypeScript v4.7.4 now, was v4.6.4 (via #55)
Dependencies
- Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6 (via #123)

1.0.0 - 2022-06-20

Initial release.

Responsibilities
- Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
- Provide typing for said implementation, so developers and dev-tools can rely on it.
- Provide data models to work with CycloneDX.
- Provide a JSON- and an XML-normalizer, that...
  - supports all shipped data models.
  - respects any injected CycloneDX Specification and generates valid output according to it.
  - can be configured to generate reproducible/deterministic output.
  - can prepare data structures for JSON- and XML-serialization.
- Serialization:
  - Provide a universal JSON-serializer for all target environments.
  - Provide an XML-serializer for all target environments.
  - Support the downstream implementation of custom XML-serializers tailored to specific environments
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.
    This is done, because there is no universal XML support in JavaScript.
Capabilities & Features
- Enums for the following use cases:
  - AttachmentEncoding
  - ComponentScope
  - ComponentType
  - ExternalReferenceType
  - HashAlgorithm
- Data models for the following use cases:
  - Attachment
  - Bom
  - BomRef, BomRefRepository
  - Component, ComponentRepository
  - ExternalReference, ExternalReferenceRepository
  - HashContent, Hash, HashRepository
  - LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
  - Metadata
  - OrganizationalContact, OrganizationalContactRepository
  - OrganizationalEntity
  - SWID
  - Tool, ToolRepository
- Factories for the following use cases:
  - Create data models from any license descriptor string
  - Specific to Node.js: create data models from PackageJson-like data structures
- Builders for the following use cases:
  - Specific to Node.js: create deep data models from PackageJson-like data structures
- Implementation of the CycloneDX Specification for the following versions:
  - 1.4
  - 1.3
  - 1.2
- Normalizers that convert data models to JSON structures
- Normalizers that convert data models to XML structures
- Universal serializer that converts Bom data models to JSON string
- Serializer that converts Bom data models to XML string:
  - Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
  - Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
    - xmlbuilder2