# Changelog

All notable changes to this project will be documented in this file.

## unreleased

## 6.8.0 – 2024-05-14

## 6.7.2 – 2024-05-07

## 6.7.1 – 2024-05-07

Reverted v6.7.0, back to v6.6.1.
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

## 6.7.0 – 2024-05-07

!! THIS VERSION GOT YANKED !!
Reason: https://github.com/CycloneDX/cyclonedx-javascript-library/security/advisories/GHSA-38gf-rh2w-gmj7

## 6.6.1 – 2024-05-06

## 6.6.0 – 2024-04-26

* Changed
* Added
## 6.5.1 – 2024-04-16

* Dependencies
  * Bumped the range of optional requirement `ajv-formats` to `^3.0.1`, was `^2.1.1` (via #1037)
    This should fix JSON-validation for time/date.
## 6.5.0 – 2024-04-11

Added support for *CycloneDX* Specification-1.6.

* Changed
* Added
  * Existing `Enums` got new members and values for CycloneDX Specification-1.6 (#1039 via #1041)
    * `Enums.ComponentType.CryptographicAsset`
    * `Enums.ExternalReferenceType.SourceDistribution`
    * `Enums.ExternalReferenceType.ElectronicSignature`
    * `Enums.ExternalReferenceType.DigitalSignature`
    * `Enums.ExternalReferenceType.RFC9116`
  * Namespace `Spec` was enhanced for CycloneDX Specification-1.6 (#1039 via #1041)
    * New const `Spec.Spec1dot6`
    * New enum member `Spec.Version.v1dot6`
* Build
  * Use TypeScript `v5.4.5` now, was `v5.4.3` (via #1040)
## 6.4.2 – 2024-03-21

## 6.4.1 – 2024-03-18

* Documentation
  * Rendered (API) docs are hosted on readthedocs (#1027 via #1028)
* Build
  * Use TypeScript `v5.4.2` now, was `v5.3.3` (via #1021)
## 6.4.0 – 2024-02-26

## 6.3.2 – 2024-02-25

## 6.3.1 – 2023-12-11

Maintenance release.

## 6.3.0 – 2023-12-11

* Dependencies
  * Widened optional dependency `libxmljs2@^0.31||^0.32||^0.33`, was `@^0.31||^0.32` (via #1001)

## 6.2.0 – 2023-12-11

## 6.1.3 – 2023-12-09

## 6.1.2 – 2023-12-02

Maintenance release.

## 6.1.1 – 2023-12-01

Maintenance release.

## 6.1.0 – 2023-11-05
## 6.0.0 – 2023-08-26

* BREAKING
* Build
  * Use TypeScript `v5.2.2` now, was `v5.1.6` (via #966)

## 5.0.0 – 2023-08-16

* BREAKING
  * Interface `Spec.Protocol` now defines new mandatory methods (via #946)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
* Added
* Build
  * Use webpack `v5.88.2` now, was `v5.88.1` (via #933)

## 4.0.0 – 2023-07-05

* BREAKING
  * Usage of this library in web browsers might no longer work out of the box (via #880)
    It might require a bundler/packer for web; see the `examples/web/`.
    This is only a breaking change if you used this library in a web browser.
* Fixed
* Examples
* Build
## 3.0.0 – 2023-06-28

Added support for *CycloneDX* Specification-1.5.
Added functionality regarding *CycloneDX* BOM-Link.

* BREAKING
  * Interface `Spec.Protocol` now defines new mandatory methods (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
* Changed
* Added

### API changes v3 - the details

* BREAKING
  * Interface `Spec.Protocol` now defines a new mandatory method `supportsVulnerabilityRatingMethod()` (via #843)
    This is only a breaking change if you custom-implemented this TypeScript interface downstream; internal usage is non-breaking.
* Changed
  * Namespace `Models`
  * Namespace `Serialize.{JSON,XML}.Normalize`
  * Namespace `Validation`
* Added
  * Namespace `Enums`
    * Enum `ComponentType` got new members (#505 via #843)
      New: `Data`, `DeviceDriver`, `MachineLearningModel`, `Platform`
    * Enum `ExternalReferenceType` got new members (#505 via #843)
      New: `AdversaryModel`, `Attestation`, `CertificationReport`, `CodifiedInfrastructure`, `ComponentAnalysisReport`, `Configuration`, `DistributionIntake`, `DynamicAnalysisReport`, `Evidence`, `ExploitabilityStatement`, `Formulation`, `Log`, `MaturityReport`, `ModelCard`, `POAM`, `PentestReport`, `QualityMetrics`, `RiskAssessment`, `RuntimeAnalysisReport`, `SecurityContact`, `StaticAnalysisReport`, `ThreatModel`, `VulnerabilityAssertion`
    * Enum `Vulnerability.RatingMethod` got new members (#505 via #843)
      New: `CVSSv4`, `SSVC`
  * Namespace `Models`
  * Namespace `Spec`
    * Enum `Version` got new member `v1dot5` to reflect CycloneDX Specification-1.5 (#505 via #843)
    * Constant `SpecVersionDict` got new entry to reflect CycloneDX Specification-1.5 (#505 via #843)
    * New constant `Spec1dot5` to reflect CycloneDX Specification-1.5 (#505 via #843)
    * Constants `Spec1dot{2,3,4}` got a new method `supportsVulnerabilityRatingMethod()` (via #843)
    * Interface `Protocol` has a new method `supportsVulnerabilityRatingMethod()` (via #843)
* Misc
* Build
## 2.1.0 – 2023-06-10

* Changed
  * Classes `Serialize.Xml.Normalize.Vulnerability*Normalizer` are now publicly available (via #816)
    Previously, only instances were available via `Serialize.Xml.Normalize.Factory.makeForVulnerability*()`.
* Build
## 2.0.0 – 2023-05-17

Improved license detection.
Finished `Vulnerability` capabilities.
Added `ComponentEvidence` capabilities.

* BREAKING
  * Method `Factories.LicenseFactory.makeFromString()` was changed in its behavior (#271, #530 via #547)
    It will try to create `Models.SpdxLicense` if value is eligible, else try to create `Models.LicenseExpression` if value is eligible, else fall back to `Models.NamedLicense`.
  * Revisited sort and compare:
    * Methods `Models.*.compare()` may return different numbers than before.
    * Methods `Models.*.sorted()` may return different orders than before.
* Changed
* Added
* Misc
  * Internal rework, modernization, refactoring
### API changes v2 - the details

* BREAKING
  * Class `Factories.LicenseFactory` was modified
  * Class `Models.LicenseExpression` was modified
    * Removed static function `isEligibleExpression()` (via #547)
      Use `Spdx.isValidSpdxLicenseExpression()` instead.
    * Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeExpression()` to mimic the previous behavior.
    * Property `expression` setter no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeExpression()` to mimic the previous behavior.
  * Class `Models.SpdxLicense` was modified
    * Constructor no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeSpdxLicense()` to mimic the previous behavior.
    * Property `id` setter no longer throws, when value is not eligible (#530 via #547)
      You may use `Factories.LicenseFactory.makeSpdxLicense()` to mimic the previous behavior.
  * Interface `Spec.Protocol` now defines a new mandatory property `supportsComponentEvidence:boolean` (via #753)
  * Interface `Spec.Protocol` now defines a new mandatory property `supportsVulnerabilities:boolean` (via #722)
  * Removed deprecated symbols (#747 via #752)
    * Namespaces `{Builders,Factories}.FromPackageJson` were removed.
      You may use `{Builders,Factories}.FromNodePackageJson` instead.
    * Class `Models.HashRepository` was removed.
      You may use `Models.HashDictionary` instead.
    * Methods `Serialize.{Json,Xml}.Normalize.*.normalizeRepository()` were removed.
      You may use `Serialize.{Json,Xml}.Normalize.*.normalizeIterable()` instead.
    * Type alias `Types.UrnUuid` was removed.
      You may use `string` instead.
    * Type predicate `Types.isUrnUuid()` was removed.
* Changed
  * Class `Models.Attachment` was modified
  * Class `Models.Component` was modified
  * Class `Models.Vulnerability.Credits` was modified
    * Property `organizations` is no longer optional (via #722)
      This collection (`Set`) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
    * Property `individuals` is no longer optional (via #722)
      This collection (`Set`) will always exist, but might be empty.
      This is considered a non-breaking change, as the class was in beta state.
* Added
  * Namespace `Models` was enhanced
    * Class `Component` was enhanced
    * Namespace `Vulnerability` was enhanced
      * Class `Advisory` was enhanced
        * New method `compare()` (via #722)
      * Class `AdvisoryRepository` was enhanced
      * Class `Affect` was enhanced
        * New method `compare()` (via #722)
      * Class `AffectRepository` was enhanced
      * Class `AffectedSingleVersion` was enhanced
        * New method `compare()` (via #722)
      * Class `AffectedVersionRange` was enhanced
        * New method `compare()` (via #722)
      * Class `AffectedVersionRepository` was enhanced
      * Class `Rating` was enhanced
        * New method `compare()` (via #722)
      * Class `RatingRepository` was enhanced
      * Class `Reference` was enhanced
        * New method `compare()` (via #722)
      * Class `ReferenceRepository` was enhanced
      * Class `Source` was enhanced
        * New method `compare()` (via #722)
      * Class `Vulnerability` was enhanced
        * New method `compare()` (via #722)
      * Class `VulnerabilityRepository` was enhanced
  * Namespaces `Serialize.{Json,Xml}.Normalize` were enhanced
  * Namespace `Spec`
  * Namespace `Spdx` was enhanced
* Misc
  * Added dependency `spdx-expression-parse@^3.0.1` (via #547)
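The `makeFromString()` cascade described in the BREAKING section of this release (SPDX id, else SPDX expression, else named license) and the split between the non-throwing constructors and the still-throwing `makeExpression()` factory, as an added example in plain JavaScript. This is illustration code written for this page, not the library's own `Factories.LicenseFactory`; the SPDX id subset, the exception-id pattern and the reduced expression grammar are assumptions made for the demo (the library itself relies on the full SPDX list and on the `spdx-expression-parse` dependency listed above).

```javascript
// Added illustration, not the library's code: the makeFromString() decision cascade
// (SPDX id -> SPDX expression -> named license) and a strict makeExpression() that
// still throws, so callers can opt back into the pre-2.0.0 behavior.

// Constructed subset of SPDX license identifiers (assumption: the real list is much longer).
const SPDX_IDS = new Set(['MIT', 'Apache-2.0', 'GPL-2.0-only', 'GPL-3.0-or-later', 'BSD-3-Clause']);

// A single SPDX id, optionally with the legacy "+" suffix ("GPL-2.0-only+").
function isSpdxId(value) {
  const id = value.endsWith('+') ? value.slice(0, -1) : value;
  return SPDX_IDS.has(id);
}

// Split an expression into parentheses, operators and identifiers.
function tokenize(expression) {
  return expression.match(/\(|\)|[^\s()]+/g) ?? [];
}

// Recursive-descent check of a reduced SPDX expression grammar (assumption: the full
// grammar lives in spdx-expression-parse):
//   expr := term (("AND" | "OR") term)*
//   term := "(" expr ")" | id ["WITH" exception]
// The expression is valid only if every token was consumed.
function isValidSpdxExpression(value) {
  const tokens = tokenize(value);
  let pos = 0;
  const peek = () => tokens[pos];
  const next = () => tokens[pos++];

  function term() {
    const tok = next();
    if (tok === '(') {
      return expr() && next() === ')';
    }
    if (tok === undefined || !isSpdxId(tok)) return false;
    if (peek() === 'WITH') {
      next();
      const exception = next();
      // Constructed shape for exception ids such as "Classpath-exception-2.0".
      return exception !== undefined && /^[A-Za-z0-9.-]+-exception(-[0-9.]+)?$/.test(exception);
    }
    return true;
  }

  function expr() {
    if (!term()) return false;
    while (peek() === 'AND' || peek() === 'OR') {
      next();
      if (!term()) return false;
    }
    return true;
  }

  return tokens.length > 0 && expr() && pos === tokens.length;
}

// The post-2.0.0 makeFromString() cascade: never throws, always yields a model.
function classifyLicense(value) {
  if (isSpdxId(value)) return { kind: 'SpdxLicense', id: value };
  if (isValidSpdxExpression(value)) return { kind: 'LicenseExpression', expression: value };
  return { kind: 'NamedLicense', name: value };
}

// The strict factory: throws on ineligible input, like the pre-2.0.0 constructor did.
function makeExpression(value) {
  if (!isValidSpdxExpression(value)) {
    throw new RangeError(`not a valid SPDX license expression: ${value}`);
  }
  return { kind: 'LicenseExpression', expression: value };
}

for (const value of ['MIT', '(MIT OR Apache-2.0)', 'MIT AND', 'See LICENSE file']) {
  console.log(JSON.stringify(value), '->', classifyLicense(value).kind);
}
```

The ordering matters: `MIT` is both a valid id and a valid one-term expression, and the cascade deliberately prefers the more specific `SpdxLicense`. A free-text value such as `See LICENSE file` or a truncated expression such as `MIT AND` never raises in `classifyLicense()`; it lands in `NamedLicense`, which is exactly why a caller that wants the old fail-fast behavior has to go through `makeExpression()`.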
## 1.14.0 – 2023-04-25

* Added
  * Formal validators for JSON string and XML string (#620 via #652, #691)
    Currently available only for Node.js. Requires optional dependencies.
    Related new validator classes:
    * `Validation.JsonValidator`
    * `Validation.JsonStrictValidator`
    * `Validation.XmlValidator`
    Related new error classes:
    * `Validation.NotImplementedError`
    * `Validation.MissingOptionalDependencyError`
* Build
## 1.13.3 - 2023-04-05

* Fixed
* Docs
  * Fixed link to CycloneDX-specification in README (via #617)

## 1.13.2 - 2023-03-29

## 1.13.1 - 2023-03-28

## 1.13.0 - 2023-03-28

* Fixed
* Changed
  * Property `Models.Bom.serialNumber` is of type `string`, was type-aliased `Types.UrnUuid = string` (#588 via #597)
    Also, the setter no longer throws exceptions, since no string format is illegal.
    This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
* Added
  * Published generator for BOM's SerialNumber: `Utils.BomUtility.randomSerialNumber()` (#588 via #597)
    The code was donated from cyclonedx-node-npm.
* Deprecation
## 1.12.2 - 2023-03-28

## 1.12.1 - 2023-03-13

Maintenance release.

## 1.12.0 - 2023-03-02

* Docs
  * Made it clear, that `{Builders,Factories}.{FromNodePackageJson,FromPackageJson}.*` functionality is to be run on already normalized structures (#517 via #518)
    Normalization should be done downstream, for example via [`normalize-package-data`](https://www.npmjs.com/package/normalize-package-data).
## 1.11.0 - 2023-02-02

* Added
  * New vulnerability-related enums were added in a new namespace `Enums.Vulnerability` (#164 via #419)
    Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
    * `AffectStatus`
    * `AnalysisJustification`
    * `AnalysisResponse`
    * `AnalysisState`
    * `RatingMethod`
    * `Severity`
  * New vulnerability-related models were added in a new namespace `Models.Vulnerability` (#164 via #419)
    Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
    Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
    * `Advisory`, `AdvisoryRepository`
    * `Affect`, `AffectRepository`, `AffectedSingleVersion`, `AffectedVersionRange`, `AffectedVersionRepository`
    * `Analysis`
    * `Credits`
    * `Rating`, `RatingRepository`
    * `Reference`, `ReferenceRepository`
    * `Source`
    * `Vulnerability`, `VulnerabilityRepository`
  * New class `Models.OrganizationalEntityRepository` to represent a collection of `Models.OrganizationalEntity` (via #419)
    Additionally, `Models.OrganizationalEntity.compare()` was implemented.
  * New types and related functionality for Common Weakness Enumeration (CWE) were added (via #419)
    Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
    * type `Types.CWE`
    * runtime validation `Types.isCWE()`
    * class `Types.CweRepository`
* Docs
* Build
  * Use TypeScript `v4.9.5` now, was `v4.9.4` (via #463)
* Misc
## 1.10.0 - 2023-01-28

* Added
* Fixed
  * XML serializer now properly throws `UnsupportedFormatError` if it is unsupported by the supplied Spec (via #438)
* Misc
  * Added tests for internal helpers (via #431)
  * Added more internal sortable data types (via #165)
  * Fixed type hints in internals (via #432)
  * Fixed type refs and links in doc-strings (via #437)
  * Slightly improved performance of compare methods when reproducible results were needed (via #433)
  * Use `eslint-config-standard-with-typescript@33.0.0` now, was `23.0.0` (via #382, #423, #445)
## 1.9.2 - 2022-12-16

Maintenance release.

* Docs
  * Fix CI/CT shield (badges/shields#8671 via #371)

## 1.9.1 - 2022-12-10

Maintenance release.

* Build
  * Use TypeScript `v4.9.4` now, was `v4.9.3` (via #360)

## 1.9.0 - 2022-11-19

## 1.8.0 - 2022-10-31

## 1.7.0 - 2022-10-25

## 1.6.0 - 2022-09-31
* Changed
  * Removed synthetic default imports in TypeScript sources (via #243)
    The resulting JavaScript did not change in functionality.
    Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with `allowSyntheticDefaultImports` enabled.
* Added
  * Documentation and example regarding dependency tree modelling were added in multiple places (via #250)
* Build
## 1.5.1 - 2022-09-17

* Deprecated
  * The normalizer methods `normalizeRepository` will be known as `normalizeIterable` (via #230)

## 1.5.0 - 2022-09-17

* Deprecated
  * The class `HashRepository` will be known as `HashDictionary` (via #229)

## 1.4.2 - 2022-09-10

Maintenance release.

* Build
  * Use TypeScript `v4.8.3` now, was `v4.8.2` (via #212)

## 1.4.1 - 2022-09-09

Maintenance release.

## 1.4.0 - 2022-09-07
## 1.3.4 - 2022-08-16

* Fixed
  * `Factories.PackageUrlFactory` omits empty-string URLs for PackageUrl's qualifiers `download_url` & `vcs_url` (via #180)

## 1.3.3 - 2022-08-16

## 1.3.2 - 2022-08-15

## 1.3.1 - 2022-08-04

* Fixed
  * JSON- and XML-Normalizer no longer render `Models.Component.properties` with *CycloneDX* Specification-1.2 (#152 via #153)
  * XML-Normalizer now has the correct order/position of rendered `Models.Component.properties` (via #153)

## 1.3.0 - 2022-08-03

* Changed
  * Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation (via #150)
  * Use SPDX license enumeration from version 9b04a94 of CycloneDX specification (via #150)
* Added
* Build
  * Use webpack `v5.74.0` now, was `v5.73.0` (via #141)
## 1.2.0 - 2022-08-01

* Added
  * New getters/properties that represent the corresponding parameters of class constructor (via #145)
    * `Builders.FromPackageJson.ComponentBuilder.extRefFactory`, `Builders.FromPackageJson.ComponentBuilder.licenseFactory`
    * `Builders.FromPackageJson.ToolBuilder.extRefFactory`
    * `Factories.PackageUrlFactory.type`
    * `Serialize.BomRefDiscriminator.prefix`
    * `Serialize.JsonSerializer.normalizerFactory`
    * `Serialize.XmlBaseSerializer.normalizerFactory`, `Serialize.XmlSerializer.normalizerFactory`
  * Factory for `PackageURL` from `Models.Component` can handle additional data sources, now (via #146)
    * `Models.Component.hashes` map -> `PackageURL.qualifiers.checksum` list
    * `Models.Component.externalReferences[distribution].url` -> `PackageURL.qualifiers.download_url`
  * Method `Factories.PackageUrlFactory.makeFromComponent()` got a new optional parameter `sort`, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
    This feature switch is related to reproducible builds.
* Deprecated
  * The sub-namespace `FromPackageJson` will be known as `FromNodePackageJson` (via #148)
    * `Factories.FromPackageJson` -> `Factories.FromNodePackageJson`
    * `Builders.FromPackageJson` -> `Builders.FromNodePackageJson`
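The two PackageURL-related items of this release (hashes to `checksum`, distribution URL to `download_url`, the `sort` switch for reproducible output) together with the 1.3.4 rule that empty-string URLs are omitted, as one added example. This is plain JavaScript written for this page, not the library's `Factories.PackageUrlFactory` and not the packageurl-js package; the component is a constructed plain object, and both the `algorithm:hex` checksum format and the minimal purl rendering are simplifying assumptions.

```javascript
// Added illustration, not the library's Factories.PackageUrlFactory and not packageurl-js:
// map a component's hashes and URLs to PackageURL qualifiers, with the `sort` switch for
// reproducible output and the 1.3.4 rule that empty-string URLs are left out.

// Constructed sample component (assumption: plain objects stand in for Models.Component).
const sampleComponent = {
  name: 'left-pad',
  version: '1.3.0',
  // algorithm -> hex digest, in the (non-alphabetical) order they were collected
  hashes: new Map([
    ['SHA-512', 'deadbeef01'],
    ['MD5', '0c3f42'],
    ['SHA-256', 'cafef00d'],
  ]),
  externalReferences: [
    { type: 'vcs', url: 'git+https://git.example.test/left-pad.git' },
    { type: 'distribution', url: 'https://registry.example.test/left-pad-1.3.0.tgz' },
  ],
};

// Same component, but with an empty vcs URL that must not become a qualifier.
const componentWithEmptyUrl = {
  ...sampleComponent,
  externalReferences: [
    { type: 'vcs', url: '' },
    { type: 'distribution', url: 'https://registry.example.test/left-pad-1.3.0.tgz' },
  ],
};

// Which external-reference types feed which qualifier.
const URL_QUALIFIERS = { distribution: 'download_url', vcs: 'vcs_url' };

// Build the qualifiers object. With sort=true the checksum list and the qualifier keys
// are in alphabetical order, so two runs over the same data render byte-identically.
function makeQualifiers(component, sort = false) {
  const qualifiers = {};

  // hashes map -> checksum qualifier; "algorithm:hex" comma-separated is an assumption
  // modelled on the purl-spec convention.
  let checksums = [...component.hashes].map(([alg, hex]) => `${alg.toLowerCase()}:${hex}`);
  if (sort) checksums = checksums.slice().sort();
  if (checksums.length > 0) qualifiers.checksum = checksums.join(',');

  // external references -> URL qualifiers; empty strings are skipped, first non-empty wins
  for (const ref of component.externalReferences) {
    const key = URL_QUALIFIERS[ref.type];
    if (key !== undefined && ref.url !== '' && !(key in qualifiers)) {
      qualifiers[key] = ref.url;
    }
  }

  if (!sort) return qualifiers;
  return Object.fromEntries(
    Object.entries(qualifiers).sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0)),
  );
}

// Minimal purl rendering for the npm type (simplified; not a full purl-spec encoder).
function renderPurl(component, sort = false) {
  const query = Object.entries(makeQualifiers(component, sort))
    .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
    .join('&');
  const base = `pkg:npm/${encodeURIComponent(component.name)}@${encodeURIComponent(component.version)}`;
  return query === '' ? base : `${base}?${query}`;
}

console.log(renderPurl(sampleComponent));
console.log(renderPurl(sampleComponent, true));
```

Without `sort` the output depends on the order in which hashes and references were collected, which is what makes two otherwise identical SBOM runs differ and defeats byte-for-byte comparison; with `sort` the purl for the same component is stable across runs. The empty-string rule exists because an `&vcs_url=` qualifier with no value is still a qualifier and would change the purl for no information gain.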
## 1.1.0 - 2022-07-29

* Added
  * Support for nested/bundled (sub-)components via `Models.Component.components` was added, including serialization/normalization of models and impact on dependency graphs rendering (#132 via #136)
  * *CycloneDX* Specification-1.4 made element `Models.Component.version` optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty (via #137, #138)

## 1.0.3 - 2022-07-28

* Fixed
  * `Types.isCPE()` for CPE2.3 allows escaped (`\`) chars `&"><`, as expected (via #134)
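What the `Types.isCPE()` fix above is about: in a CPE 2.3 formatted string the characters `& " > <` are only legal when escaped with a backslash, so a validator has to treat the escape pair as one unit instead of rejecting the character outright. The following is an added example, not the library's own `Types.isCPE()`; it is a hand-written scanner implementing a reduced version of the CPE 2.3 formatted-string rules (the language attribute is checked like any other attribute, which is a simplification), and every sample string is constructed.

```javascript
// Added illustration, not the library's Types.isCPE(): a scanner-based check of the
// CPE 2.3 formatted-string binding that accepts backslash-escaped punctuation such as
// "\&" or "\"" while still rejecting the same characters unescaped. Simplifying
// assumptions: the language attribute gets no special treatment, a wildcard "*" is
// allowed once at the start and/or end of a value, and "?" runs likewise.

// Punctuation that may appear only when escaped with a backslash.
const ESCAPABLE = new Set('\\*?!"#$%&\'()+,/:;<=>@[]^`{|}~'.split(''));

// True if the character at idx is preceded by an odd number of backslashes.
function isEscapedAt(s, idx) {
  let backslashes = 0;
  for (let j = idx - 1; j >= 0 && s[j] === '\\'; j--) backslashes++;
  return backslashes % 2 === 1;
}

// Split on colons that are not escaped; escape pairs stay inside their attribute.
function splitUnescaped(value) {
  const parts = [];
  let current = '';
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\\' && i + 1 < value.length) {
      current += ch + value[++i];
    } else if (ch === ':') {
      parts.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// Remove a leading wildcard ("*" or a run of "?") and an unescaped trailing one.
function stripWildcards(attr) {
  let start = 0;
  let end = attr.length;
  if (attr[start] === '*') start++;
  else while (attr[start] === '?') start++;
  if (end > start && attr[end - 1] === '*' && !isEscapedAt(attr, end - 1)) end--;
  else while (end > start && attr[end - 1] === '?' && !isEscapedAt(attr, end - 1)) end--;
  return attr.slice(start, end);
}

// The literal part of a value: alphanumerics, "." "_" "-", or an escape pair.
function isValidBody(body) {
  if (body.length === 0) return false;
  for (let i = 0; i < body.length; i++) {
    const ch = body[i];
    if (/[A-Za-z0-9._-]/.test(ch)) continue;
    if (ch === '\\' && i + 1 < body.length && ESCAPABLE.has(body[i + 1])) {
      i++; // consume the escaped character as part of the pair
      continue;
    }
    return false; // bare special character (e.g. & " > <) or dangling backslash
  }
  return true;
}

// ANY ("*"), NA ("-"), or a value with optional wildcard prefix/suffix.
function isValidAttribute(attr) {
  if (attr === '*' || attr === '-') return true;
  return isValidBody(stripWildcards(attr));
}

// cpe:2.3:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
//        :<sw_edition>:<target_sw>:<target_hw>:<other>  -> 13 colon-separated fields
function isCpe23(value) {
  if (typeof value !== 'string') return false;
  const parts = splitUnescaped(value);
  if (parts.length !== 13 || parts[0] !== 'cpe' || parts[1] !== '2.3') return false;
  if (!/^[aho*-]$/.test(parts[2])) return false;
  return parts.slice(3).every(isValidAttribute);
}
```

The practical consequence for SBOM consumers is that a product name containing `&` is representable only as `tom\&jerry`; a validator that rejects the backslash, or one that splits on every colon without honouring `\:`, will either drop a legitimate identifier or mis-parse it into the wrong field, and downstream vulnerability matching then fails silently.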
## 1.0.2 - 2022-07-26

Maintenance release.

## 1.0.1 - 2022-07-23

Maintenance release.

## 1.0.0 - 2022-06-20

Initial release.
### Responsibilities

* Provide a general purpose JavaScript-implementation of *CycloneDX* for Node.js and WebBrowsers.
* Provide typing for said implementation, so developers and dev-tools can rely on it.
* Provide data models to work with CycloneDX.
* Provide a JSON- and an XML-normalizer, that…
  * supports all shipped data models.
  * respects any injected *CycloneDX* Specification and generates valid output according to it.
  * can be configured to generate reproducible/deterministic output.
  * can prepare data structures for JSON- and XML-serialization.
* Serialization:
  * Provide a universal JSON-serializer for all target environments.
  * Provide an XML-serializer for all target environments.
  * Support the downstream implementation of custom XML-serializers tailored to specific environments
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.
    This is done, because there is no universal XML support in JavaScript.

### Capabilities & Features

* Enums for the following use cases:
  * `AttachmentEncoding`
  * `ComponentScope`
  * `ComponentType`
  * `ExternalReferenceType`
  * `HashAlgorithm`
* Data models for the following use cases:
  * `Attachment`
  * `Bom`
  * `BomRef`, `BomRefRepository`
  * `Component`, `ComponentRepository`
  * `ExternalReference`, `ExternalReferenceRepository`
  * `HashContent`, `Hash`, `HashRepository`
  * `LicenseExpression`, `NamedLicense`, `SpdxLicense`, `LicenseRepository`
  * `Metadata`
  * `OrganizationalContact`, `OrganizationalContactRepository`
  * `OrganizationalEntity`
  * `SWID`
  * `Tool`, `ToolRepository`
* Factories for the following use cases:
  * Create data models from any license descriptor string
  * Specific to Node.js: create data models from PackageJson-like data structures
* Builders for the following use cases:
  * Specific to Node.js: create deep data models from PackageJson-like data structures
* Implementation of the *CycloneDX* Specification for the following versions:
  * 1.4
  * 1.3
  * 1.2
* Normalizers that convert data models to JSON structures
* Normalizers that convert data models to XML structures
* Universal serializer that converts `Bom` data models to JSON string
* Serializer that converts `Bom` data models to XML string:
  * Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
  * Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries