bom.vulnerabilities model

src/enums/index.ts

@@ -22,3 +22,9 @@ export * from './componentScope'
 export * from './componentType'
 export * from './externalReferenceType'
 export * from './hashAlogorithm'
+export * from './vulnerabilityAffectsVersionStatus'
+export * from './vulnerabilityAnalysisJustification'
+export * from './vulnerabilityAnalysisResponse'
+export * from './vulnerabilityAnalysisState'
+export * from './vulnerabilityRatingMethod'
+export * from './vulnerabilityRatingSeverity'

src/enums/vulnerabilityAffectsVersionStatus.ts

@@ -0,0 +1,24 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabilityAffectsVersionStatus {
+  Affected = 'affected',
+  Unaffected = 'unaffected',
+  Unknown = 'unknown',
+}

src/enums/vulnerabilityAnalysisJustification.ts

@@ -0,0 +1,30 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabilityAnalysisJustification {
+  CodeNotPresent = 'code_not_present',
+  CodeNotReachable = 'code_not_reachable',
+  RequiresConfiguration = 'requires_configuration',
+  RequiresDependency = 'requires_dependency',
+  RequiresEnvironment = 'requires_environment',
+  ProtectedByCompiler = 'protected_by_compiler',
+  ProtectedAtRuntime = 'protected_at_runtime',
+  ProtectedAtPerimeter = 'protected_at_perimeter',
+  ProtectedByMitigatingControl = 'protected_by_mitigating_control',
+}

src/enums/vulnerabilityAnalysisResponse.ts

@@ -0,0 +1,26 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabilityAnalysisResponse {
+  CanNotFix = 'can_not_fix',
+  WillNotFix = 'will_not_fix',
+  Update = 'update',
+  Rollback = 'rollback',
+  WorkaroundAvailable = 'workaround_available',
+}

src/enums/vulnerabilityAnalysisState.ts

@@ -0,0 +1,27 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabilityAnalysisState {
+  Resolved = 'resolved',
+  ResolvedWithPedigree = 'resolved_with_pedigree',
+  Exploitable = 'exploitable',
+  InTriage = 'in_triage',
+  FalsePositive = 'false_positive',
+  NotAffacted = 'not_affected',
+}

src/enums/vulnerabilityRatingMethod.ts

@@ -0,0 +1,26 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabilityRatingMethod {
+  CVSSv2 = 'CVSSv2',
+  CVSSv3 = 'CVSSv3',
+  CVSSv31 = 'CVSSv31',
+  OWASP = 'OWASP',
+  Other = 'other',
+}

src/enums/vulnerabilityRatingSeverity.ts

@@ -0,0 +1,28 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export enum VulnerabiltyRatingSeverity {
+  Critical = 'critical',
+  High = 'high',
+  Medium = 'medium',
+  Low = 'low',
+  Info = 'info',
+  None = 'none',
+  Unknown = 'unknown',
+}

src/models/bom.ts

@@ -20,17 +20,20 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 import { isPositiveInteger, isUrnUuid, PositiveInteger, UrnUuid } from '../types'
 import { Metadata } from './metadata'
 import { ComponentRepository } from './component'
+import { VulnerabilityRepository } from './vulnerability'
 
 interface OptionalProperties {
   metadata?: Bom['metadata']
   components?: Bom['components']
+  vulnerabilities?: Bom['vulnerabilities']
   version?: Bom['version']
   serialNumber?: Bom['serialNumber']
 }
 
 export class Bom {
   metadata: Metadata
   components: ComponentRepository
+  vulnerabilities: VulnerabilityRepository
 
   /** @see version */
   #version: PositiveInteger = 1
@@ -51,6 +54,7 @@ export class Bom {
   constructor (op: OptionalProperties = {}) {
     this.metadata = op.metadata ?? new Metadata()
     this.components = op.components ?? new ComponentRepository()
+    this.vulnerabilities = op.vulnerabilities ?? new VulnerabilityRepository()
     this.version = op.version ?? this.version
     this.serialNumber = op.serialNumber
   }

src/models/index.ts

@@ -28,5 +28,13 @@ export * from './metadata'
 export * from './organizationalContact'
 export * from './organizationalEntity'
 export * from './property'
+export * from './source'
 export * from './swid'
 export * from './tool'
+export * from './vulnerability'
+export * from './vulnerabilityAdvisory'
+export * from './vulnerabilityAffects'
+export * from './vulnerabilityAnalysis'
+export * from './vulnerabilityCredits'
+export * from './vulnerabilityRating'
+export * from './vulnerabilityReference'

src/models/organizationalEntity.ts

@@ -17,6 +17,7 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
+import { Comparable, SortableSet } from '../helpers/sortableSet'
 import { OrganizationalContactRepository } from './organizationalContact'
 
 interface OptionalProperties {
@@ -25,7 +26,7 @@ interface OptionalProperties {
   contact?: OrganizationalEntity['contact']
 }
 
-export class OrganizationalEntity {
+export class OrganizationalEntity implements Comparable {
   name?: string
   url: Set<URL | string>
   contact: OrganizationalContactRepository
@@ -35,4 +36,11 @@ export class OrganizationalEntity {
     this.url = op.url ?? new Set()
     this.contact = op.contact ?? new OrganizationalContactRepository()
   }
+
+  compare (other: OrganizationalEntity): number {
+    return (this.name ?? '').localeCompare(other.name ?? '')
+  }
+}
+
+export class OrganizationalEntityRepository extends SortableSet<OrganizationalEntity> {
 }

src/models/source.ts

@@ -0,0 +1,42 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import { Comparable, SortableSet } from '../helpers/sortableSet'
+
+interface OptionalProperties {
+  url?: URL | string
+  name?: string
+}
+
+export class Source implements Comparable {
+  url?: URL | string
+  name?: string
+
+  constructor (op: OptionalProperties = {}) {
+    this.url = op.url
+    this.name = op.name
+  }
+
+  compare (other: Source): number {
+    return (this.name ?? '').localeCompare(other.name ?? '')
+  }
+}
+
+export class SourceRepository extends SortableSet<Source> {
+}