HISTORY.md

Changelog

All notable changes to this project will be documented in this file.

unreleased

• Added
  • Formal validators for JSON string and XML string (#620 via #652)
    Currently available only for Node.js. Requires optional dependencies.
    • Related new validator classes:
      • Validation.JsonValidator
      • Validation.JsonStrictValidator
      • Validation.XmlValidator
    • Related new error classes:
      • Validation.ValidationError
      • Validation.NotImplementedError
      • Validation.MissingOptionalDependencyError
• Build
  • Use TypeScript v5.0.4 now, was v4.9.5. (#549 via #644)
  • Use Webpack v5.80.0 now, was 5.79.0. (via #686)

1.13.3 - 2023-04-05

• Fixed
  • Serialize.{JSON,XML}.Normalize.LicenseNormalizer.normalizeIterable() now omits invalid license combinations (#602 via #623)
    If there is any Models.LicenseExpression, then this is the only license normalized; otherwise all licenses are normalized.
• Docs
  • Fixed link to CycloneDX-specification in README (via #617)

1.13.2 - 2023-03-29

• Fixed
  • Builders.FromNodePackageJson.ComponentBuilder no longer cuts component's name after a slash(/) (#599 via #600)

1.13.1 - 2023-03-28

• Docs
  • Announce and annotate the generator for BOM's SerialNumber (#588 via #598)

1.13.0 - 2023-03-28

• Fixed
  • "Bom.serialNumber" data model can have values following the alternative format allowed in CycloneDX XML specification (#588 via #597)
  • Serialize.{JSON,XML}.Normalize.BomNormalizer.normalize now omits invalid/unsupported values for serialNumber (#588 via #597)
• Changed
  • Property Models.Bom.serialNumber is of type string, was type-aliased Types.UrnUuid = string (#588 via #597)
    Also, the setter no longer throws exceptions, since no string format is illegal.
    This is considered a non-breaking behavior change, because the corresponding normalizers assure valid data results.
• Added
  • Published generator for BOM's SerialNumber: Utils.BomUtility.randomSerialNumber() (#588 via #597)
    The code was donated from cyclonedx-node-npm.
• Deprecation
  • Type alias Types.UrnUuid = string became deprecated (via #597)
    Use type string instead.
  • Function Types.isUrnUuid became deprecated (via #597)

1.12.2 - 2023-03-28

• Fixed
  • Digesting this library in TypeScript build with ECMA Script module results works as expected, now (via #596)
• Docs
  • Development-docs are no longer packed with releases (via #572)
• Misc
  • Added more integration tests in CI (via #596)

1.12.1 - 2023-03-13

Maintenance release.

1.12.0 - 2023-03-02

• Docs
  • Made it clear, that {Builders,Factories}.{FromNodePackageJson,FromPackageJson}.* functionality is to be run on already normalized structures. (#517 via #518)
    Normalization should be done downstream, for example via normalize-package-data.

1.11.0 - 2023-02-02

• Added
  • New vulnerability-related enums were added in a new namespace Enums.Vulnerability (#164 via #419)
    Release stage is “beta”. These namespace and enums have been released to third-party developers experimentally for the purpose of collecting feedback. These enums should not be used in production, because their contracts may change without notice.
    • AffectStatus
    • AnalysisJustification
    • AnalysisResponse
    • AnalysisState
    • RatingMethod
    • Severity
  • New vulnerability-related models were added in a new namespace Models.Vulnerability (#164 via #419)
    Release stage is “beta”. These namespace and models have been released to third-party developers experimentally for the purpose of collecting feedback. These models should not be used in production, because their contracts may change without notice.
    Attention: The models are not yet supported by shipped serializers nor shipped normalizers.
    • Advisory, AdvisoryRepository
    • Affect, AffectRepository, AffectedSingleVersion, AffectedVersionRange, AffectedVersionRepository
    • Analysis
    • Credits
    • Rating, RatingRepository
    • Reference, ReferenceRepository
    • Source
    • Vulnerability, VulnerabilityRepository
  • New class Models.OrganizationalEntityRepository to represent a collection of Models.OrganizationalEntity (via #419)
    Additionally, Models.OrganizationalEntity.compare() was implemented.
  • New types and related functionality Common Weaknesses Enumerations (CWE) were added (via #419)
    Release stage is “beta”. These types, functions and classes have been released to third-party developers experimentally for the purpose of collecting feedback. These types, functions and classes should not be used in production, because their contracts may change without notice.
    • type Types.CWE
    • runtime validation Types.isCWE()
    • class Types.CweRepository
• Docs
  • Use TSDoc syntax in TypeScript files, instead of JSDoc (via #318, #453)
• Build
  • Use TypeScript v4.9.5 now, was v4.9.4. (via #463)
• Misc
  • Added tests for internal helpers (via #454)
  • Use [email protected] now, was 33.0.0 (via #460)

1.10.0 - 2023-01-28

• Added
  • Typing: Interfaces of models' optional properties are now public API (#439 via #440)
  • Ship TypeDoc configuration, so that users can build the documentation on demand (#57 via #436)
• Fixed
  • XML serializer now properly throws UnsupportedFormatError if it is unsupported by the supplied Spec (via #438)
• Misc
  • Added tests for internal helpers (via #431)
  • Added more internal sortable data types (via #165)
  • Fixed type hints in internals (via #432)
  • Fixed type refs and links in doc-strings (via #437)
  • Slightly improved performance of compare methods when reproducible results were needed (via #433)
  • Use [email protected] now, was 23.0.0 (via #382, #423, #445)

1.9.2 - 2022-12-16

Maintenance release.

• Docs
  • Fix CI/CT shield (badges/shields#8671 via #371)

1.9.1 - 2022-12-10

Maintenance release.

• Build
  • Use TypeScript v4.9.4 now, was v4.9.3. (via #360)

1.9.0 - 2022-11-19

• Changed
  • Widened the accepted types for first parameter of all normalizeIterable methods (via #317)
• Build
  • Use TypeScript v4.9.3 now, was v4.8.4. (via #335)

1.8.0 - 2022-10-31

• Added
  • Enabled detection for node-package manifest's deprecated licenses format in the node-specific builders (#308 via #309)

1.7.0 - 2022-10-25

• Changed
  • Shipped TypeScript declarations are usable by TypeScript v3.8 and above now. (#291 via #292) Previously the source code was abused as type declarations, so they required a certain version of TypeScript 4.

1.6.0 - 2022-09-31

• Changed
  • Removed synthetic default imports im TypeScript sources. (via #243)
    The resulting JavaScript did not change in functionality.
    Downstream users of the TypeScript sources/definitions might consider this a feature, as they are no longer required to compile with allowSyntheticDefaultImports enabled.
• Added
  • Documentation and example regarding dependency tree modelling were added in multiple places. (via #250)
• Build
  • No longer enable TypeScript config esModuleInterop & allowSyntheticDefaultImports. (via #243)
  • Use TypeScript v4.8.4 now, was v4.8.3. (via #246)

1.5.1 - 2022-09-17

• Deprecated
  • The normalizer methods normalizeRepository will be known as normalizeIterable. (via #230)

1.5.0 - 2022-09-17

• Deprecated
  • The class HashRepository will be known as HashDictionary. (via #229)

1.4.2 - 2022-09-10

Maintenance release.

• Build
  • Use TypeScript v4.8.3 now, was v4.8.2. (via #212)

1.4.1 - 2022-09-09

Maintenance release.

• Misc
  • Style: imports are sorted, now. (via #208)
• Dependencies
  • Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8 || ^1, was >=0.0.6 <0.0.8. (via #210)

1.4.0 - 2022-09-07

• Added
  • New class Factories.FromNodePackageJson.PackageUrlFactory that acts like Factories.PackageUrlFactory, but omits PackageUrl's npm-specific "default derived" qualifier values for download_url & vcs_url. (#204 via #207)
• Build
  • Use TypeScript v4.8.2 now, was v4.7.4. (via #190)

1.3.4 - 2022-08-16

• Fixed
  • Factories.PackageUrlFactory omits empty-string URLs for PackageUrl's qualifiers download_url & vcs_url. (via #180)

1.3.3 - 2022-08-16

• Fixed
  • Improved omission of invalid anyURI when it comes to XML-normalization. (#178 via #179)

1.3.2 - 2022-08-15

• Fixed
  • Serializers render bom-ref values of nested components as unique values, as expected. (#175 via #176)
• Misc
  • Style: improved readability of constructor parameter types. (via #166)

1.3.1 - 2022-08-04

• Fixed
  • JSON- and XML-Normalizer no longer render Models.Component.properties with CycloneDX Specification-1.2. (#152 via #153)
  • XML-Normalizer now has the correct order/position of rendered Models.Component.properties. (via #153)

1.3.0 - 2022-08-03

• Changed
  • Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation. (via #150)
  • Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #150)
• Added
  • Models for Property and PropertyRepository. (via #151)
  • JSON- and XML-Normalizer for Models.Property, Models.PropertyRepository. (via #151)
  • New property Models.Component.properties. (via #151)
• Build
  • Use Webpack v5.74.0. now, was 5.73.0. (via #141)

1.2.0 - 2022-08-01

• Added
  • New getters/properties that represent the corresponding parameters of class constructor. (via #145)
    • Builders.FromPackageJson.ComponentBuilder.extRefFactory,
      Builders.FromPackageJson.ComponentBuilder.licenseFactory
    • Builders.FromPackageJson.ToolBuilder.extRefFactory
    • Factories.PackageUrlFactory.type
    • Serialize.BomRefDiscriminator.prefix
    • Serialize.JsonSerializer.normalizerFactory
    • Serialize.XmlBaseSerializer.normalizerFactory,
      Serialize.XmlSerializer.normalizerFactory
  • Factory for PackageURL from Models.Component can handle additional data sources, now. (via #146)
    • Models.Component.hashes map -> PackageURL.qualifiers.checksum list
    • Models.Component.externalReferences[distribution].url -> PackageURL.qualifiers.download_url
    • Method Factories.PackageUrlFactory.makeFromComponent() got a new optional parameter sort, to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
      This feature switch is related to reproducible builds.
• Deprecated
  • The sub-namespace FromPackageJson will be known as FromNodePackageJson. (via #148)
    • Factories.FromPackageJson -> Factories.FromNodePackageJson
    • Builders.FromPackageJson -> Builders.FromNodePackageJson

1.1.0 - 2022-07-29

• Added
  • Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering. (#132 via #136)
  • CycloneDX Specification-1.4 made element Models.Component.version optional. Therefore, serialization/normalization with this specification version will no longer render this element if its value is empty. (via #137, #138)

1.0.3 - 2022-07-28

• Fixed
  • Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected. (via #134)

1.0.2 - 2022-07-26

Maintenance release.

• Dependencies
  • Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7. (#130 via #131)

1.0.1 - 2022-07-23

Maintenance release.

• Build
  • Use TypeScript v4.7.4 now, was v4.6.4. (via #55)
• Dependencies
  • Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6. (via #123)

1.0.0 - 2022-06-20

Initial release.

• Responsibilities
  • Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
  • Provide typing for said implementation, so developers and dev-tools can rely on it.
  • Provide data models to work with CycloneDX.
  • Provide a JSON- and an XML-normalizer, that...
    • supports all shipped data models.
    • respects any injected CycloneDX Specification and generates valid output according to it.
    • can be configured to generate reproducible/deterministic output.
    • can prepare data structures for JSON- and XML-serialization.
  • Serialization:
    • Provide a universal JSON-serializer for all target environments.
    • Provide an XML-serializer for all target environments.
    • Support the downstream implementation of custom XML-serializers tailored to specific environments
      by providing an abstract base class that takes care of normalization and BomRef-discrimination.
      This is done, because there is no universal XML support in JavaScript.
• Capabilities & Features
  • Enums for the following use cases:
    • AttachmentEncoding
    • ComponentScope
    • ComponentType
    • ExternalReferenceType
    • HashAlgorithm
  • Data models for the following use cases:
    • Attachment
    • Bom
    • BomRef, BomRefRepository
    • Component, ComponentRepository
    • ExternalReference, ExternalReferenceRepository
    • HashContent, Hash, HashRepository
    • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
    • Metadata
    • OrganizationalContact, OrganizationalContactRepository
    • OrganizationalEntity
    • SWID
    • Tool, ToolRepository
  • Factories for the following use cases:
    • Create data models from any license descriptor string
    • Specific to Node.js: create data models from PackageJson-like data structures
  • Builders for the following use cases:
    • Specific to Node.js: create deep data models from PackageJson-like data structures
  • Implementation of the CycloneDX Specification for the following versions:
    • 1.4
    • 1.3
    • 1.2
  • Normalizers that convert data models to JSON structures
  • Normalizers that convert data models to XML structures
  • Universal serializer that converts Bom data models to JSON string
  • Serializer that converts Bom data models to XML string:
    • Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
    • Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
      • xmlbuilder2