bom.vulnerabilities model

[thepwagner]

Add Vulnerabilties to the Bom model, including enums as needed.

The implementation is styled after the existing Component implementation and tests.

this is part of #164

[jkowalleck]

Thank you for this feature, @thepwagner

Review will take a while, did a part of it already.

Are you planning on implementing the JSON- and XML normalizer, too?

[jkowalleck]

partial review.

please find critical remarks with an ❌ .
other remarks are discussion items.

[jkowalleck]

rename to ImpactAnalysisResponsesType as the XML schema defines?

[thepwagner]

I switched to ImpactAnalysisResponse as this was the most consistent with the JSON schema, even if the JSON schema doesn't give this enum a standalone definition.

Please advise if you'd prefer a different name.

[thepwagner]

@jkowalleck thank you for the quick initial feedback!
I've addressed feedback and resolved the threads I think are resolved - please advise if you'd prefer to resolve after verifying the fixes.

• I made all suggested renames, biased towards the naming of the JSON schema.
• I've extended the compare() methods to consider all fields, including nested sets like Set<URL | string> or SortableSet<VulnerabilityReference>. This meant adding a generic SortableSet.compare()
• Using the JSON schema for functional tests is cool! I extended the name-mapping helper to support snake_case since there was no feedback on the naming of enum values in the first review.

I was not intending to implement the normalizers.

[jkowalleck]

please find critical chaneg requests marked with ❌ '
everything else is a discussion item.

everything is just my opinionated view, lets discuss :)

[jkowalleck]

re: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/163/files/542767bab211a12fa71d209e88978e2b4f49c3bf#r939618319

👍 lets keep it as enum AffectedStatus.

alternative enum ImpactAnalysisAffectedStatus might get in conflict with enum ImpactAnalysisState which already has a value NotAffected.

[jkowalleck]

❌ why sort upfront?
Could you add an in-code comment to explain?

[jkowalleck]

❌ better: for ( const i=0 ; i < thisSorted.length ; ++i ) {}

[jkowalleck]

👍

[jkowalleck]

i liked the old description better.
I understand the need for more description.

❌ better go with:

UpperCamelCase a string ("white space example", "snake_case_example" or "kebab-case-example" )

❌ when on it, lets replace not only _ but also -(kebab-case)

[jkowalleck]

❌ repositories must not be optiional, but they may be empty

[jkowalleck]

❌ repositories must not be optiional, but they may be empty

[jkowalleck]

this appears to be like an insufficient comparison.
if this is enough to properly compare, then please add a in-code comment that explains why.

[jkowalleck]

❌ unnecessary null-comparisson

[jkowalleck]

❌ use type refenrences ala VulnerabilitySource['url']

[thepwagner]

The changes remaining on this PR are far removed from my initial use case: as you can tell I'm not a strong TypeScript developer, and all I wanted was the Bom model object to have a []Vulnerability field that I could use.

I appreciate the value that your normalization brings, but the added complexity means contributing to this library is outside of my ability. If anyone else wants to pick this up for the basis of the implementation, please do!

@jkowalleck thank you for the reviews and sorry I couldn't see this through.

[jkowalleck]

thank you for all your work, @thepwagner

could you open a pull request with your latest things and have it target the "feature/vulnerabilities" branch ?
Plan is to merge your models in there, fine tune them a bit and merge them into master for an early release.
I would love to keep you involved, @thepwagner , so when a beta-release of the feature is published, you could check if it suites your needs.

Then, in a later feature, the normalizers and serializers can be developed and be released separately.

This way you (and others) will have the models for use soon,
and will not be blocked by normalization details.

[jkowalleck]

work continues in #419