diff --git a/.eslintrc b/.eslintrc new file mode 100644 index 00000000..7d03cee4 --- /dev/null +++ b/.eslintrc @@ -0,0 +1,3 @@ +{ + "extends": "standard" +} \ No newline at end of file diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index 1d48350f..f864b768 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -54,7 +54,7 @@ jobs: run: npm run setup-tests - name: run tests run: > - npm run test:unit -- + npm run test:jest -- --ci --no-cache --all diff --git a/HISTORY.md b/HISTORY.md index 03855ca1..6e162d34 100644 --- a/HISTORY.md +++ b/HISTORY.md @@ -4,6 +4,23 @@ All notable changes to this project will be documented in this file. ## unreleased +* Added + * Environment variable `BOM_REPRODUCIBLE` cause resulting files to be more reproducible + by omitting time/rand-based values, and sorting lists. (via [#288]) + * Method `Component.compare()` compares self by `purl` or `group`/`name`/`version`. (via [#288]) + * Method `ExternalReference.compare()` compares self by `type`/`url`. (via [#288]) + * Method `Hash.compare()` compares self by `algorithm`/`value`. (via [#288]) + * JSDoc for `ExternalReference`, `ExternalReferenceList`, `Hash`, `HashList`. (via [#288]) +* Fixed + * `ExternalReference.url` is now correctly treated as mandatory. (via [#288]) + * `Hash.value` is now correctly treated as mandatory. (via [#288]) + * `ExternalReferenceList.isEligibleHomepage` now returns the correct result, was inverted. (via [#288]) +* Changed + * Private properties of `ExternalReference`, `ExternalReferenceList`, `Hash`, `HashList` + became inaccessible. ([#233] via [#288]) + +[#288]: https://github.com/CycloneDX/cyclonedx-node-module/pull/288 + ## 3.7.0 - 2022-04-13 * Added diff --git a/README.md b/README.md index 86c3ee9a..afe575b0 100644 --- a/README.md +++ b/README.md 
@@ -44,6 +44,9 @@ Options: -t, --type Project type (default: "library") -ns, --no-serial-number Do not include BOM serial number -h, --help display help for command + +Environment variable BOM_REPRODUCIBLE causes bom result to be more consistent +over multiple runs by omitting time/rand-based values, and sorting lists. ``` ### Example (default: XML) diff --git a/bin/make-bom.js b/bin/make-bom.js index 5dd219a9..13e65f89 100755 --- a/bin/make-bom.js +++ b/bin/make-bom.js @@ -43,6 +43,9 @@ let filePath = '.' cdx .description(program.description) + .addHelpText('afterAll', '\n\n' + + 'Environment variable BOM_REPRODUCIBLE causes bom result to be more consistent\n' + + 'over multiple runs by omitting time/rand-based values, and sorting lists.\n') .version(program.version, '-v, --version') .argument('[path]', 'Path to analyze') .option('-d, --include-dev', 'Include devDependencies', false) diff --git a/bom.xml b/bom.xml new file mode 100644 index 00000000..05a31c07 --- /dev/null +++ b/bom.xml 
@@ -0,0 +1,2127 @@ + + + + 2022-04-24T13:24:50.635Z + + + CycloneDX + Node.js module + 3.7.0 + + + + Erlend Oftedal + @cyclonedx + bom + 3.7.0 + + + + + + Apache-2.0 + + + pkg:npm/%40cyclonedx/bom@3.7.0 + + + http://github.com/CycloneDX/cyclonedx-node-module + + + https://github.com/CycloneDX/cyclonedx-node-module/issues + + + git+https://github.com/CycloneDX/cyclonedx-node-module.git + + + + + + + @xmldom + xmldom + 0.8.2 + + + + + f91d23b92b1e111ca83ef9c143f7198a1e9ba45ec8a425e559b1d1a02473633aa9cfa8161ce81ff28e0c3847fa28156e3b2a94fa008d2e4096548240ae8f17c9 + + + + MIT + + + pkg:npm/%40xmldom/xmldom@0.8.2 + + + https://github.com/xmldom/xmldom + + + https://github.com/xmldom/xmldom/issues + + + git://github.com/xmldom/xmldom.git + + + + + TJ Holowaychuk + commander + 8.3.0 + + + + + 3a44cbf6e99ff877b60d9914abc7fc27da1fef22fa449288db875521306635f6419ab8bdcd8650aca92e5e22a1c9f3d2bbcb5486754107588a5debef9e54785b + + + + MIT + + + pkg:npm/commander@8.3.0 + + + https://github.com/tj/commander.js#readme + + + https://github.com/tj/commander.js/issues + + + git+https://github.com/tj/commander.js.git + + + + + the purl authors + packageurl-js + 0.0.6 + + + + + 5edc046cb37d1579288cfca667a555856ec7ac1ad466635ec401b8dcfe4717b96a6c554e4e0679390ece4da205e2e67a678be458fd4de337b45f75cb5ffa6abc + + + + MIT + + + pkg:npm/packageurl-js@0.0.6 + + + https://github.com/package-url/packageurl-js#readme + + + https://github.com/package-url/packageurl-js/issues + + + git+https://github.com/package-url/packageurl-js.git + + + + + Keith Cirkel + parse-packagejson-name + 1.0.1 + + + + + ab5b322cd38c87b4a01620683cca56ad74c006a0 + + + + MIT + + + pkg:npm/parse-packagejson-name@1.0.1 + + + https://github.com/keithamus/sort-object-keys#readme + + + https://github.com/keithamus/sort-object-keys/issues + + + git+ssh://git@github.com/keithamus/parse-packagejson-name.git + + + + + Jonathan Werner + prettify-xml + 1.2.0 + + + + + 46dcf1ee8a8d8b73db30b7e06ef26dc9cf3f6f18 + + + + MIT + + + 
pkg:npm/prettify-xml@1.2.0 + + + https://github.com/jonathanewerner/prettify-xml#readme + + + https://github.com/jonathanewerner/prettify-xml/issues + + + git+https://github.com/jonathanewerner/prettify-xml.git + + + + + Isaac Z. Schlueter + read-installed + 4.0.3 + + + + + ff9b8b67f187d1e4c29b9feb31f6b223acd19067 + + + + ISC + + + pkg:npm/read-installed@4.0.3 + + + https://github.com/isaacs/read-installed#readme + + + https://github.com/isaacs/read-installed/issues + + + git://github.com/isaacs/read-installed.git + + + + + Sam Roberts + debuglog + 1.0.1 + + + + + aa24ffb9ac3df9a2351837cfb2d279360cd78492 + + + + MIT + + + pkg:npm/debuglog@1.0.1 + + + https://github.com/sam-github/node-debuglog#readme + + + https://github.com/sam-github/node-debuglog/issues + + + git+https://github.com/sam-github/node-debuglog.git + + + + + Isaac Z. Schlueter + read-package-json + 2.1.2 + + + + + 0f52a6b8b42be994894b4b56f217f7586a51970b3324e5d9dc4f1877f0cd45a33977ed7055165d1e5a4604b02ea2f8ebdbc2db5af8e95a4047331a511868f334 + + + + ISC + + + pkg:npm/read-package-json@2.1.2 + + + https://github.com/npm/read-package-json#readme + + + https://github.com/npm/read-package-json/issues + + + git+https://github.com/npm/read-package-json.git + + + + + Isaac Z. Schlueter + glob + 7.2.0 + + + + + 9662dfea0b72acfabcb538d29ab3bde3005e41b151dc76cb1dbbb20faf70bb2424226a76856a8c181e3b397eb914190f7df3bae3520ff6359ad73e22bea1b6e9 + + + + ISC + + + pkg:npm/glob@7.2.0 + + + https://github.com/isaacs/node-glob#readme + + + https://github.com/isaacs/node-glob/issues + + + git://github.com/isaacs/node-glob.git + + + + + Isaac Z. Schlueter + fs.realpath + 1.0.0 + + + + + 1504ad2523158caa40db4a2787cb01411994ea4f + + + + ISC + + + pkg:npm/fs.realpath@1.0.0 + + + https://github.com/isaacs/fs.realpath#readme + + + https://github.com/isaacs/fs.realpath/issues + + + git+https://github.com/isaacs/fs.realpath.git + + + + + Isaac Z. 
Schlueter + inflight + 1.0.6 + + + + + 49bd6331d7d02d0c09bc910a1075ba8165b56df9 + + + + ISC + + + pkg:npm/inflight@1.0.6 + + + https://github.com/isaacs/inflight + + + https://github.com/isaacs/inflight/issues + + + git+https://github.com/npm/inflight.git + + + + + Isaac Z. Schlueter + once + 1.4.0 + + + + + 583b1aa775961d4b113ac17d9c50baef9dd76bd1 + + + + ISC + + + pkg:npm/once@1.4.0 + + + https://github.com/isaacs/once#readme + + + https://github.com/isaacs/once/issues + + + git://github.com/isaacs/once.git + + + + + Isaac Z. Schlueter + wrappy + 1.0.2 + + + + + b5243d8f3ec1aa35f1364605bc0d1036e30ab69f + + + + ISC + + + pkg:npm/wrappy@1.0.2 + + + https://github.com/npm/wrappy + + + https://github.com/npm/wrappy/issues + + + git+https://github.com/npm/wrappy.git + + + + + inherits + 2.0.4 + + + + + 93fbc6697e3f6256b75b3c8c0af4d039761e207bea38ab67a8176ecd31e9ce9419cc0b2428c859d8af849c189233dcc64a820578ca572b16b8758799210a9ec1 + + + + ISC + + + pkg:npm/inherits@2.0.4 + + + https://github.com/isaacs/inherits#readme + + + https://github.com/isaacs/inherits/issues + + + git://github.com/isaacs/inherits.git + + + + + Isaac Z. 
Schlueter + minimatch + 3.0.4 + + + + + c891d5404872a8f2d44e0b7d07cdcf5eee96debc7832fbc7bd252f4e8a20a70a060ce510fb20eb4741d1a2dfb23827423bbbb8857de959fb7a91604172a87450 + + + + ISC + + + pkg:npm/minimatch@3.0.4 + + + https://github.com/isaacs/minimatch#readme + + + https://github.com/isaacs/minimatch/issues + + + git://github.com/isaacs/minimatch.git + + + + + Julian Gruber + brace-expansion + 1.1.11 + + + + + 882b8f1c3160ac75fb1f6bc423fe71a73d3bcd21c1d344e9ba0aa1998b5598c3bae75f260ae44ca0e60595d101974835f3bb9fa3375a1e058a71815beb5a8688 + + + + MIT + + + pkg:npm/brace-expansion@1.1.11 + + + https://github.com/juliangruber/brace-expansion + + + https://github.com/juliangruber/brace-expansion/issues + + + git://github.com/juliangruber/brace-expansion.git + + + + + Julian Gruber + balanced-match + 1.0.2 + + + + + de849e50ed13315ebb84dd4099b5ec2b8c9aa94eed8e21e56f144364ea47d0a5bdf82797e1b440697d009f1b74b71d8cae94695b041a3f02252121098585393f + + + + MIT + + + pkg:npm/balanced-match@1.0.2 + + + https://github.com/juliangruber/balanced-match + + + https://github.com/juliangruber/balanced-match/issues + + + git://github.com/juliangruber/balanced-match.git + + + + + James Halliday + concat-map + 0.0.1 + + + + + d8a96bd77fd68df7793a73036a3ba0d5405d477b + + + + MIT + + + pkg:npm/concat-map@0.0.1 + + + https://github.com/substack/node-concat-map#readme + + + https://github.com/substack/node-concat-map/issues + + + git://github.com/substack/node-concat-map.git + + + + + Sindre Sorhus + path-is-absolute + 1.0.1 + + + + + 174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f + + + + MIT + + + pkg:npm/path-is-absolute@1.0.1 + + + https://github.com/sindresorhus/path-is-absolute#readme + + + https://github.com/sindresorhus/path-is-absolute/issues + + + git+https://github.com/sindresorhus/path-is-absolute.git + + + + + Meryn Stol + normalize-package-data + 2.5.0 + + + + + 
ff908c3774f44785d38f80dc19a7b1a3eae8652752156ff400e39344eae3c73086d70ad65c4b066d129ebe39482fe643138b19949af9103e185b4caa9a42be78 + + + + BSD-2-Clause + + + pkg:npm/normalize-package-data@2.5.0 + + + https://github.com/npm/normalize-package-data#readme + + + https://github.com/npm/normalize-package-data/issues + + + git://github.com/npm/normalize-package-data.git + + + + + Rebecca Turner + hosted-git-info + 2.8.9 + + + + + 9b120301bf4bb26e83a0e27bc47fb9f97e32d4b53fe078b9d0bf42e6c22cc0adc9cd42d2e1bc24d45be374182f611e1bcd3e2db944220b5e451367f91db2ef63 + + + + ISC + + + pkg:npm/hosted-git-info@2.8.9 + + + https://github.com/npm/hosted-git-info + + + https://github.com/npm/hosted-git-info/issues + + + git+https://github.com/npm/hosted-git-info.git + + + + + James Halliday + resolve + 1.22.0 + + + + + 1e1b6bc349cb792ac543ba613e9e0e39c5632cf21e327465af999c9d5b8c7bb33fede067f7c0378661512e8168dc32d9922bd26308515094f23f2580939e962f + + + + MIT + + + pkg:npm/resolve@1.22.0 + + + https://github.com/browserify/resolve#readme + + + https://github.com/browserify/resolve/issues + + + git://github.com/browserify/resolve.git + + + + + Jordan Harband + is-core-module + 2.8.1 + + + + + 49d34252cdbce21af8d2115314fea5d087d9fd14ab317177aa0a111dddffefdba7513beb14efc9a17c241a6fb927f39edc4fdbe46b271b7df4b94360469bb53c + + + + MIT + + + pkg:npm/is-core-module@2.8.1 + + + https://github.com/inspect-js/is-core-module + + + https://github.com/inspect-js/is-core-module/issues + + + git+https://github.com/inspect-js/is-core-module.git + + + + + Thiago de Arruda + has + 1.0.3 + + + + + 7f676f3b4554e8e7a3ed1916246ade8636f33008c5a79fd528fa79b53a56215e091c764ad7f0716c546d7ffb220364964ded3d71a0e656d618cd61086c14b8cf + + + + MIT + + + pkg:npm/has@1.0.3 + + + https://github.com/tarruda/has + + + https://github.com/tarruda/has/issues + + + git://github.com/tarruda/has.git + + + + + Raynos + function-bind + 1.1.1 + + + + + 
c88a2f033317e3db05f18979f1f482589e6cbd22ee6a26cfc5740914b98139b4ee0abd0c7f52a23e8a4633d3621638980426df69ad8587a6eb790e803554c8d0 + + + + MIT + + + pkg:npm/function-bind@1.1.1 + + + https://github.com/Raynos/function-bind + + + https://github.com/Raynos/function-bind/issues + + + git://github.com/Raynos/function-bind.git + + + + + Javier Blanco + path-parse + 1.0.7 + + + + + 2c32733d510410f47ecb8f33f7703411dd325dbf29001c865a8fe4e5861d620a58dbfd84b0eb24b09aeaee5387c6bcab54e9f57a31baa00a7c6a1bce2100fcb3 + + + + MIT + + + pkg:npm/path-parse@1.0.7 + + + https://github.com/jbgutierrez/path-parse#readme + + + https://github.com/jbgutierrez/path-parse/issues + + + git+https://github.com/jbgutierrez/path-parse.git + + + + + Jordan Harband + supports-preserve-symlinks-flag + 1.0.0 + + + + + a2dd169d74bd7e076480871e3dee911cd935580f3e9ae3dae9c4a3791dd5f0adbbabd041d6b4c4dd1d69ec7bf4cf567201cf2ce95beff0323259febcd4c02dd3 + + + + MIT + + + pkg:npm/supports-preserve-symlinks-flag@1.0.0 + + + https://github.com/inspect-js/node-supports-preserve-symlinks-flag#readme + + + https://github.com/inspect-js/node-supports-preserve-symlinks-flag/issues + + + git+https://github.com/inspect-js/node-supports-preserve-symlinks-flag.git + + + + + semver + 5.7.1 + + + + + 6f7f5305a4d27d5eb206b6a953cf69e5f29e904da6fcdc270e870e56bb90152d7fbde320773b8f72738cdf833a0b0c56f231ff97111ae6b0680de530bb91c74f + + + + ISC + + + pkg:npm/semver@5.7.1 + + + https://github.com/npm/node-semver#readme + + + https://github.com/npm/node-semver/issues + + + git+https://github.com/npm/node-semver.git + + + + + Kyle E. 
Mitchell + validate-npm-package-license + 3.0.4 + + + + + 0e92a6d948bfc4deff1d0282b69671a11581859f59d24aadca01bc5c280d43c6650e7c6e4265a18f9eba8fc7cde02bb7fc999b86c0e8edf70026ae2cf61dbb13 + + + + Apache-2.0 + + + pkg:npm/validate-npm-package-license@3.0.4 + + + https://github.com/kemitchell/validate-npm-package-license.js#readme + + + https://github.com/kemitchell/validate-npm-package-license.js/issues + + + git+https://github.com/kemitchell/validate-npm-package-license.js.git + + + + + Kyle E. Mitchell + spdx-correct + 3.1.1 + + + + + 70e61c516c210ae1c25e2e3d4611510b22442b788f8f5662cfd0e9562577b5b64ec170f8f50cc837732938b24dc61daac2ada524965a28c570f6a362e234c2d3 + + + + Apache-2.0 + + + pkg:npm/spdx-correct@3.1.1 + + + https://github.com/jslicense/spdx-correct.js#readme + + + https://github.com/jslicense/spdx-correct.js/issues + + + git+https://github.com/jslicense/spdx-correct.js.git + + + + + Kyle E. Mitchell + spdx-expression-parse + 3.0.1 + + + + + 71ba87ba7b105a724d13a2a155232c31e1f91ff2fd129ca66f3a93437b8bc0d08b675438f35a166a87ea1fb9cee95d3bc655f063a3e141d43621e756c7f64ae1 + + + + MIT + + + pkg:npm/spdx-expression-parse@3.0.1 + + + https://github.com/jslicense/spdx-expression-parse.js#readme + + + https://github.com/jslicense/spdx-expression-parse.js/issues + + + git+https://github.com/jslicense/spdx-expression-parse.js.git + + + + + The Linux Foundation + spdx-exceptions + 2.3.0 + + + + + fed4eb60e0bb3cf2359d4020c77e21529a97bb2246f834c72539c850b1b8ac3ca08b8c6efed7e09aad5ed5c211c11cf0660a3834bc928beae270b919930e22e4 + + + + CC-BY-3.0 + + + pkg:npm/spdx-exceptions@2.3.0 + + + https://github.com/kemitchell/spdx-exceptions.json#readme + + + https://github.com/kemitchell/spdx-exceptions.json/issues + + + git+https://github.com/kemitchell/spdx-exceptions.json.git + + + + + Shinnosuke Watanabe + spdx-license-ids + 3.0.11 + + + + + 0ad97606b1623345f7300358823dc29328318519abf668bac617a36dd3bdeb49c5e840c90294d8a67d014270ca96734150b2a208dd67df0f440641caf195a0fa + + + + 
CC0-1.0 + + + pkg:npm/spdx-license-ids@3.0.11 + + + https://github.com/jslicense/spdx-license-ids#readme + + + https://github.com/jslicense/spdx-license-ids/issues + + + git+https://github.com/jslicense/spdx-license-ids.git + + + + + Isaac Z. Schlueter + npm-normalize-package-bin + 1.0.1 + + + + + 10f7da7e5e892f9feb53ea2de8fde04520a93c35b95662335fde7d39bd7ec92154bae6075877a45e9c1d51970a3f90be0d2e0612d74996ec018e7b0d0e5f9f48 + + + + ISC + + + pkg:npm/npm-normalize-package-bin@1.0.1 + + + https://github.com/npm/npm-normalize-package-bin#readme + + + https://github.com/npm/npm-normalize-package-bin/issues + + + git+https://github.com/npm/npm-normalize-package-bin.git + + + + + Kat Marchán + json-parse-even-better-errors + 2.3.1 + + + + + c72170ca1ae8fc91287fa1a17b68b3d8d717a23dac96836c5abfd7b044432bfa223c27da36197938d7e9fa341d01945043420958dcc7f7321917b962f75921db + + + + MIT + + + pkg:npm/json-parse-even-better-errors@2.3.1 + + + https://github.com/npm/json-parse-even-better-errors#readme + + + https://github.com/npm/json-parse-even-better-errors/issues + + + git+https://github.com/npm/json-parse-even-better-errors.git + + + + + Isaac Z. Schlueter + readdir-scoped-modules + 1.1.0 + + + + + 6ac6a29037aa01083b2627d1b199f5349657a3d13e57097209f6e4661c322128a7aa4e73352eb6eba1d2e646a1e8fd1269028617a4a43676551d4cc7158c580f + + + + ISC + + + pkg:npm/readdir-scoped-modules@1.1.0 + + + https://github.com/npm/readdir-scoped-modules + + + https://github.com/npm/readdir-scoped-modules/issues + + + git+https://github.com/npm/readdir-scoped-modules.git + + + + + Isaac Z. 
Schlueter + dezalgo + 1.0.3 + + + + + 7f742de066fc748bc8db820569dddce49bf0d456 + + + + ISC + + + pkg:npm/dezalgo@1.0.3 + + + https://github.com/npm/dezalgo + + + https://github.com/npm/dezalgo/issues + + + git+https://github.com/npm/dezalgo.git + + + + + asap + 2.0.6 + + + + + e50347611d7e690943208bbdafebcbc2fb866d46 + + + + MIT + + + pkg:npm/asap@2.0.6 + + + https://github.com/kriskowal/asap#readme + + + https://github.com/kriskowal/asap/issues + + + git+https://github.com/kriskowal/asap.git + + + + + graceful-fs + 4.2.9 + + + + + 36d371a947178295b688cadfa927d1ef71a5b77f4af812f05ac3ecf78c91eb7bf8e53d166de8fb79198be5c59fc0482a5e79a3429df36894ec85d456fea0b665 + + + + ISC + + + pkg:npm/graceful-fs@4.2.9 + + + https://github.com/isaacs/node-graceful-fs#readme + + + https://github.com/isaacs/node-graceful-fs/issues + + + git+https://github.com/isaacs/node-graceful-fs.git + + + + + Isaac Z. Schlueter + slide + 1.1.6 + + + + + 56eb027d65b4d2dce6cb2e2d32c4d4afc9e1d707 + + + + ISC + + + pkg:npm/slide@1.1.6 + + + https://github.com/isaacs/slide-flow-control#readme + + + https://github.com/isaacs/slide-flow-control/issues + + + git://github.com/isaacs/slide-flow-control.git + + + + + util-extend + 1.0.3 + + + + + a7c216d267545169637b3b6edc6ca9119e2ff93f + + + + MIT + + + pkg:npm/util-extend@1.0.3 + + + https://github.com/isaacs/util-extend#readme + + + https://github.com/isaacs/util-extend/issues + + + git://github.com/isaacs/util-extend.git + + + + + Kat Marchán + ssri + 8.0.1 + + + + + f7ba92873cb5022cb1bcf34890b5a81ae6bbc68433ccf8d0d07007e01d2b58aa3b499e944ae3dcad488016bc2cd141fc46b6d69a0ab72cc4ce6e13c81db6c179 + + + + ISC + + + pkg:npm/ssri@8.0.1 + + + https://github.com/npm/ssri#readme + + + https://github.com/npm/ssri/issues + + + git+https://github.com/npm/ssri.git + + + + + Isaac Z. 
Schlueter + minipass + 3.1.6 + + + + + aedcb9929c3dff3f125fd766c5b94503a79d22d526c0980c7980d946bc25215376ee2f20cac19bce7270520830d95fc556a1520dd5b2d38d193d2f35d43600a9 + + + + ISC + + + pkg:npm/minipass@3.1.6 + + + https://github.com/isaacs/minipass#readme + + + https://github.com/isaacs/minipass/issues + + + git+https://github.com/isaacs/minipass.git + + + + + Isaac Z. Schlueter + yallist + 4.0.0 + + + + + df074689d672ab93c1d3ce172c44b94e9392440df08d7025216321ba6da445cbffe354a7d9e990d1dc9c416e2e6572de8f02af83a12cbdb76554bf8560472dec + + + + ISC + + + pkg:npm/yallist@4.0.0 + + + https://github.com/isaacs/yallist#readme + + + https://github.com/isaacs/yallist/issues + + + git+https://github.com/isaacs/yallist.git + + + + + Aram Drevekenin + synp + 1.9.10 + + + + + 1bd67f4d74da046d7136c9547f7747162773ffcb6fbd1691e7ad165b23b0c88ed7ac61841814c420883885d461d6a16dcfc98f6329c0518c165d483f661d0fcf + + + + MIT + + + pkg:npm/synp@1.9.10 + + + https://github.com/imsnif/synp#readme + + + https://github.com/imsnif/synp/issues + + + git+https://github.com/imsnif/synp.git + + + + + @yarnpkg + lockfile + 1.1.0 + + + + + 1a94b0bf25ce70e3a557bd2f6e7ce38f87d6e715bf15d505ea7404b7510dcbb9b86427338b5fbf6ee5543c0aa619fab39ec391345cd432372d4c8a7c6bdb6e09 + + + + BSD-2-Clause + + + pkg:npm/%40yarnpkg/lockfile@1.1.0 + + + https://github.com/yarnpkg/yarn/blob/master/packages/lockfile + + + + + Jon Schlinkert + bash-glob + 2.0.0 + + + + + e77fcd27eb7650090462040f3ba6858dbc7551ef2f34d5c261a0381258cd28fd5247c03d752410a01998591f012d73b4fcd0d12443122780715a2862fff9b72b + + + + MIT + + + pkg:npm/bash-glob@2.0.0 + + + https://github.com/micromatch/bash-glob + + + https://github.com/micromatch/bash-glob/issues + + + git+https://github.com/micromatch/bash-glob.git + + + + + Jon Schlinkert + bash-path + 1.0.3 + + + + + 986ad8bce6bac9363fa8d0a26643c526a5a63832baf32ea499544027534d6d694da09ad4aec171bbb154d842a0ee06eb7abeadb6b2a4176b3f13f961472eff38 + + + + MIT + + + pkg:npm/bash-path@1.0.3 + + + 
https://github.com/micromatch/bash-path + + + https://github.com/micromatch/bash-path/issues + + + git+https://github.com/micromatch/bash-path.git + + + + + Jon Schlinkert + arr-union + 3.1.0 + + + + + e39b09aea9def866a8f206e288af63919bae39c4 + + + + MIT + + + pkg:npm/arr-union@3.1.0 + + + https://github.com/jonschlinkert/arr-union + + + https://github.com/jonschlinkert/arr-union/issues + + + git+https://github.com/jonschlinkert/arr-union.git + + + + + Jon Schlinkert + is-windows + 1.0.2 + + + + + 7972b55089ead9b3e68f25fa7b754723330ba1b73827de22e005a7f87a6adce5392a4ad10bde8e01c4773d127fa46bba9bc4d19c11cff5d917415b13fc239520 + + + + MIT + + + pkg:npm/is-windows@1.0.2 + + + https://github.com/jonschlinkert/is-windows + + + https://github.com/jonschlinkert/is-windows/issues + + + git+https://github.com/jonschlinkert/is-windows.git + + + + + component-emitter + 1.3.0 + + + + + 45ddec7ba401fac3b54f0a998ec710aeeae910f21f3b4ff26274a29fa43fac3de63aeb47bd4ac202126e6f7afdd2e35bf9211206e134418a01f7461d7dab6c46 + + + + MIT + + + pkg:npm/component-emitter@1.3.0 + + + https://github.com/component/emitter#readme + + + https://github.com/component/emitter/issues + + + git+https://github.com/component/emitter.git + + + + + IndigoUnited + cross-spawn + 5.1.0 + + + + + 8910cf24a50f544343edd1cf3bcae46ce9cfa720f281c0c5b568e9796342832f163f6ad77315cbf13b2445e425e8eac1d86efe509ada82cd6ad7916e75cec6eb + + + + MIT + + + pkg:npm/cross-spawn@5.1.0 + + + https://github.com/IndigoUnited/node-cross-spawn#readme + + + https://github.com/IndigoUnited/node-cross-spawn/issues/ + + + git://github.com/IndigoUnited/node-cross-spawn.git + + + + + Isaac Z. 
Schlueter + lru-cache + 4.1.5 + + + + + 268e9d274e029928eece7c09492de951e5a677f1f47df4e59175e0c198be7aad540a6a90c0287e78bb183980b063df758b615a878875044302c78a938466ec88 + + + + ISC + + + pkg:npm/lru-cache@4.1.5 + + + https://github.com/isaacs/node-lru-cache#readme + + + https://github.com/isaacs/node-lru-cache/issues + + + git://github.com/isaacs/node-lru-cache.git + + + + + Isaac Z. Schlueter + pseudomap + 1.0.2 + + + + + f052a28da70e618917ef0a8ac34c1ae5a68286b3 + + + + ISC + + + pkg:npm/pseudomap@1.0.2 + + + https://github.com/isaacs/pseudomap#readme + + + https://github.com/isaacs/pseudomap/issues + + + git+https://github.com/isaacs/pseudomap.git + + + + + Isaac Z. Schlueter + yallist + 2.1.2 + + + + + df074689d672ab93c1d3ce172c44b94e9392440df08d7025216321ba6da445cbffe354a7d9e990d1dc9c416e2e6572de8f02af83a12cbdb76554bf8560472dec + + + + ISC + + + pkg:npm/yallist@2.1.2 + + + https://github.com/isaacs/yallist#readme + + + https://github.com/isaacs/yallist/issues + + + git+https://github.com/isaacs/yallist.git + + + + + Kevin Martensson + shebang-command + 1.2.0 + + + + + 907c6bdb366962d766acdd6a0e3aeb5ff675ad1d641bc0f1fa09292b51b87979af5ecc26704d614d6056614ce5ada630d7fc99a7a62e0d8efb62dbdb3747660c + + + + MIT + + + pkg:npm/shebang-command@1.2.0 + + + https://github.com/kevva/shebang-command#readme + + + https://github.com/kevva/shebang-command/issues + + + git+https://github.com/kevva/shebang-command.git + + + + + Sindre Sorhus + shebang-regex + 1.0.0 + + + + + efef9d161b5cc77df9dee05aabc0c347836ec417ad0730bb6503a19934089c711de9b4ab5dd884cb30af1b4ed9e3851874b4a1594c97b7933fca1cfc7a471bd4 + + + + MIT + + + pkg:npm/shebang-regex@1.0.0 + + + https://github.com/sindresorhus/shebang-regex#readme + + + https://github.com/sindresorhus/shebang-regex/issues + + + git+https://github.com/sindresorhus/shebang-regex.git + + + + + Isaac Z. 
Schlueter + which + 1.3.1 + + + + + 04b2374e5d535b73ef97bd25df2ab763ae22f9ac29c17aac181616924a8cb676d782b303fb28fbae15b492e103c7325a6171a3116e6881aa4a34c10a34c8e26c + + + + ISC + + + pkg:npm/which@1.3.1 + + + https://github.com/isaacs/node-which#readme + + + https://github.com/isaacs/node-which/issues + + + git://github.com/isaacs/node-which.git + + + + + Isaac Z. Schlueter + isexe + 2.0.0 + + + + + e8fbf374dc556ff8947a10dcb0572d633f2cfa10 + + + + ISC + + + pkg:npm/isexe@2.0.0 + + + https://github.com/isaacs/isexe#readme + + + https://github.com/isaacs/isexe/issues + + + git+https://github.com/isaacs/isexe.git + + + + + Jon Schlinkert + each-parallel-async + 1.0.0 + + + + + 3fff642d08908f4bd9373a61bca29381180c9e5aace5c26cc5e022ba88358eb527c2fd19de1554c090d088fecc9cb6f623d4b5e6747d49151c7854fd231b6a46 + + + + MIT + + + pkg:npm/each-parallel-async@1.0.0 + + + https://github.com/jonschlinkert/each-parallel-async + + + https://github.com/jonschlinkert/each-parallel-async/issues + + + git+https://github.com/jonschlinkert/each-parallel-async.git + + + + + Jon Schlinkert + extend-shallow + 2.0.1 + + + + + 51af7d614ad9a9f610ea1bafbb989d6b1c56890f + + + + MIT + + + pkg:npm/extend-shallow@2.0.1 + + + https://github.com/jonschlinkert/extend-shallow + + + https://github.com/jonschlinkert/extend-shallow/issues + + + git+https://github.com/jonschlinkert/extend-shallow.git + + + + + Jon Schlinkert + is-extendable + 0.1.1 + + + + + 62b110e289a471418e3ec36a617d472e301dfc89 + + + + MIT + + + pkg:npm/is-extendable@0.1.1 + + + https://github.com/jonschlinkert/is-extendable + + + https://github.com/jonschlinkert/is-extendable/issues + + + git+https://github.com/jonschlinkert/is-extendable.git + + + + + Jon Schlinkert + is-extglob + 2.1.1 + + + + + a88c02535791f02ed37c76a1b9ea9773c833f8c2 + + + + MIT + + + pkg:npm/is-extglob@2.1.1 + + + https://github.com/jonschlinkert/is-extglob + + + https://github.com/jonschlinkert/is-extglob/issues + + + 
git+https://github.com/jonschlinkert/is-extglob.git + + + + + Jon Schlinkert + is-glob + 4.0.3 + + + + + c5e9526b21c7dfa66013b6568658bba56df884d6cd97c3a3bf92959a4243e2105d0f7b61f137e4f6f61ab0b33e99758e6611648197f184b4a7af046be1e9524a + + + + MIT + + + pkg:npm/is-glob@4.0.3 + + + https://github.com/micromatch/is-glob + + + https://github.com/micromatch/is-glob/issues + + + git+https://github.com/micromatch/is-glob.git + + + + + Marak Squires + colors + 1.4.0 + + + + + 6be52a4e1e2481983f4a51af7dbcc31e9811bbb00040e9a6a911c99f185164808a1544fdd5bad584d36de7c08c594f4fb016efdcf0c26541db571b83887da6b4 + + + + MIT + + + pkg:npm/colors@1.4.0 + + + https://github.com/Marak/colors.js + + + https://github.com/Marak/colors.js/issues + + + git+ssh://git@github.com/Marak/colors.js.git + + + + + TJ Holowaychuk + commander + 7.2.0 + + + + + 3a44cbf6e99ff877b60d9914abc7fc27da1fef22fa449288db875521306635f6419ab8bdcd8650aca92e5e22a1c9f3d2bbcb5486754107588a5debef9e54785b + + + + MIT + + + pkg:npm/commander@7.2.0 + + + https://github.com/tj/commander.js#readme + + + https://github.com/tj/commander.js/issues + + + git+https://github.com/tj/commander.js.git + + + + + Ryan Van Etten + eol + 0.9.1 + + + + + 0ecfd3128663c20811a33fd0d8eed21378b8266eba9aa4c37e674776affb0ca564ddbae8f50f21e9675729d3ea14b328ab1ac32b94954731d53ce4babae1adae + + + + MIT + + + pkg:npm/eol@0.9.1 + + + https://github.com/ryanve/eol + + + https://github.com/ryanve/eol/issues + + + git+https://github.com/ryanve/eol.git + + + + + John-David Dalton + lodash + 4.17.21 + + + + + bf690311ee7b95e713ba568322e3533f2dd1cb880b189e99d4edef13592b81764daec43e2c54c61d5c558dc5cfb35ecb85b65519e74026ff17675b6f8f916f4a + + + + MIT + + + pkg:npm/lodash@4.17.21 + + + https://lodash.com/ + + + https://github.com/lodash/lodash/issues + + + git+https://github.com/lodash/lodash.git + + + + + Aram Drevekenin + nmtree + 1.0.6 + + + + + 
4943c2a325f9c3f94e4fac03fcf644ca647e27cf7df7ce2d6043988ee0ea42520e797e4d49bd4c12c09c4f46b3f9d8590f430b023e61181644a4a431b8376788 + + + + MIT + + + pkg:npm/nmtree@1.0.6 + + + https://github.com/imsnif/nmtree#readme + + + https://github.com/imsnif/nmtree/issues + + + git+https://github.com/imsnif/nmtree.git + + + + + TJ Holowaychuk + commander + 2.20.3 + + + + + 3a44cbf6e99ff877b60d9914abc7fc27da1fef22fa449288db875521306635f6419ab8bdcd8650aca92e5e22a1c9f3d2bbcb5486754107588a5debef9e54785b + + + + MIT + + + pkg:npm/commander@2.20.3 + + + https://github.com/tj/commander.js#readme + + + https://github.com/tj/commander.js/issues + + + git+https://github.com/tj/commander.js.git + + + + + semver + 7.3.5 + + + + + 6f7f5305a4d27d5eb206b6a953cf69e5f29e904da6fcdc270e870e56bb90152d7fbde320773b8f72738cdf833a0b0c56f231ff97111ae6b0680de530bb91c74f + + + + ISC + + + pkg:npm/semver@7.3.5 + + + https://github.com/npm/node-semver#readme + + + https://github.com/npm/node-semver/issues + + + git+https://github.com/npm/node-semver.git + + + + + Isaac Z. 
Schlueter + lru-cache + 6.0.0 + + + + + 268e9d274e029928eece7c09492de951e5a677f1f47df4e59175e0c198be7aad540a6a90c0287e78bb183980b063df758b615a878875044302c78a938466ec88 + + + + ISC + + + pkg:npm/lru-cache@6.0.0 + + + https://github.com/isaacs/node-lru-cache#readme + + + https://github.com/isaacs/node-lru-cache/issues + + + git://github.com/isaacs/node-lru-cache.git + + + + + Keith Cirkel + sort-object-keys + 1.1.3 + + + + + f39e69bcaf95914ecf68a60f73e2639e6b781337a3407ca1845df7ab7d6a1bcc7b99a0f391e1610004e174261acb5d422123bea803308ce04ff9f3d97b420fca + + + + MIT + + + pkg:npm/sort-object-keys@1.1.3 + + + https://github.com/keithamus/sort-object-keys#readme + + + https://github.com/keithamus/sort-object-keys/issues + + + git+ssh://git@github.com/keithamus/sort-object-keys.git + + + + + uuid + 8.3.2 + + + + + f8d62cd9078c5b2f865853849bdc679fa1c20e9d25ed0043ee697cccb52627ef77439345d0da1c12b9f09139175453625f7fdfa42e9a7d2f0385bfe0cfb47b7a + + + + MIT + + + pkg:npm/uuid@8.3.2 + + + https://github.com/uuidjs/uuid#readme + + + https://github.com/uuidjs/uuid/issues + + + git+https://github.com/uuidjs/uuid.git + + + + + Ozgur Ozcitak + xmlbuilder + 15.1.1 + + + + + c8ca8606ab57c9e3757b74c662f80d803559de3f385b873090e5d0b30821a25e803e065669f7fd9676ef37b3076093a25ecbc63d7b634d8244882f49db0bfd12 + + + + MIT + + + pkg:npm/xmlbuilder@15.1.1 + + + http://github.com/oozcitak/xmlbuilder-js + + + http://github.com/oozcitak/xmlbuilder-js/issues + + + git://github.com/oozcitak/xmlbuilder-js.git + + + + + \ No newline at end of file diff --git a/model/Bom.js b/model/Bom.js index 995dfc90..3306c8af 100644 --- a/model/Bom.js +++ b/model/Bom.js 
@@ -168,23 +168,33 @@ class Bom extends CycloneDXObject { this._serialNumber = this.validateType('Serial number', value.String) } + /** + * @returns {string} + */ toJSON () { const json = { bomFormat: 'CycloneDX', specVersion: this._schemaVersion, - serialNumber: this._serialNumber, + serialNumber: process.env.BOM_REPRODUCIBLE + ? undefined + : this._serialNumber, version: this._version, metadata: this._metadata, - components: this._components, + components: this._components && this._components.length > 0 && process.env.BOM_REPRODUCIBLE + ? Array.from(this._components).sort((a, b) => a.compare(b)) + : this._components, dependencies: this._dependencies } return JSON.stringify(json, null, 2) } + /** + * @returns {string} + */ toXML () { const bom = builder.create('bom', { encoding: 'utf-8', separateArrayItems: true }) .att('xmlns', 'http://cyclonedx.org/schema/bom/' + this._schemaVersion) - if (this._serialNumber) { + if (this._serialNumber && !process.env.BOM_REPRODUCIBLE) { bom.att('serialNumber', this._serialNumber) } bom.att('version', this._version) @@ -196,11 +206,12 @@ class Bom extends CycloneDXObject { const componentsNode = bom.ele('components') if (this._components && this._components.length > 0) { - const value = [] - for (const component of this._components) { - value.push(component.toXML()) - } - componentsNode.ele(value) + componentsNode.ele( + (process.env.BOM_REPRODUCIBLE + ? Array.from(this._components).sort((a, b) => a.compare(b)) + : this._components + ).map(c => c.toXML()) + ) } if (this._dependencies && this._dependencies.length > 0) { diff --git a/model/Component.js b/model/Component.js index 81e8fae2..5576756a 100644 --- a/model/Component.js +++ b/model/Component.js 
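Review bot: Reproducible mode is keyed on the truthiness of `process.env.BOM_REPRODUCIBLE` in `toJSON`, again in `toXML`, and again in the second hunk of this file, so `BOM_REPRODUCIBLE=0` or `BOM_REPRODUCIBLE=false` switch it on while an empty `BOM_REPRODUCIBLE=` switches it off. Neither the README text nor the `addHelpText` string in `bin/make-bom.js` says which values count, so either state it there as `set BOM_REPRODUCIBLE to any non-empty value` or resolve it once per method, `const reproducible = Boolean(process.env.BOM_REPRODUCIBLE)`, and use that in the three places so the rule lives in one spot. A one-line why-comment on each method would also help the next reader, e.g. `// BOM_REPRODUCIBLE: omit the random serial number and sort components so two runs diff cleanly`.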
@@ -29,13 +29,18 @@ const Swid = require('./Swid') /** * Component's scope * + * @see Component.supportedComponentScopes + * * @typedef {("required"|"optional"|"excluded")} Component.ComponentScope */ /** * Component's type * - * @typedef {("application"|"framework"|"library"|"container"|"operating-system"|"device"|"firmware"|"file")} Component.ComponentType + * @see Component.supportedComponentTypes + * + * @typedef {("application"|"framework"|"library"|"container"|"operating-system"|"device"|"firmware" + * |"file")} Component.ComponentType */ class Component extends CycloneDXObject { @@ -156,14 +161,14 @@ class Component extends CycloneDXObject { } /** - * @returns {Component.ComponentType[]} + * @returns {Array} */ static supportedComponentTypes () { return ['application', 'framework', 'library', 'container', 'operating-system', 'device', 'firmware', 'file'] } /** - * @returns {Component.ComponentScope[]} + * @returns {Array} */ static supportedComponentScopes () { return ['required', 'optional', 'excluded'] @@ -503,6 +508,22 @@ class Component extends CycloneDXObject { } } } + + /** + * Compare with another component. + * + * Compare purl, if exists; else compare group, name, version. + * + * @param {Component} other + * @return {number} + */ + compare (other) { + if (!(other instanceof Component)) { return 0 } + if (this.#purl || other.#purl) { return this.#purl.localeCompare(other.#purl) } + return (this.#group || '').localeCompare(other.#group || '') || + (this.#name).localeCompare(other.#name) || + (this.#version || '').localeCompare(other.#version || '') + } } module.exports = Component diff --git a/model/ExternalReference.js b/model/ExternalReference.js index d83092e2..6b45f363 100644 --- a/model/ExternalReference.js +++ b/model/ExternalReference.js 
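Review bot: `compare` dereferences `this.#purl` whenever either side has a purl, so comparing a component without a purl against one that has one throws a TypeError, and the reverse pairing compares against the string `"undefined"`; the `||` guard only covers half of the pair. `if (this.#purl || other.#purl) { return String(this.#purl || '').localeCompare(String(other.#purl || '')) }` keeps the intent and is total, assuming `#purl` is a string or stringifiable as the existing `localeCompare` call implies. Separately, `localeCompare` with no locale argument sorts by the host's default locale and ICU data, which is a shaky base for a reproducibility feature; the same applies to `ExternalReference.compare` and `Hash.compare` in this change, and passing a fixed locale such as `'en'` or comparing the raw strings with `<`/`>` gives a host-independent order. Equal keys return 0 and rely on `Array.prototype.sort` being stable, which is only guaranteed on Node 11 and later.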
@@ -19,49 +19,107 @@ const CycloneDXObject = require('./CycloneDXObject') +/** + * ExternalReference's type + * + * @see ExternalReference.validChoices + * + * @typedef {("vcs"|"issue-tracker"|"website"|"advisories"|"bom"|"mailing-list"|"social"|"chat" + * |"documentation"|"support"|"distribution"|"license"|"build-meta"|"build-system" + * |"other")} ExternalReference.ExternalReferenceType + */ + class ExternalReference extends CycloneDXObject { + /** @type {ExternalReference.ExternalReferenceType} */ + #type + /** @type {string} */ + #url + /** @type {(string|undefined)} */ + #comment + + /** + * @param {ExternalReference.ExternalReferenceType} type + * @param {string} url + * @param {(string|undefined|null)} [comment] + * @throws {TypeError} if param is not of expected type + */ constructor (type, url, comment) { super() - this._type = this.validateChoice('Reference type', type, this.validChoices()) - this._url = url - this._comment = comment + this.type = type + this.url = url + this.comment = comment } + /** @return {Array} */ validChoices () { return ['vcs', 'issue-tracker', 'website', 'advisories', 'bom', 'mailing-list', 'social', 'chat', - 'documentation', 'support', 'distribution', 'license', 'build-meta', 'build-system', 'other'] + 'documentation', 'support', 'distribution', 'license', 'build-meta', 'build-system', + 'other'] } + /** + * @return {string} + */ get url () { - return this._url + return this.#url } + /** + * @param {string} value + * @throws {TypeError} if value is not of expected type + */ set url (value) { - this._url = this.validateType('URL', value, String) + this.#url = this.validateType('URL', value, String, true) } + /** + * @return {ExternalReference.ExternalReferenceType} + */ get type () { - return this._type + return this.#type } + /** + * @param {ExternalReference.ExternalReferenceType} value + * @throws {TypeError} if value is not of expected type + */ set type (value) { - this._type = this.validateChoice('Reference type', value, 
this.validChoices()) + this.#type = this.validateChoice('Reference type', value, this.validChoices()) } + /** + * @return {(string|undefined)} + */ get comment () { - return this._comment + return this.#comment } + /** + * @param {(string|undefined|null)} value + * @throws {TypeError} if value is not of expected type + */ set comment (value) { - this._comment = this.validateType('Comment', value, String) + this.#comment = this.validateType('Comment', value, String) } toJSON () { - return { type: this._type, url: this._url } + return { type: this.#type, url: this.#url } } toXML () { - return { reference: { '@type': this._type, url: this._url } } + return { reference: { '@type': this.#type, url: this.#url } } + } + + /** + * Compare with another ExternalReference + * + * @param {ExternalReference} other + * @return {number} + */ + compare (other) { + if (!(other instanceof ExternalReference)) { return 0 } + return this.#type.localeCompare(other.#type) || + this.#url.localeCompare(other.#url) } } diff --git a/model/ExternalReferenceList.js b/model/ExternalReferenceList.js index 0755ced4..f74b45e9 100644 --- a/model/ExternalReferenceList.js +++ b/model/ExternalReferenceList.js @@ -20,8 +20,11 @@ const ExternalReference = require('./ExternalReference') class ExternalReferenceList { + /** @type {Array} */ + #externalReferences + constructor (pkg) { - this._externalReferences = [] + this.#externalReferences = [] if (pkg) { this.processExternalReferences(pkg) } 
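Review bot: `#comment` is validated, stored and documented as `(string|undefined)` but never leaves the object: `toJSON` and `toXML` emit only `type` and `url`, so a comment passed to the constructor is silently dropped. If the comment is meant to be supported (the CycloneDX externalReference model does carry a `comment` field), `toJSON` can return `{ type: this.#type, url: this.#url, comment: this.#comment }` since `JSON.stringify` omits `undefined`; for `toXML` the child should be added only when set, as it is unclear here how the builder treats an `undefined` value. If the omission is intentional, a one-line comment on the `comment` setter saying so would stop the next reader from chasing it. `toJSON` and `toXML` are also the only methods in the class left without the JSDoc `@return` annotations this change adds everywhere else.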
@@ -32,46 +35,46 @@ class ExternalReferenceList { * @type {number} */ get length () { - return this._externalReferences - ? this._externalReferences.length + return this.#externalReferences + ? this.#externalReferences.length : 0 } get externalReferences () { - return this._externalReferences + return this.#externalReferences } set externalReferences (value) { if (!Array.isArray(value)) { throw new TypeError('ExternalReferencesList value must be an array of ExternalReference objects') } - this._externalReferences = value + this.#externalReferences = value } processExternalReferences (pkg) { - if (pkg.homepage && !ExternalReferenceList.isEligibleHomepage(pkg.homepage)) { - this._externalReferences.push(new ExternalReference('website', pkg.homepage)) + if (pkg.homepage && ExternalReferenceList.isEligibleHomepage(pkg.homepage)) { + this.#externalReferences.push(new ExternalReference('website', pkg.homepage)) } if (pkg.bugs && pkg.bugs.url) { - this._externalReferences.push(new ExternalReference('issue-tracker', pkg.bugs.url)) + this.#externalReferences.push(new ExternalReference('issue-tracker', pkg.bugs.url)) } if (pkg.repository && pkg.repository.url) { - this._externalReferences.push(new ExternalReference('vcs', pkg.repository.url)) + this.#externalReferences.push(new ExternalReference('vcs', pkg.repository.url)) } } /** - * Checks the eligibility of the package 'homepage' to be included in the externalReferences array * @param {string} homepage the package homepage * @returns {boolean} `true` if an eligible homepage */ static isEligibleHomepage (homepage) { - return /^https?:\/\/\.$/.test(homepage) + return /^https?:\/\//.test(homepage) && + homepage !== 'http://.' && homepage !== 'https://.' } toJSON () { const value = [] - for (const externalReference of this._externalReferences) { + for (const externalReference of this.#externalReferences) { value.push(externalReference.toJSON()) } return value 
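Review bot: The `externalReferences` setter's error message promises an array of ExternalReference objects but only `Array.isArray` is checked, so a foreign element is accepted here and fails later inside `toJSON`/`toXML`, far from the assignment; `if (!value.every(v => v instanceof ExternalReference)) { throw new TypeError('ExternalReferencesList value must be an array of ExternalReference objects') }` after the array check makes the message true. With `#externalReferences` always initialised to `[]` in the constructor and the setter accepting only arrays, the `? ... : 0` fallback in the `length` getter is dead and can become `return this.#externalReferences.length`. In `isEligibleHomepage` the scheme test is case-sensitive, so `HTTPS://example.org` is rejected; `/^https?:\/\//i` accepts it if that is desired. The class continues outside this hunk.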
@@ -79,7 +82,7 @@ class ExternalReferenceList { toXML () { const value = [] - for (const externalReference of this._externalReferences) { + for (const externalReference of this.#externalReferences) { value.push(externalReference.toXML()) } return value diff --git a/model/Hash.js b/model/Hash.js index baf5d121..7e14be0c 100644 --- a/model/Hash.js +++ b/model/Hash.js 
@@ -19,40 +19,86 @@ const CycloneDXObject = require('./CycloneDXObject') +/** + * HashAlgorithm + * + * @see Hash.validAlgorithms + * + * @typedef {("MD5"|"SHA-1"|"SHA-256"|"SHA-384"|"SHA-512"|"SHA3-256"|"SHA3-384" + * |"SHA3-512"|"BLAKE2b-256"|"BLAKE2b-384"|"BLAKE2b-512"|"BLAKE3")} Hash.HashAlgorithm + */ + class Hash extends CycloneDXObject { + /** @type {Hash.HashAlgorithm} */ + #algorithm + /** @type {string} */ + #value + + /** + * @param {Hash.HashAlgorithm} algorithm + * @param {string} value + * @throws {TypeError} if param is not of expected type + */ constructor (algorithm, value) { super() - this._algorithm = this.validateChoice('Algorithm', algorithm, this.validAlgorithms()) - this._value = value + this.algorithm = algorithm + this.value = value } + /** @return {Array} */ validAlgorithms () { return ['MD5', 'SHA-1', 'SHA-256', 'SHA-384', 'SHA-512', 'SHA3-256', 'SHA3-384', 'SHA3-512', 'BLAKE2b-256', 'BLAKE2b-384', 'BLAKE2b-512', 'BLAKE3'] } + /** + * @return {Hash.HashAlgorithm} + */ get algorithm () { - return this._algorithm + return this.#algorithm } + /** + * @param {Hash.HashAlgorithm} value + * @throws {TypeError} if value is not of expected type + */ set algorithm (value) { - this._algorithm = this.validateChoice('Algorithm', value, this.validAlgorithms()) + this.#algorithm = this.validateChoice('Algorithm', value, this.validAlgorithms()) } + /** + * @return {string} + */ get value () { - return this._value + return this.#value } + /** + * @param {string} value + * @throws {TypeError} if value is not of expected type + */ set value (value) { - this._value = this.validateType('Hash value', value, String) + this.#value = this.validateType('Hash value', value, String, true) } toJSON () { - return { alg: this._algorithm, content: this._value } + return { alg: this.#algorithm, content: this.#value } } toXML () { - return { hash: { '@alg': this._algorithm, '#text': this._value } } + return { hash: { '@alg': this.#algorithm, '#text': this.#value } } + } 
+ + /** + * Compare with another Hash. + * + * @param {Hash} other + * @return {number} + */ + compare (other) { + if (!(other instanceof Hash)) { return 0 } + return this.#algorithm.localeCompare(other.#algorithm) || + this.#value.localeCompare(other.#value) } } diff --git a/model/HashList.js b/model/HashList.js index 94446e47..c653ebc3 100644 --- a/model/HashList.js +++ b/model/HashList.js @@ -21,8 +21,11 @@ const ssri = require('ssri') const Hash = require('./Hash') class HashList { + /** @type {Array} */ + #hashes + constructor (pkg, lockfile) { - this._hashes = [] + this.#hashes = [] if (pkg) { this.processHashes(pkg, lockfile) } @@ -33,20 +36,20 @@ class HashList { * @type {number} */ get length () { - return this._hashes - ? this._hashes.length + return this.#hashes + ? this.#hashes.length : 0 } get hashes () { - return this._hashes + return this.#hashes } set hashes (value) { if (!Array.isArray(value)) { throw new TypeError('HashList value must be an array of Hash objects') } - this._hashes = value + this.#hashes = value } processHashes (pkg, lockfile) { @@ -57,7 +60,7 @@ class HashList { this.formatHash(ssri.parse(lockfile.dependencies[pkg.name].integrity)) } } else if (pkg._shasum) { - this._hashes.push(new Hash('SHA-1', pkg._shasum)) + this.#hashes.push(new Hash('SHA-1', pkg._shasum)) } else if (pkg._integrity) { this.formatHash(ssri.parse(pkg._integrity)) } 
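Review bot: `set value` now rejects a missing value but still accepts any string, so a non-hex or wrongly sized digest (for instance the base64 form that `ssri` yields, if it ever reaches this setter unconverted) is stored and serialized as `content`, which a consumer verifying package integrity from the SBOM cannot use and which, if I recall the CycloneDX schema correctly, its hex-digest pattern rejects. A check such as `if (!/^[0-9a-fA-F]+$/.test(value)) { throw new TypeError('Hash value must be a hex digest') }` after the existing type validation, or a per-algorithm length table next to `validAlgorithms`, catches that at construction instead of at the consumer. As a style point, `validAlgorithms` is only ever called through `this` and could be `static` like `Component.supportedComponentTypes`. The Hash class is complete in this hunk, but HashList.createHash, which feeds these values, is not visible.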
@@ -67,16 +70,16 @@ class HashList { // Components may have multiple hashes with various lengths. Check each one // that is supported by the CycloneDX specification. if (Object.prototype.hasOwnProperty.call(integrity, 'sha512')) { - this._hashes.push(this.createHash('SHA-512', integrity.sha512[0].digest)) + this.#hashes.push(this.createHash('SHA-512', integrity.sha512[0].digest)) } if (Object.prototype.hasOwnProperty.call(integrity, 'sha384')) { - this._hashes.push(this.createHash('SHA-384', integrity.sha384[0].digest)) + this.#hashes.push(this.createHash('SHA-384', integrity.sha384[0].digest)) } if (Object.prototype.hasOwnProperty.call(integrity, 'sha256')) { - this._hashes.push(this.createHash('SHA-256', integrity.sha256[0].digest)) + this.#hashes.push(this.createHash('SHA-256', integrity.sha256[0].digest)) } if (Object.prototype.hasOwnProperty.call(integrity, 'sha1')) { - this._hashes.push(this.createHash('SHA-1', integrity.sha1[0].digest)) + this.#hashes.push(this.createHash('SHA-1', integrity.sha1[0].digest)) } } @@ -86,19 +89,17 @@ class HashList { } toJSON () { - const value = [] - for (const hash of this._hashes) { - value.push(hash.toJSON()) - } - return value + const hashes = this.#hashes.length > 0 && process.env.BOM_REPRODUCIBLE + ? Array.from(this.#hashes).sort((a, b) => a.compare(b)) + : this.#hashes + return hashes.map(h => h.toJSON()) } toXML () { - const value = [] - for (const hash of this._hashes) { - value.push(hash.toXML()) - } - return value + const hashes = this.#hashes.length > 0 && process.env.BOM_REPRODUCIBLE + ? Array.from(this.#hashes).sort((a, b) => a.compare(b)) + : this.#hashes + return hashes.map(h => h.toXML()) } } diff --git a/model/Metadata.js b/model/Metadata.js index b696953f..0eeba0f9 100644 --- a/model/Metadata.js +++ b/model/Metadata.js 
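Review bot: `toJSON` and `toXML` now carry an identical four-line sort expression, so the reproducible-mode rule lives in two places, and the `length > 0` guard is redundant since sorting an empty array yields an empty array. A private `#ordered () { return process.env.BOM_REPRODUCIBLE ? Array.from(this.#hashes).sort((a, b) => a.compare(b)) : this.#hashes }` lets both become `return this.#ordered().map(h => h.toJSON())` and `return this.#ordered().map(h => h.toXML())`. The output order then depends on `Hash.compare`, which uses `localeCompare` without a fixed locale, so it can still differ between hosts with different locale or ICU settings. The class continues outside this hunk.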
@@ -100,7 +100,7 @@ class Metadata extends CycloneDXObject { toJSON () { return { - timestamp: (this._timestamp) ? this._timestamp.toISOString() : undefined, + timestamp: (this._timestamp && !process.env.BOM_REPRODUCIBLE) ? this._timestamp.toISOString() : undefined, tools: (this._tools && this._tools.length > 0) ? this.processArray(this._tools, 'JSON') : undefined, authors: (this._authors && this._authors.length > 0) ? this.processArray(this._authors, 'JSON') : undefined, component: (this._component) ? this._component.toJSON() : undefined, @@ -111,7 +111,7 @@ class Metadata extends CycloneDXObject { toXML () { return { - timestamp: (this._timestamp) ? this._timestamp.toISOString() : undefined, + timestamp: (this._timestamp && !process.env.BOM_REPRODUCIBLE) ? this._timestamp.toISOString() : undefined, tools: (this._tools && this._tools.length > 0) ? this.processArray(this._tools, 'XML') : undefined, authors: (this._authors && this._authors.length > 0) ? this.processArray(this._authors, 'XML') : undefined, component: (this._component) ? this._component.toXML().component : undefined, diff --git a/package.json b/package.json index 55888d9a..3d49415b 100644 --- a/package.json +++ b/package.json @@ -39,8 +39,8 @@ }, "scripts": { "setup-tests": "node tests/integration/setup.js", - "test": "npm run test:unit && npm run test:standard", - "test:unit": "jest", + "test": "npm run test:jest && npm run test:standard", + "test:jest": "jest", "test:standard": "standard -v", "cs-fix": "standard --fix", "generate-jsdocs": "rm -rf docs/jsdoc && jsdoc -P package.json -d docs/jsdoc -r index.js model -R README.md --verbose", diff --git a/tests/integration/__snapshots__/index.test.js.snap b/tests/integration/__snapshots__/index.test.js.snap index 9f0a811f..2b03f43a 100644 --- a/tests/integration/__snapshots__/index.test.js.snap +++ b/tests/integration/__snapshots__/index.test.js.snap 
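Review bot: In reproducible mode both serializers drop `metadata.timestamp` entirely rather than pinning it, so consumers that use the timestamp to judge SBOM freshness get nothing. The reproducible-builds convention is to honour `SOURCE_DATE_EPOCH` when set, e.g. `const ts = process.env.SOURCE_DATE_EPOCH ? new Date(Number(process.env.SOURCE_DATE_EPOCH) * 1000) : (process.env.BOM_REPRODUCIBLE ? undefined : this._timestamp)` followed by `timestamp: ts ? ts.toISOString() : undefined`, which gives a stable and still meaningful value across runs; a non-numeric `SOURCE_DATE_EPOCH` would need a guard since `toISOString` throws on an invalid Date. The `toJSON` and `toXML` lines are identical apart from the serializer and could share one small helper. Whether `_timestamp` can be unset is not visible here, so the existing null guard is kept in the suggestion.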
@@ -6,7 +6,6 @@ exports[`integration: produce a BOM that includes hashes from package-lock.json \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -1633,7 +1632,6 @@ exports[`integration: produce a BOM that includes hashes from package-lock.json " - 2020-01-01T01:00:00.000Z CycloneDX @@ -2815,7 +2813,6 @@ exports[`integration: produce a BOM that is empty as JSON 1`] = ` \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -2840,7 +2837,6 @@ exports[`integration: produce a BOM that is empty as XML 1`] = ` " - 2020-01-01T01:00:00.000Z CycloneDX @@ -2865,7 +2861,6 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -2949,13 +2944,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.2\\", \\"description\\": \\"Match balanced character pairs, like \\\\\\"{\\\\\\" and \\\\\\"}\\\\\\"\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"de849e50ed13315ebb84dd4099b5ec2b8c9aa94eed8e21e56f144364ea47d0a5bdf82797e1b440697d009f1b74b71d8cae94695b041a3f02252121098585393f\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"e83e3a7e3f300b34cb9d87f615fa0cbf357690ee\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"de849e50ed13315ebb84dd4099b5ec2b8c9aa94eed8e21e56f144364ea47d0a5bdf82797e1b440697d009f1b74b71d8cae94695b041a3f02252121098585393f\\" } ], \\"licenses\\": [ 
@@ -2989,13 +2984,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.1.11\\", \\"description\\": \\"Brace expansion as known from sh/bash\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"882b8f1c3160ac75fb1f6bc423fe71a73d3bcd21c1d344e9ba0aa1998b5598c3bae75f260ae44ca0e60595d101974835f3bb9fa3375a1e058a71815beb5a8688\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"3c7fcbf529d87226f3d2f52b966ff5271eb441dd\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"882b8f1c3160ac75fb1f6bc423fe71a73d3bcd21c1d344e9ba0aa1998b5598c3bae75f260ae44ca0e60595d101974835f3bb9fa3375a1e058a71815beb5a8688\\" } ], \\"licenses\\": [ @@ -3101,13 +3096,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.4\\", \\"description\\": \\"Contain async insanity so that the dark pony lord doesn't eat souls\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"ad748fd1b7fee67d10a27b1bf925557cd7c8b2298ee0712d9a72293c763c435502cca950ac331f7686ebf2724e3ac460582c8c46a792050ce659432aef3bd58a\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"751235260469084c132157dfa857f386d4c33d81\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"ad748fd1b7fee67d10a27b1bf925557cd7c8b2298ee0712d9a72293c763c435502cca950ac331f7686ebf2724e3ac460582c8c46a792050ce659432aef3bd58a\\" } ], \\"licenses\\": [ 
@@ -3141,13 +3136,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.5.2\\", \\"description\\": \\"Delicious, festive, cascading config/opts definitions\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"d1bb6723f1fc7f6a5abc630df30e349a548a39f4cad925499817c1795223de4370d2cc30833c91ab47794c954ec287459adbe93de58f37f30271fb961741336f\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"b4eee8148abb01dcf1d1ac34367d59e12fa61d6e\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"d1bb6723f1fc7f6a5abc630df30e349a548a39f4cad925499817c1795223de4370d2cc30833c91ab47794c954ec287459adbe93de58f37f30271fb961741336f\\" } ], \\"licenses\\": [ @@ -3217,13 +3212,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.1.1\\", \\"description\\": \\"Implementation of Function.prototype.bind\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"c88a2f033317e3db05f18979f1f482589e6cbd22ee6a26cfc5740914b98139b4ee0abd0c7f52a23e8a4633d3621638980426df69ad8587a6eb790e803554c8d0\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"a56899d3ea3c9bab874bb9773b7c5ede92f4895d\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"c88a2f033317e3db05f18979f1f482589e6cbd22ee6a26cfc5740914b98139b4ee0abd0c7f52a23e8a4633d3621638980426df69ad8587a6eb790e803554c8d0\\" } ], \\"licenses\\": [ 
@@ -3257,13 +3252,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"7.2.0\\", \\"description\\": \\"a little globber\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"9662dfea0b72acfabcb538d29ab3bde3005e41b151dc76cb1dbbb20faf70bb2424226a76856a8c181e3b397eb914190f7df3bae3520ff6359ad73e22bea1b6e9\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"d15535af7732e02e948f4c41628bd910293f6023\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"9662dfea0b72acfabcb538d29ab3bde3005e41b151dc76cb1dbbb20faf70bb2424226a76856a8c181e3b397eb914190f7df3bae3520ff6359ad73e22bea1b6e9\\" } ], \\"licenses\\": [ @@ -3296,13 +3291,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"4.2.10\\", \\"description\\": \\"A drop-in replacement for fs, making various improvements.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"f41ca1b2c4767cf56c3598f8efca9451b29f98bd3eb790435728d286dc9964b88aed90c002b1457e8a723938f4334e70136b493e2b00e224e79d79766283ef38\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"147d3a006da4ca3ce14728c7aefc287c367d7a6c\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"f41ca1b2c4767cf56c3598f8efca9451b29f98bd3eb790435728d286dc9964b88aed90c002b1457e8a723938f4334e70136b493e2b00e224e79d79766283ef38\\" } ], \\"licenses\\": [ 
@@ -3336,13 +3331,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.3\\", \\"description\\": \\"Object.prototype.hasOwnProperty.call shortcut\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"7f676f3b4554e8e7a3ed1916246ade8636f33008c5a79fd528fa79b53a56215e091c764ad7f0716c546d7ffb220364964ded3d71a0e656d618cd61086c14b8cf\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"722d7cbfc1f6aa8241f16dd814e011e1f41e8796\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"7f676f3b4554e8e7a3ed1916246ade8636f33008c5a79fd528fa79b53a56215e091c764ad7f0716c546d7ffb220364964ded3d71a0e656d618cd61086c14b8cf\\" } ], \\"licenses\\": [ @@ -3376,13 +3371,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.8.9\\", \\"description\\": \\"Provides metadata and conversions from repository urls for Github, Bitbucket and Gitlab\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"9b120301bf4bb26e83a0e27bc47fb9f97e32d4b53fe078b9d0bf42e6c22cc0adc9cd42d2e1bc24d45be374182f611e1bcd3e2db944220b5e451367f91db2ef63\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"dffc0bf9a21c02209090f2aa69429e1414daf3f9\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"9b120301bf4bb26e83a0e27bc47fb9f97e32d4b53fe078b9d0bf42e6c22cc0adc9cd42d2e1bc24d45be374182f611e1bcd3e2db944220b5e451367f91db2ef63\\" } ], \\"licenses\\": [ 
@@ -3451,13 +3446,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.0.4\\", \\"description\\": \\"Browser-friendly inheritance fully compatible with standard node.js inherits()\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"93fbc6697e3f6256b75b3c8c0af4d039761e207bea38ab67a8176ecd31e9ce9419cc0b2428c859d8af849c189233dcc64a820578ca572b16b8758799210a9ec1\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"0fa2c64f932917c3433a0ded55363aae37416b7c\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"93fbc6697e3f6256b75b3c8c0af4d039761e207bea38ab67a8176ecd31e9ce9419cc0b2428c859d8af849c189233dcc64a820578ca572b16b8758799210a9ec1\\" } ], \\"licenses\\": [ @@ -3491,13 +3486,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.8.1\\", \\"description\\": \\"Is this specifier a node.js core module?\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"49d34252cdbce21af8d2115314fea5d087d9fd14ab317177aa0a111dddffefdba7513beb14efc9a17c241a6fb927f39edc4fdbe46b271b7df4b94360469bb53c\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"f59fdfca701d5879d0a6b100a40aa1560ce27211\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"49d34252cdbce21af8d2115314fea5d087d9fd14ab317177aa0a111dddffefdba7513beb14efc9a17c241a6fb927f39edc4fdbe46b271b7df4b94360469bb53c\\" } ], \\"licenses\\": [ 
@@ -3531,13 +3526,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.3.1\\", \\"description\\": \\"JSON.parse with context information on error\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"c72170ca1ae8fc91287fa1a17b68b3d8d717a23dac96836c5abfd7b044432bfa223c27da36197938d7e9fa341d01945043420958dcc7f7321917b962f75921db\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"7c47805a94319928e05777405dc12e1f7a4ee02d\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"c72170ca1ae8fc91287fa1a17b68b3d8d717a23dac96836c5abfd7b044432bfa223c27da36197938d7e9fa341d01945043420958dcc7f7321917b962f75921db\\" } ], \\"licenses\\": [ @@ -3571,13 +3566,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.1.2\\", \\"description\\": \\"a glob matcher in javascript\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"27ba7ade1462023c35343130c355bb8b7efe07222b3963b95d0400cd9dd539c2f43cdc9bc297e657f374e73140cf043d512c84717eaddd43be2b96aa0503881f\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"19cd194bfd3e428f049a70817c038d89ab4be35b\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"27ba7ade1462023c35343130c355bb8b7efe07222b3963b95d0400cd9dd539c2f43cdc9bc297e657f374e73140cf043d512c84717eaddd43be2b96aa0503881f\\" } ], \\"licenses\\": [ 
@@ -3611,13 +3606,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.5.0\\", \\"description\\": \\"Normalizes data that can be found in package.json files.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"ff908c3774f44785d38f80dc19a7b1a3eae8652752156ff400e39344eae3c73086d70ad65c4b066d129ebe39482fe643138b19949af9103e185b4caa9a42be78\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"e66db1838b200c1dfc233225d12cb36520e234a8\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"ff908c3774f44785d38f80dc19a7b1a3eae8652752156ff400e39344eae3c73086d70ad65c4b066d129ebe39482fe643138b19949af9103e185b4caa9a42be78\\" } ], \\"licenses\\": [ @@ -3651,13 +3646,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.1\\", \\"description\\": \\"Turn any flavor of allowable package.json bin into a normalized object\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"10f7da7e5e892f9feb53ea2de8fde04520a93c35b95662335fde7d39bd7ec92154bae6075877a45e9c1d51970a3f90be0d2e0612d74996ec018e7b0d0e5f9f48\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"6e79a41f23fd235c0623218228da7d9c23b8f6e2\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"10f7da7e5e892f9feb53ea2de8fde04520a93c35b95662335fde7d39bd7ec92154bae6075877a45e9c1d51970a3f90be0d2e0612d74996ec018e7b0d0e5f9f48\\" } ], \\"licenses\\": [ 
@@ -3727,13 +3722,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"0.0.1\\", \\"description\\": \\"JavaScript library to parse and build \\\\\\"purl\\\\\\" aka. package URLs. This is a microlibrary implementing the purl spec at https://github.com/package-url\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"863333aba5ee03130c895e7950e2217fa6f25ca47d15cd38eb26eba060a98c6b49e4423d4091bd83f12b6283edd11194680af9d42eb1fa9c141bda5780b9daaa\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"ebd97e50cb812a1903b42c7950d9728acbf8d104\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"863333aba5ee03130c895e7950e2217fa6f25ca47d15cd38eb26eba060a98c6b49e4423d4091bd83f12b6283edd11194680af9d42eb1fa9c141bda5780b9daaa\\" } ], \\"licenses\\": [ @@ -3839,13 +3834,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.7\\", \\"description\\": \\"Node.js path.parse() ponyfill\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"2c32733d510410f47ecb8f33f7703411dd325dbf29001c865a8fe4e5861d620a58dbfd84b0eb24b09aeaee5387c6bcab54e9f57a31baa00a7c6a1bce2100fcb3\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"fbc114b60ca42b30d9daf5858e4bd68bbedb6735\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"2c32733d510410f47ecb8f33f7703411dd325dbf29001c865a8fe4e5861d620a58dbfd84b0eb24b09aeaee5387c6bcab54e9f57a31baa00a7c6a1bce2100fcb3\\" } ], \\"licenses\\": [ 
@@ -3951,13 +3946,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.1.2\\", \\"description\\": \\"The thing npm uses to read package.json files with semantics and defaults and validation\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"0f52a6b8b42be994894b4b56f217f7586a51970b3324e5d9dc4f1877f0cd45a33977ed7055165d1e5a4604b02ea2f8ebdbc2db5af8e95a4047331a511868f334\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"6992b2b66c7177259feb8eaac73c3acd28b9222a\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"0f52a6b8b42be994894b4b56f217f7586a51970b3324e5d9dc4f1877f0cd45a33977ed7055165d1e5a4604b02ea2f8ebdbc2db5af8e95a4047331a511868f334\\" } ], \\"licenses\\": [ @@ -3991,13 +3986,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.1.0\\", \\"description\\": \\"Like \`fs.readdir\` but handling \`@org/module\` dirs as if they were a single entry.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"6ac6a29037aa01083b2627d1b199f5349657a3d13e57097209f6e4661c322128a7aa4e73352eb6eba1d2e646a1e8fd1269028617a4a43676551d4cc7158c580f\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"8d45407b4f870a0dcaebc0e28670d18e74514309\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"6ac6a29037aa01083b2627d1b199f5349657a3d13e57097209f6e4661c322128a7aa4e73352eb6eba1d2e646a1e8fd1269028617a4a43676551d4cc7158c580f\\" } ], \\"licenses\\": [ 
@@ -4031,13 +4026,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.22.0\\", \\"description\\": \\"resolve like require.resolve() on behalf of files asynchronously and synchronously\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"1e1b6bc349cb792ac543ba613e9e0e39c5632cf21e327465af999c9d5b8c7bb33fede067f7c0378661512e8168dc32d9922bd26308515094f23f2580939e962f\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"5e0b8c67c15df57a89bdbabe603a002f21731198\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"1e1b6bc349cb792ac543ba613e9e0e39c5632cf21e327465af999c9d5b8c7bb33fede067f7c0378661512e8168dc32d9922bd26308515094f23f2580939e962f\\" } ], \\"licenses\\": [ @@ -4070,13 +4065,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"5.7.1\\", \\"description\\": \\"The semantic version parser used by npm.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"b1ab9a0dffcf65d560acb4cd60746da576b589188a71a79b88a435049769425587da50af7b141d5f9e6c9cf1722bb433a6e76a6c2234a9715f39ab0777234319\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"a954f931aeba508d307bbf069eff0c01c96116f7\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"b1ab9a0dffcf65d560acb4cd60746da576b589188a71a79b88a435049769425587da50af7b141d5f9e6c9cf1722bb433a6e76a6c2234a9715f39ab0777234319\\" } ], \\"licenses\\": [ 
@@ -4146,13 +4141,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.1.1\\", \\"description\\": \\"correct invalid SPDX expressions\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"70e61c516c210ae1c25e2e3d4611510b22442b788f8f5662cfd0e9562577b5b64ec170f8f50cc837732938b24dc61daac2ada524965a28c570f6a362e234c2d3\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"dece81ac9c1e6713e5f7d1b6f17d468fa53d89a9\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"70e61c516c210ae1c25e2e3d4611510b22442b788f8f5662cfd0e9562577b5b64ec170f8f50cc837732938b24dc61daac2ada524965a28c570f6a362e234c2d3\\" } ], \\"licenses\\": [ @@ -4186,13 +4181,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"2.3.0\\", \\"description\\": \\"list of SPDX standard license exceptions\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"fed4eb60e0bb3cf2359d4020c77e21529a97bb2246f834c72539c850b1b8ac3ca08b8c6efed7e09aad5ed5c211c11cf0660a3834bc928beae270b919930e22e4\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"3f28ce1a77a00372683eade4a433183527a2163d\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"fed4eb60e0bb3cf2359d4020c77e21529a97bb2246f834c72539c850b1b8ac3ca08b8c6efed7e09aad5ed5c211c11cf0660a3834bc928beae270b919930e22e4\\" } ], \\"licenses\\": [ 
@@ -4226,13 +4221,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.0.1\\", \\"description\\": \\"parse SPDX license expressions\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"71ba87ba7b105a724d13a2a155232c31e1f91ff2fd129ca66f3a93437b8bc0d08b675438f35a166a87ea1fb9cee95d3bc655f063a3e141d43621e756c7f64ae1\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"cf70f50482eefdc98e3ce0a6833e4a53ceeba679\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"71ba87ba7b105a724d13a2a155232c31e1f91ff2fd129ca66f3a93437b8bc0d08b675438f35a166a87ea1fb9cee95d3bc655f063a3e141d43621e756c7f64ae1\\" } ], \\"licenses\\": [ @@ -4266,13 +4261,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.0.11\\", \\"description\\": \\"A list of SPDX license identifiers\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"0ad97606b1623345f7300358823dc29328318519abf668bac617a36dd3bdeb49c5e840c90294d8a67d014270ca96734150b2a208dd67df0f440641caf195a0fa\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"50c0d8c40a14ec1bf449bae69a0ea4685a9d9f95\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"0ad97606b1623345f7300358823dc29328318519abf668bac617a36dd3bdeb49c5e840c90294d8a67d014270ca96734150b2a208dd67df0f440641caf195a0fa\\" } ], \\"licenses\\": [ 
@@ -4306,13 +4301,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"6.0.2\\", \\"description\\": \\"Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"71ea5b4aafe77852bbc41e80e74287374c470e8b58ceae7cc1609ae4b796aa73eb1c6f06cdf1233bfe0ef24a667065bea1ac64be110909681b80d938fd957ddd\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"157939134f20464e7301ddba3e90ffa8f7728ac5\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"71ea5b4aafe77852bbc41e80e74287374c470e8b58ceae7cc1609ae4b796aa73eb1c6f06cdf1233bfe0ef24a667065bea1ac64be110909681b80d938fd957ddd\\" } ], \\"licenses\\": [ @@ -4346,13 +4341,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.0.0\\", \\"description\\": \\"Determine if the current node version supports the \`--preserve-symlinks\` flag.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"a2dd169d74bd7e076480871e3dee911cd935580f3e9ae3dae9c4a3791dd5f0adbbabd041d6b4c4dd1d69ec7bf4cf567201cf2ce95beff0323259febcd4c02dd3\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"6eda4bd344a3c94aea376d4cc31bc77311039e09\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"a2dd169d74bd7e076480871e3dee911cd935580f3e9ae3dae9c4a3791dd5f0adbbabd041d6b4c4dd1d69ec7bf4cf567201cf2ce95beff0323259febcd4c02dd3\\" } ], \\"licenses\\": [ 
@@ -4386,13 +4381,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"1.19.11\\", \\"description\\": \\"URI.js is a Javascript library for working with URLs.\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"1d78050e00e89a6c67e7f6c8bf4727419b0f8470c0f7434f1c3ebe73fbf6d54e7e4b1e61a0ff3e74ff48657054d6021fbdd45f846f1c7a5f5034f7a2a277dc09\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"204b0d6b605ae80bea54bea39280cdb7c9f923cc\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"1d78050e00e89a6c67e7f6c8bf4727419b0f8470c0f7434f1c3ebe73fbf6d54e7e4b1e61a0ff3e74ff48657054d6021fbdd45f846f1c7a5f5034f7a2a277dc09\\" } ], \\"licenses\\": [ @@ -4460,13 +4455,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.4.0\\", \\"description\\": \\"RFC4122 (v1, v4, and v5) UUIDs\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"1e3483470ea0644e4932081cb4705c8d56a4d3cf8a1158522220f31674fd4bd69e826a7ce52fdb45e0554dbe104c5691369b49f64b9868d8676cd10e91b29bfc\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"b23e4358afa8a202fe7a100af1f5f883f02007ee\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"1e3483470ea0644e4932081cb4705c8d56a4d3cf8a1158522220f31674fd4bd69e826a7ce52fdb45e0554dbe104c5691369b49f64b9868d8676cd10e91b29bfc\\" } ], \\"licenses\\": [ 
@@ -4500,13 +4495,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"3.0.4\\", \\"description\\": \\"Give me a string and I'll tell you if it's a valid npm package license string\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"0e92a6d948bfc4deff1d0282b69671a11581859f59d24aadca01bc5c280d43c6650e7c6e4265a18f9eba8fc7cde02bb7fc999b86c0e8edf70026ae2cf61dbb13\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"fc91f6b9c7ba15c857f4cb2c5defeec39d4f410a\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"0e92a6d948bfc4deff1d0282b69671a11581859f59d24aadca01bc5c280d43c6650e7c6e4265a18f9eba8fc7cde02bb7fc999b86c0e8edf70026ae2cf61dbb13\\" } ], \\"licenses\\": [ @@ -4576,13 +4571,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"13.0.2\\", \\"description\\": \\"An XML builder for node.js\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"12ec748b641d0d829b75b03a00ceb11389ba65366be06e3117d91a848dae91210c0b3c1c7b6797f56953239277b3e354ee1a5ab05b2bf2158838d69eecb96e01\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"02ae33614b6a047d1c32b5389c1fdacb2bce47a7\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"12ec748b641d0d829b75b03a00ceb11389ba65366be06e3117d91a848dae91210c0b3c1c7b6797f56953239277b3e354ee1a5ab05b2bf2158838d69eecb96e01\\" } ], \\"licenses\\": [ 
@@ -4616,13 +4611,13 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js \\"version\\": \\"0.2.1\\", \\"description\\": \\"A W3C Standard XML DOM(Level2 CORE) implementation and parser(DOMParser/XMLSerializer).\\", \\"hashes\\": [ - { - \\"alg\\": \\"SHA-512\\", - \\"content\\": \\"9175e262f99b9488047a619e07be72f7b1726996afc7a490846a692f0e53296003d96774280972d20db77952e1d7b61ca716699c5ca6d5093f79a463cb500f3e\\" - }, { \\"alg\\": \\"SHA-1\\", \\"content\\": \\"cac9465066f161e1c3302793ea4dbe59c518274f\\" + }, + { + \\"alg\\": \\"SHA-512\\", + \\"content\\": \\"9175e262f99b9488047a619e07be72f7b1726996afc7a490846a692f0e53296003d96774280972d20db77952e1d7b61ca716699c5ca6d5093f79a463cb500f3e\\" } ], \\"licenses\\": [ @@ -4656,7 +4651,6 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js " - 2020-01-01T01:00:00.000Z CycloneDX @@ -4721,8 +4715,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.2 - de849e50ed13315ebb84dd4099b5ec2b8c9aa94eed8e21e56f144364ea47d0a5bdf82797e1b440697d009f1b74b71d8cae94695b041a3f02252121098585393f e83e3a7e3f300b34cb9d87f615fa0cbf357690ee + de849e50ed13315ebb84dd4099b5ec2b8c9aa94eed8e21e56f144364ea47d0a5bdf82797e1b440697d009f1b74b71d8cae94695b041a3f02252121098585393f @@ -4748,8 +4742,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.1.11 - 882b8f1c3160ac75fb1f6bc423fe71a73d3bcd21c1d344e9ba0aa1998b5598c3bae75f260ae44ca0e60595d101974835f3bb9fa3375a1e058a71815beb5a8688 3c7fcbf529d87226f3d2f52b966ff5271eb441dd + 882b8f1c3160ac75fb1f6bc423fe71a73d3bcd21c1d344e9ba0aa1998b5598c3bae75f260ae44ca0e60595d101974835f3bb9fa3375a1e058a71815beb5a8688 
@@ -4827,8 +4821,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.4 - ad748fd1b7fee67d10a27b1bf925557cd7c8b2298ee0712d9a72293c763c435502cca950ac331f7686ebf2724e3ac460582c8c46a792050ce659432aef3bd58a 751235260469084c132157dfa857f386d4c33d81 + ad748fd1b7fee67d10a27b1bf925557cd7c8b2298ee0712d9a72293c763c435502cca950ac331f7686ebf2724e3ac460582c8c46a792050ce659432aef3bd58a @@ -4854,8 +4848,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.5.2 - d1bb6723f1fc7f6a5abc630df30e349a548a39f4cad925499817c1795223de4370d2cc30833c91ab47794c954ec287459adbe93de58f37f30271fb961741336f b4eee8148abb01dcf1d1ac34367d59e12fa61d6e + d1bb6723f1fc7f6a5abc630df30e349a548a39f4cad925499817c1795223de4370d2cc30833c91ab47794c954ec287459adbe93de58f37f30271fb961741336f @@ -4907,8 +4901,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.1.1 - c88a2f033317e3db05f18979f1f482589e6cbd22ee6a26cfc5740914b98139b4ee0abd0c7f52a23e8a4633d3621638980426df69ad8587a6eb790e803554c8d0 a56899d3ea3c9bab874bb9773b7c5ede92f4895d + c88a2f033317e3db05f18979f1f482589e6cbd22ee6a26cfc5740914b98139b4ee0abd0c7f52a23e8a4633d3621638980426df69ad8587a6eb790e803554c8d0 @@ -4934,8 +4928,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 7.2.0 - 9662dfea0b72acfabcb538d29ab3bde3005e41b151dc76cb1dbbb20faf70bb2424226a76856a8c181e3b397eb914190f7df3bae3520ff6359ad73e22bea1b6e9 d15535af7732e02e948f4c41628bd910293f6023 + 9662dfea0b72acfabcb538d29ab3bde3005e41b151dc76cb1dbbb20faf70bb2424226a76856a8c181e3b397eb914190f7df3bae3520ff6359ad73e22bea1b6e9 
@@ -4960,8 +4954,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 4.2.10 - f41ca1b2c4767cf56c3598f8efca9451b29f98bd3eb790435728d286dc9964b88aed90c002b1457e8a723938f4334e70136b493e2b00e224e79d79766283ef38 147d3a006da4ca3ce14728c7aefc287c367d7a6c + f41ca1b2c4767cf56c3598f8efca9451b29f98bd3eb790435728d286dc9964b88aed90c002b1457e8a723938f4334e70136b493e2b00e224e79d79766283ef38 @@ -4987,8 +4981,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.3 - 7f676f3b4554e8e7a3ed1916246ade8636f33008c5a79fd528fa79b53a56215e091c764ad7f0716c546d7ffb220364964ded3d71a0e656d618cd61086c14b8cf 722d7cbfc1f6aa8241f16dd814e011e1f41e8796 + 7f676f3b4554e8e7a3ed1916246ade8636f33008c5a79fd528fa79b53a56215e091c764ad7f0716c546d7ffb220364964ded3d71a0e656d618cd61086c14b8cf @@ -5014,8 +5008,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.8.9 - 9b120301bf4bb26e83a0e27bc47fb9f97e32d4b53fe078b9d0bf42e6c22cc0adc9cd42d2e1bc24d45be374182f611e1bcd3e2db944220b5e451367f91db2ef63 dffc0bf9a21c02209090f2aa69429e1414daf3f9 + 9b120301bf4bb26e83a0e27bc47fb9f97e32d4b53fe078b9d0bf42e6c22cc0adc9cd42d2e1bc24d45be374182f611e1bcd3e2db944220b5e451367f91db2ef63 @@ -5066,8 +5060,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.0.4 - 93fbc6697e3f6256b75b3c8c0af4d039761e207bea38ab67a8176ecd31e9ce9419cc0b2428c859d8af849c189233dcc64a820578ca572b16b8758799210a9ec1 0fa2c64f932917c3433a0ded55363aae37416b7c + 93fbc6697e3f6256b75b3c8c0af4d039761e207bea38ab67a8176ecd31e9ce9419cc0b2428c859d8af849c189233dcc64a820578ca572b16b8758799210a9ec1 
@@ -5093,8 +5087,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.8.1 - 49d34252cdbce21af8d2115314fea5d087d9fd14ab317177aa0a111dddffefdba7513beb14efc9a17c241a6fb927f39edc4fdbe46b271b7df4b94360469bb53c f59fdfca701d5879d0a6b100a40aa1560ce27211 + 49d34252cdbce21af8d2115314fea5d087d9fd14ab317177aa0a111dddffefdba7513beb14efc9a17c241a6fb927f39edc4fdbe46b271b7df4b94360469bb53c @@ -5120,8 +5114,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.3.1 - c72170ca1ae8fc91287fa1a17b68b3d8d717a23dac96836c5abfd7b044432bfa223c27da36197938d7e9fa341d01945043420958dcc7f7321917b962f75921db 7c47805a94319928e05777405dc12e1f7a4ee02d + c72170ca1ae8fc91287fa1a17b68b3d8d717a23dac96836c5abfd7b044432bfa223c27da36197938d7e9fa341d01945043420958dcc7f7321917b962f75921db @@ -5147,8 +5141,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.1.2 - 27ba7ade1462023c35343130c355bb8b7efe07222b3963b95d0400cd9dd539c2f43cdc9bc297e657f374e73140cf043d512c84717eaddd43be2b96aa0503881f 19cd194bfd3e428f049a70817c038d89ab4be35b + 27ba7ade1462023c35343130c355bb8b7efe07222b3963b95d0400cd9dd539c2f43cdc9bc297e657f374e73140cf043d512c84717eaddd43be2b96aa0503881f @@ -5174,8 +5168,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.5.0 - ff908c3774f44785d38f80dc19a7b1a3eae8652752156ff400e39344eae3c73086d70ad65c4b066d129ebe39482fe643138b19949af9103e185b4caa9a42be78 e66db1838b200c1dfc233225d12cb36520e234a8 + ff908c3774f44785d38f80dc19a7b1a3eae8652752156ff400e39344eae3c73086d70ad65c4b066d129ebe39482fe643138b19949af9103e185b4caa9a42be78 
@@ -5201,8 +5195,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.1 - 10f7da7e5e892f9feb53ea2de8fde04520a93c35b95662335fde7d39bd7ec92154bae6075877a45e9c1d51970a3f90be0d2e0612d74996ec018e7b0d0e5f9f48 6e79a41f23fd235c0623218228da7d9c23b8f6e2 + 10f7da7e5e892f9feb53ea2de8fde04520a93c35b95662335fde7d39bd7ec92154bae6075877a45e9c1d51970a3f90be0d2e0612d74996ec018e7b0d0e5f9f48 @@ -5254,8 +5248,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 0.0.1 - 863333aba5ee03130c895e7950e2217fa6f25ca47d15cd38eb26eba060a98c6b49e4423d4091bd83f12b6283edd11194680af9d42eb1fa9c141bda5780b9daaa ebd97e50cb812a1903b42c7950d9728acbf8d104 + 863333aba5ee03130c895e7950e2217fa6f25ca47d15cd38eb26eba060a98c6b49e4423d4091bd83f12b6283edd11194680af9d42eb1fa9c141bda5780b9daaa @@ -5333,8 +5327,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.7 - 2c32733d510410f47ecb8f33f7703411dd325dbf29001c865a8fe4e5861d620a58dbfd84b0eb24b09aeaee5387c6bcab54e9f57a31baa00a7c6a1bce2100fcb3 fbc114b60ca42b30d9daf5858e4bd68bbedb6735 + 2c32733d510410f47ecb8f33f7703411dd325dbf29001c865a8fe4e5861d620a58dbfd84b0eb24b09aeaee5387c6bcab54e9f57a31baa00a7c6a1bce2100fcb3 @@ -5412,8 +5406,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.1.2 - 0f52a6b8b42be994894b4b56f217f7586a51970b3324e5d9dc4f1877f0cd45a33977ed7055165d1e5a4604b02ea2f8ebdbc2db5af8e95a4047331a511868f334 6992b2b66c7177259feb8eaac73c3acd28b9222a + 0f52a6b8b42be994894b4b56f217f7586a51970b3324e5d9dc4f1877f0cd45a33977ed7055165d1e5a4604b02ea2f8ebdbc2db5af8e95a4047331a511868f334 
@@ -5439,8 +5433,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.1.0 - 6ac6a29037aa01083b2627d1b199f5349657a3d13e57097209f6e4661c322128a7aa4e73352eb6eba1d2e646a1e8fd1269028617a4a43676551d4cc7158c580f 8d45407b4f870a0dcaebc0e28670d18e74514309 + 6ac6a29037aa01083b2627d1b199f5349657a3d13e57097209f6e4661c322128a7aa4e73352eb6eba1d2e646a1e8fd1269028617a4a43676551d4cc7158c580f @@ -5466,8 +5460,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.22.0 - 1e1b6bc349cb792ac543ba613e9e0e39c5632cf21e327465af999c9d5b8c7bb33fede067f7c0378661512e8168dc32d9922bd26308515094f23f2580939e962f 5e0b8c67c15df57a89bdbabe603a002f21731198 + 1e1b6bc349cb792ac543ba613e9e0e39c5632cf21e327465af999c9d5b8c7bb33fede067f7c0378661512e8168dc32d9922bd26308515094f23f2580939e962f @@ -5492,8 +5486,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 5.7.1 - b1ab9a0dffcf65d560acb4cd60746da576b589188a71a79b88a435049769425587da50af7b141d5f9e6c9cf1722bb433a6e76a6c2234a9715f39ab0777234319 a954f931aeba508d307bbf069eff0c01c96116f7 + b1ab9a0dffcf65d560acb4cd60746da576b589188a71a79b88a435049769425587da50af7b141d5f9e6c9cf1722bb433a6e76a6c2234a9715f39ab0777234319 @@ -5545,8 +5539,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.1.1 - 70e61c516c210ae1c25e2e3d4611510b22442b788f8f5662cfd0e9562577b5b64ec170f8f50cc837732938b24dc61daac2ada524965a28c570f6a362e234c2d3 dece81ac9c1e6713e5f7d1b6f17d468fa53d89a9 + 70e61c516c210ae1c25e2e3d4611510b22442b788f8f5662cfd0e9562577b5b64ec170f8f50cc837732938b24dc61daac2ada524965a28c570f6a362e234c2d3 
@@ -5572,8 +5566,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 2.3.0 - fed4eb60e0bb3cf2359d4020c77e21529a97bb2246f834c72539c850b1b8ac3ca08b8c6efed7e09aad5ed5c211c11cf0660a3834bc928beae270b919930e22e4 3f28ce1a77a00372683eade4a433183527a2163d + fed4eb60e0bb3cf2359d4020c77e21529a97bb2246f834c72539c850b1b8ac3ca08b8c6efed7e09aad5ed5c211c11cf0660a3834bc928beae270b919930e22e4 @@ -5599,8 +5593,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.0.1 - 71ba87ba7b105a724d13a2a155232c31e1f91ff2fd129ca66f3a93437b8bc0d08b675438f35a166a87ea1fb9cee95d3bc655f063a3e141d43621e756c7f64ae1 cf70f50482eefdc98e3ce0a6833e4a53ceeba679 + 71ba87ba7b105a724d13a2a155232c31e1f91ff2fd129ca66f3a93437b8bc0d08b675438f35a166a87ea1fb9cee95d3bc655f063a3e141d43621e756c7f64ae1 @@ -5626,8 +5620,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.0.11 - 0ad97606b1623345f7300358823dc29328318519abf668bac617a36dd3bdeb49c5e840c90294d8a67d014270ca96734150b2a208dd67df0f440641caf195a0fa 50c0d8c40a14ec1bf449bae69a0ea4685a9d9f95 + 0ad97606b1623345f7300358823dc29328318519abf668bac617a36dd3bdeb49c5e840c90294d8a67d014270ca96734150b2a208dd67df0f440641caf195a0fa @@ -5653,8 +5647,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 6.0.2 - 71ea5b4aafe77852bbc41e80e74287374c470e8b58ceae7cc1609ae4b796aa73eb1c6f06cdf1233bfe0ef24a667065bea1ac64be110909681b80d938fd957ddd 157939134f20464e7301ddba3e90ffa8f7728ac5 + 71ea5b4aafe77852bbc41e80e74287374c470e8b58ceae7cc1609ae4b796aa73eb1c6f06cdf1233bfe0ef24a667065bea1ac64be110909681b80d938fd957ddd 
@@ -5680,8 +5674,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.0.0 - a2dd169d74bd7e076480871e3dee911cd935580f3e9ae3dae9c4a3791dd5f0adbbabd041d6b4c4dd1d69ec7bf4cf567201cf2ce95beff0323259febcd4c02dd3 6eda4bd344a3c94aea376d4cc31bc77311039e09 + a2dd169d74bd7e076480871e3dee911cd935580f3e9ae3dae9c4a3791dd5f0adbbabd041d6b4c4dd1d69ec7bf4cf567201cf2ce95beff0323259febcd4c02dd3 @@ -5707,8 +5701,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 1.19.11 - 1d78050e00e89a6c67e7f6c8bf4727419b0f8470c0f7434f1c3ebe73fbf6d54e7e4b1e61a0ff3e74ff48657054d6021fbdd45f846f1c7a5f5034f7a2a277dc09 204b0d6b605ae80bea54bea39280cdb7c9f923cc + 1d78050e00e89a6c67e7f6c8bf4727419b0f8470c0f7434f1c3ebe73fbf6d54e7e4b1e61a0ff3e74ff48657054d6021fbdd45f846f1c7a5f5034f7a2a277dc09 @@ -5758,8 +5752,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.4.0 - 1e3483470ea0644e4932081cb4705c8d56a4d3cf8a1158522220f31674fd4bd69e826a7ce52fdb45e0554dbe104c5691369b49f64b9868d8676cd10e91b29bfc b23e4358afa8a202fe7a100af1f5f883f02007ee + 1e3483470ea0644e4932081cb4705c8d56a4d3cf8a1158522220f31674fd4bd69e826a7ce52fdb45e0554dbe104c5691369b49f64b9868d8676cd10e91b29bfc @@ -5785,8 +5779,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 3.0.4 - 0e92a6d948bfc4deff1d0282b69671a11581859f59d24aadca01bc5c280d43c6650e7c6e4265a18f9eba8fc7cde02bb7fc999b86c0e8edf70026ae2cf61dbb13 fc91f6b9c7ba15c857f4cb2c5defeec39d4f410a + 0e92a6d948bfc4deff1d0282b69671a11581859f59d24aadca01bc5c280d43c6650e7c6e4265a18f9eba8fc7cde02bb7fc999b86c0e8edf70026ae2cf61dbb13 
@@ -5838,8 +5832,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 13.0.2 - 12ec748b641d0d829b75b03a00ceb11389ba65366be06e3117d91a848dae91210c0b3c1c7b6797f56953239277b3e354ee1a5ab05b2bf2158838d69eecb96e01 02ae33614b6a047d1c32b5389c1fdacb2bce47a7 + 12ec748b641d0d829b75b03a00ceb11389ba65366be06e3117d91a848dae91210c0b3c1c7b6797f56953239277b3e354ee1a5ab05b2bf2158838d69eecb96e01 @@ -5865,8 +5859,8 @@ exports[`integration: produce a BOM verify conversion of yarn.lock to package.js 0.2.1 - 9175e262f99b9488047a619e07be72f7b1726996afc7a490846a692f0e53296003d96774280972d20db77952e1d7b61ca716699c5ca6d5093f79a463cb500f3e cac9465066f161e1c3302793ea4dbe59c518274f + 9175e262f99b9488047a619e07be72f7b1726996afc7a490846a692f0e53296003d96774280972d20db77952e1d7b61ca716699c5ca6d5093f79a463cb500f3e @@ -5896,7 +5890,6 @@ exports[`integration: produce a BOM when all dependencies are dev-dependencies t \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -5994,7 +5987,6 @@ exports[`integration: produce a BOM when all dependencies are dev-dependencies t " - 2020-01-01T01:00:00.000Z CycloneDX @@ -6072,7 +6064,6 @@ exports[`integration: produce a BOM when all dependencies are dev-dependencies t \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -6097,7 +6088,6 @@ exports[`integration: produce a BOM when all dependencies are dev-dependencies t " - 2020-01-01T01:00:00.000Z CycloneDX @@ -6122,7 +6112,6 @@ exports[`integration: produce a BOM when no package-lock.json is present as JSON \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", 
@@ -6170,7 +6159,6 @@ exports[`integration: produce a BOM when no package-lock.json is present as XML " - 2020-01-01T01:00:00.000Z CycloneDX @@ -6213,7 +6201,6 @@ exports[`integration: produce a BOM when there is no name in the root package as \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -6309,7 +6296,6 @@ exports[`integration: produce a BOM when there is no name in the root package as " - 2020-01-01T01:00:00.000Z CycloneDX @@ -6386,7 +6372,6 @@ exports[`integration: produce a BOM with development dependencies as JSON 1`] = \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -8049,7 +8034,6 @@ exports[`integration: produce a BOM with development dependencies as XML 1`] = ` " - 2020-01-01T01:00:00.000Z CycloneDX @@ -9257,7 +9241,6 @@ exports[`integration: produce a BOM without development dependencies as JSON 1`] \\"specVersion\\": \\"1.3\\", \\"version\\": 1, \\"metadata\\": { - \\"timestamp\\": \\"2020-01-01T01:00:00.000Z\\", \\"tools\\": [ { \\"vendor\\": \\"CycloneDX\\", @@ -10884,7 +10867,6 @@ exports[`integration: produce a BOM without development dependencies as XML 1`] " - 2020-01-01T01:00:00.000Z CycloneDX diff --git a/tests/integration/index.test.js b/tests/integration/index.test.js index d2735feb..be0812be 100644 --- a/tests/integration/index.test.js +++ b/tests/integration/index.test.js @@ -24,11 +24,9 @@ const path = require('path') const bomHelpers = require('../../index.js') const Bom = require('../../model/Bom.js') -const timestamp = new Date('2020-01-01T01:00:00.000Z') const programVersion = '3.0.0' describe('integration:', () => { - const strCompare = (new Intl.Collator()).compare describe.each( [ { 
@@ -87,12 +85,8 @@ describe('integration:', () => { expect(err).toBeNull() expect(bom).toBeInstanceOf(Bom) - bom.metadata.timestamp = timestamp bom.metadata.tools[0].version = programVersion - if (bom.components) { - // sort components to have consistency in results - bom.components.sort((a, b) => strCompare(`${a.purl}`, `${b.purl}`)) - } + process.env.BOM_REPRODUCIBLE = '1' const result = bom[`to${target}`]() expect(result).toMatchSnapshot() diff --git a/tests/model/Component.test.js b/tests/model/Component.test.js index eb4e8e83..9bd96e5d 100644 --- a/tests/model/Component.test.js +++ b/tests/model/Component.test.js @@ -85,7 +85,7 @@ test('Model: Component / Format: JSON', () => { describe('Model: Component', () => { describe.each([ { - purpose: 'constructed wit author', + purpose: 'constructed with author', // issue: https://github.com/CycloneDX/cyclonedx-node-module/issues/246 pkg: { name: 'test', author: { name: 'Foo Bar' } }, property: 'author', 
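Review bot: `process.env.BOM_REPRODUCIBLE = '1'` is assigned inside the test body and never cleared, so the reproducible mode leaks to every test that runs later in the same process (and to any other file a reused jest worker picks up); that kind of hidden global state makes a later snapshot mismatch hard to explain. Scope the switch to this suite by setting it in `beforeAll` and restoring the previous value in `afterAll`. Since this hunk also drops the timestamp pinning, the snapshots no longer exercise the default output at all; keeping one case that runs without the variable and asserts `bom.metadata.timestamp` is present would guard the non-reproducible path, though I can only infer from HISTORY that the library omits it in reproducible mode. The enclosing `describe`/test callbacks start before this hunk.
```javascript
describe('integration:', () => {
  let previousReproducible
  beforeAll(() => {
    previousReproducible = process.env.BOM_REPRODUCIBLE
    process.env.BOM_REPRODUCIBLE = '1'
  })
  afterAll(() => {
    if (previousReproducible === undefined) {
      delete process.env.BOM_REPRODUCIBLE
    } else {
      process.env.BOM_REPRODUCIBLE = previousReproducible
    }
  })
  // … unchanged: describe.each(...) cases and the test body, minus the process.env assignment …
```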
@@ -118,6 +118,63 @@ describe('Model: Component set empty version results in undefined', () => { expect(component.version).toBeUndefined() }) +describe('Model: Component compare', () => { + it.each( + [ + { + purpose: 'same', + a: new Component({ name: '@foo/bar', version: '1' }), + b: new Component({ name: '@foo/bar', version: '1' }), + expected: 0 + }, + { + purpose: 'group a/b', + a: new Component({ name: '@a/bar', version: '1' }), + b: new Component({ name: '@b/bar', version: '1' }), + expected: -1 + }, + { + purpose: 'group b/a', + a: new Component({ name: '@b/bar', version: '1' }), + b: new Component({ name: '@a/bar', version: '1' }), + expected: +1 + }, + { + purpose: 'group a/b', + a: new Component({ name: '@a/bar', version: '1' }), + b: new Component({ name: '@b/bar', version: '1' }), + expected: -1 + }, + { + purpose: 'name a/b', + a: new Component({ name: '@foo/a', version: '1' }), + b: new Component({ name: '@foo/b', version: '1' }), + expected: -1 + }, + { + purpose: 'name b/a', + a: new Component({ name: '@foo/b', version: '1' }), + b: new Component({ name: '@foo/a', version: '1' }), + expected: +1 + }, + { + purpose: 'version 1/2', + a: new Component({ name: '@foo/bar', version: '1' }), + b: new Component({ name: '@foo/bar', version: '2' }), + expected: -1 + }, + { + purpose: 'version 2/1', + a: new Component({ name: '@foo/bar', version: '2' }), + b: new Component({ name: '@foo/bar', version: '1' }), + expected: +1 + } + ] + )('$purpose', ({ a, b, expected }) => { + expect(a.compare(b)).toBe(expected) + }) +}) + function testPropertyAndNormalization ({ component, propertyName, expectedProperty, expectedNormalized }) { test('detects expected', () => { expect(component[propertyName]).toEqual(expectedProperty)
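Review bot: The `'group a/b'` case appears twice with identical inputs in the new `it.each` table, so the second copy adds no coverage and should be dropped or replaced by a case that is actually missing — a component without a group against one with a group, or two components with equal group/name/version but different `purl`, which HISTORY says `compare()` consults first. The assertions also pin exact `-1`/`+1` results; if `compare()` is built on `localeCompare` or an `Intl.Collator`, only the sign is specified, so `expect(Math.sign(a.compare(b))).toBe(expected)` would be the more robust check. Whether the constructor splits `'@a/bar'` into group and name is inferred from the case names here, not visible in this hunk.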