1.3.0

Changed

• Use version 9b04a94 of CycloneDX specification for XML and JSON schema validation. (via #150)
• Use SPDX license enumeration from version 9b04a94 of CycloneDX specification. (via #150)

Added

• Models for Property and PropertyRepository. (via #151)
• JSON- and XML-Normalizer for Models.Property, Models.PropertyRepository. (via #151)
• New property Models.Component.properties. (via #151)

Build

• Use Webpack v5.74.0. now, was 5.73.0. (via #141)

1.2.0

Added

• New getters/properties that represent the corresponding parameters of class constructor. (via #145)
  • Builders.FromPackageJson.ComponentBuilder.extRefFactory,
    Builders.FromPackageJson.ComponentBuilder.licenseFactory
  • Builders.FromPackageJson.ToolBuilder.extRefFactory
  • Factories.PackageUrlFactory.type
  • Serialize.BomRefDiscriminator.prefix
  • Serialize.JsonSerializer.normalizerFactory
  • Serialize.XmlBaseSerializer.normalizerFactory,
    Serialize.XmlSerializer.normalizerFactory
• Factory for PackageURL from Models.Component can handle additional data sources, now. (via #146)
  • Models.Component.hashes map -> PackageURL.qualifiers.checksum list
  • Models.Component.externalReferences[distribution].url -> PackageURL.qualifiers.download_url
  • Method Factories.PackageUrlFactory.makeFromComponent() got a new optional parameter sort,
    to indicate whether to go the extra mile and bring hashes and qualifiers in alphabetical order.
    This feature switch is related to reproducible builds.

Deprecated

• The sub-namespace FromPackageJson will be known as FromNodePackageJson. (via #148)
  • Factories.FromPackageJson -> Factories.FromNodePackageJson
  • Builders.FromPackageJson -> Builders.FromNodePackageJson

1.1.0

Added

• Support for nested/bundled (sub-)components via Models.Component.components was added, including serialization/normalization of models and impact on dependency graphs rendering. (#132 via #136)
• CycloneDX spec version 1.4 made element Models.Component.version optional.
  Therefore, serialization/normalization with this spec version will no longer render this element if its value is empty. (via #137, #138)

1.0.3

Fixed

• Types.isCPE() for CPE2.3 allows escaped(\) chars &"><, as expected. (via #134)

1.0.2

Maintenance release.

Dependencies

• Widened the range of requirement packageurl-js to >=0.0.6 <0.0.8, was ^0.0.7. (#130 via #131)

1.0.1

Maintenance release.

Misc

• Use TypeScript v4.7.4 now, was v4.6.4. (via #55)

Dependencies

• Raised the requirement of packageurl-js to ^0.0.7, was ^0.0.6. (via #123)

1.0.0

Initial release.

Responsibilities

• Provide a general purpose JavaScript-implementation of CycloneDX for Node.js and WebBrowsers.
• Provide typing for said implementation, so developers and dev-tools can rely on it.
• Provide data models to work with CycloneDX.
• Provide a JSON- and an XML-normalizer, that...
  • supports all shipped data models.
  • respects any injected CycloneDX Specification and generates valid output according to it.
  • can be configured to generate reproducible/deterministic output.
  • can prepare data structures for JSON- and XML-serialization.
• Serialization:
  • Provide a universal JSON-serializer for all target environments.
  • Provide an XML-serializer for all target environments.
  • Support the downstream implementation of custom XML-serializers tailored to specific environments
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.
    This is done, because there is no universal XML support in JavaScript.

Capabilities & Features

• Enums for the following use cases:
  • AttachmentEncoding
  • ComponentScope
  • ComponentType
  • ExternalReferenceType
  • HashAlgorithm
• Data models for the following use cases:
  • Attachment
  • Bom
  • BomRef, BomRefRepository
  • Component, ComponentRepository
  • ExternalReference, ExternalReferenceRepository
  • HashContent, Hash, HashRepository
  • LicenseExpression, NamedLicense, SpdxLicense, LicenseRepository
  • Metadata
  • OrganizationalContact, OrganizationalContactRepository
  • OrganizationalEntity
  • SWID
  • Tool, ToolRepository
• Factories for the following use cases:
  • Create data models from any license descriptor string
  • Specific to Node.js: create data models from PackageJson-like data structures
• Builders for the following use cases:
  • Specific to Node.js: create deep data models from PackageJson-like data structures
• Implementation of the CycloneDX Specification for the following versions:
  • 1.4
  • 1.3
  • 1.2
• Normalizers that convert data models to JSON structures
• Normalizers that convert data models to XML structures
• Universal serializer that converts Bom data models to JSON string
• Serializer that converts Bom data models to XML string:
  • Specific to WebBrowsers: implementation utilizes browser-specific document generators and printers.
  • Specific to Node.js: implementation plugs/requires/utilizes one of the following optional libraries
    • xmlbuilder2

1.0.0-beta.7

• fix: XML normalize scope correctly
• fix: Component.description get picked up from optional properties in constructor
• fix: `Component.supplier in constructor

1.0.0-beta.6

change

• allow dependency graphs without an entry

1.0.0-beta.5

changed

• Component builder no longer calculates the purl - use the new factory for that.

Added

• factory that makes a PackageUrl from a Component data model.