feat: metadata.tools support compoennts and services

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

src/_helpers/iterable.ts

@@ -0,0 +1,26 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+export function * chainI<T = any> (...iterables: Array<Iterable<T>>): Generator<T> {
+  for (const iterable of iterables) {
+    for (const item of iterable) {
+      yield item
+    }
+  }
+}

src/models/metadata.ts

@@ -23,7 +23,7 @@ import { LifecycleRepository } from './lifecycle'
 import { OrganizationalContactRepository } from './organizationalContact'
 import type { OrganizationalEntity } from './organizationalEntity'
 import { PropertyRepository } from './property'
-import { ToolRepository } from './tool'
+import { Tools } from './tool'
 
 export interface OptionalMetadataProperties {
   timestamp?: Metadata['timestamp']
@@ -40,7 +40,7 @@ export interface OptionalMetadataProperties {
 export class Metadata {
   timestamp?: Date
   lifecycles: LifecycleRepository
-  tools: ToolRepository
+  tools: Tools
   authors: OrganizationalContactRepository
   component?: Component
   manufacture?: OrganizationalEntity
@@ -51,7 +51,7 @@ export class Metadata {
   constructor (op: OptionalMetadataProperties = {}) {
     this.timestamp = op.timestamp
     this.lifecycles = op.lifecycles ?? new LifecycleRepository()
-    this.tools = op.tools ?? new ToolRepository()
+    this.tools = op.tools ?? new Tools()
     this.authors = op.authors ?? new OrganizationalContactRepository()
     this.component = op.component
     this.manufacture = op.manufacture

src/models/tool.ts

@@ -21,6 +21,7 @@ import type { Comparable } from '../_helpers/sortable'
 import { SortableComparables } from '../_helpers/sortable'
 import { ExternalReferenceRepository } from './externalReference'
 import { HashDictionary } from './hash'
+import {type Component, ComponentRepository} from "./component";
 
 export interface OptionalToolProperties {
   vendor?: Tool['vendor']
@@ -53,7 +54,41 @@ export class Tool implements Comparable<Tool> {
       (this.version ?? '').localeCompare(other.version ?? '')
     /* eslint-enable @typescript-eslint/strict-boolean-expressions */
   }
+
+  static fromComponent(component: Component): Tool {
+    return new Tool({
+      vendor: component.group,
+      name: component.name,
+      version: component.version,
+      hashes: component.hashes,
+      externalReferences: component.externalReferences
+    })
+  }
 }
 
 export class ToolRepository extends SortableComparables<Tool> {
 }
+
+
+export interface OptionalToolsProperties {
+  components?: ComponentRepository
+  tools?: ToolRepository
+}
+
+export class Tools {
+  components: ComponentRepository
+  // TODO: services
+  tools: ToolRepository
+
+  constructor(op: OptionalToolsProperties = {}) {
+    this.components = op.components ?? new ComponentRepository()
+    // TODO: this.services
+    this.tools = op.tools ?? new ToolRepository()
+  }
+
+  get size(): number {
+    return this.components.size
+      // TODO: this.services
+      + this.tools.size
+  }
+}

src/models/vulnerability/vulnerability.ts

@@ -22,7 +22,7 @@ import { SortableComparables } from '../../_helpers/sortable'
 import { CweRepository } from '../../types/cwe'
 import { BomRef } from '../bomRef'
 import { PropertyRepository } from '../property'
-import { ToolRepository } from '../tool'
+import { Tools } from '../tool'
 import { AdvisoryRepository } from './advisory'
 import { AffectRepository } from './affect'
 import type { Analysis } from './analysis'
@@ -68,7 +68,7 @@ export class Vulnerability implements Comparable<Vulnerability> {
   published?: Date
   updated?: Date
   credits?: Credits
-  tools: ToolRepository
+  tools: Tools
   analysis?: Analysis
   affects: AffectRepository
   properties: PropertyRepository
@@ -88,7 +88,7 @@ export class Vulnerability implements Comparable<Vulnerability> {
     this.published = op.published
     this.updated = op.updated
     this.credits = op.credits
-    this.tools = op.tools ?? new ToolRepository()
+    this.tools = op.tools ?? new Tools()
     this.analysis = op.analysis
     this.affects = op.affects ?? new AffectRepository()
     this.properties = op.properties ?? new PropertyRepository()

src/serialize/json/normalize.ts

@@ -23,6 +23,7 @@ import type { Stringable } from '../../_helpers/stringable'
 import { treeIteratorSymbol } from '../../_helpers/tree'
 import { escapeUri } from '../../_helpers/uri'
 import type * as Models from '../../models'
+import { ToolRepository } from '../../models/tool'
 import { LicenseExpression, NamedLicense, SpdxLicense } from '../../models/license'
 import { NamedLifecycle } from '../../models/lifecycle'
 import { AffectedSingleVersion, AffectedVersionRange } from '../../models/vulnerability/affect'
@@ -32,6 +33,8 @@ import { Version as SpecVersion } from '../../spec/enums'
 import type { NormalizerOptions } from '../types'
 import type { Normalized } from './types'
 import { JsonSchema } from './types'
+import { chainI} from "../../_helpers/iterable";
+import {Tool} from "../../models";
 
 export class Factory {
   readonly #spec: Spec
@@ -68,6 +71,10 @@ export class Factory {
     return new ToolNormalizer(this)
   }
 
+  makeForTools (): ToolsNormalizer {
+    return new ToolsNormalizer(this)
+  }
+
   makeForOrganizationalContact (): OrganizationalContactNormalizer {
     return new OrganizationalContactNormalizer(this)
   }
@@ -214,7 +221,7 @@ export class MetadataNormalizer extends BaseJsonNormalizer<Models.Metadata> {
         ? this._factory.makeForLifecycle().normalizeIterable(data.lifecycles, options)
         : undefined,
       tools: data.tools.size > 0
-        ? this._factory.makeForTool().normalizeIterable(data.tools, options)
+        ? this._factory.makeForTools().normalize(data.tools, options)
         : undefined,
       authors: data.authors.size > 0
         ? this._factory.makeForOrganizationalContact().normalizeIterable(data.authors, options)
@@ -278,6 +285,23 @@ export class ToolNormalizer extends BaseJsonNormalizer<Models.Tool> {
   }
 }
 
+export class ToolsNormalizer extends BaseJsonNormalizer<Models.Tools> {
+  normalize(data: Models.Tools, options: NormalizerOptions): Normalized.ToolsType {
+    if (data.tools.size > 0) {
+      return this._factory.makeForTool().normalizeIterable(
+        new ToolRepository(chainI<Models.Tool>(
+          Array.from(data.components, Tool.fromComponent),
+          // TODO services
+          data.tools,
+        )), options)
+    }
+    return {
+      components: this._factory.makeForComponent().normalizeIterable(data.components, options)
+      // TODO services
+    }
+  }
+}
+
 export class HashNormalizer extends BaseJsonNormalizer<Models.Hash> {
   normalize ([algorithm, content]: Models.Hash, options: NormalizerOptions): Normalized.Hash | undefined {
     const spec = this._factory.spec
@@ -675,7 +699,7 @@ export class VulnerabilityNormalizer extends BaseJsonNormalizer<Models.Vulnerabi
         ? undefined
         : this._factory.makeForVulnerabilityCredits().normalize(data.credits, options),
       tools: data.tools.size > 0
-        ? this._factory.makeForTool().normalizeIterable(data.tools, options)
+        ? this._factory.makeForTools().normalize(data.tools, options)
         : undefined,
       analysis: data.analysis === undefined
         ? undefined

src/serialize/json/types.ts

@@ -88,7 +88,7 @@ export namespace Normalized {
   export interface Metadata {
     timestamp?: JsonSchema.DateTime
     lifecycles?: Lifecycle[]
-    tools?: Tool[]
+    tools?: ToolsType
     authors?: OrganizationalContact[]
     component?: Component
     manufacture?: OrganizationalEntity
@@ -116,6 +116,14 @@ export namespace Normalized {
     externalReferences?: ExternalReference[]
   }
 
+  /** since CDX 1.5 */
+  export interface Tools {
+    components: Component[]
+    // TODO: services
+  }
+
+  export type ToolsType = Tools | Tool[]
+
   export interface OrganizationalContact {
     name?: string
     email?: JsonSchema.IdnEmail
@@ -241,7 +249,7 @@ export namespace Normalized {
     published?: JsonSchema.DateTime
     updated?: JsonSchema.DateTime
     credits?: Vulnerability.Credits
-    tools?: Tool[]
+    tools?: ToolsType
     analysis?: Vulnerability.Analysis
     affects?: Vulnerability.Affect[]
     properties?: Property[]

src/serialize/xml/normalize.ts

@@ -33,6 +33,8 @@ import type { NormalizerOptions } from '../types'
 import { normalizedString, token} from './_xsd'
 import type { SimpleXml } from './types'
 import { XmlSchema } from './types'
+import {Tool, ToolRepository} from "../../models";
+import {chainI} from "../../_helpers/iterable";
 
 export class Factory {
   readonly #spec: Spec
@@ -69,6 +71,10 @@ export class Factory {
     return new ToolNormalizer(this)
   }
 
+  makeForTools (): ToolsNormalizer {
+    return new ToolsNormalizer(this)
+  }
+
   makeForOrganizationalContact (): OrganizationalContactNormalizer {
     return new OrganizationalContactNormalizer(this)
   }
@@ -238,11 +244,7 @@ export class MetadataNormalizer extends BaseXmlNormalizer<Models.Metadata> {
         }
       : undefined
     const tools: SimpleXml.Element | undefined = data.tools.size > 0
-      ? {
-          type: 'element',
-          name: 'tools',
-          children: this._factory.makeForTool().normalizeIterable(data.tools, options, 'tool')
-        }
+      ? this._factory.makeForTools().normalize(data.tools, options)
       : undefined
     const authors: SimpleXml.Element | undefined = data.authors.size > 0
       ? {
@@ -357,6 +359,35 @@ export class ToolNormalizer extends BaseXmlNormalizer<Models.Tool> {
   }
 }
 
+export class ToolsNormalizer extends BaseXmlNormalizer<Models.Tools> {
+  normalize (data: Models.Tools, options: NormalizerOptions, elementName: string): SimpleXml.Element {
+    let children: SimpleXml.Element[]
+    if (data.tools.size > 0) {
+      children = this._factory.makeForTool().normalizeIterable(
+        new ToolRepository(chainI<Models.Tool>(
+          Array.from(data.components, Tool.fromComponent),
+          // TODO services
+          data.tools,
+        )), options, 'tool')
+    } else {
+      children = []
+      if (data.components.size > 0) {
+        children.push({
+          type: 'element',
+          name: 'components',
+          children: this._factory.makeForComponent().normalizeIterable(data.components, options, 'component')
+        })
+      }
+      // TODO data.services
+    }
+    return {
+      type: 'element',
+      name: elementName,
+      children
+    }
+  }
+}
+
 export class HashNormalizer extends BaseXmlNormalizer<Models.Hash> {
   normalize ([algorithm, content]: Models.Hash, options: NormalizerOptions, elementName: string): SimpleXml.Element | undefined {
     const spec = this._factory.spec
@@ -857,7 +888,7 @@ export class VulnerabilityNormalizer extends BaseXmlNormalizer<Models.Vulnerabil
       ? {
           type: 'element',
           name: 'tools',
-          children: this._factory.makeForTool().normalizeIterable(data.tools, options, 'tool')
+          children: this._factory.makeForTools().normalize(data.tools, options)
         }
       : undefined
     const affects: SimpleXml.Element | undefined = data.affects.size > 0