From caaea9fa1272c032ce27df658ad5da009f76f0cf Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 12:33:51 +0200 Subject: [PATCH 1/8] chore: publish_vex_vdr Signed-off-by: Jan Kowalleck --- security.cdx.json | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 security.cdx.json diff --git a/security.cdx.json b/security.cdx.json new file mode 100644 index 000000000..4409ac316 --- /dev/null +++ b/security.cdx.json @@ -0,0 +1,32 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "serialNumber": "urn:uuid:472bda2e-8d12-4ee5-af87-29b0bf1b348e", + "version": 1, + "metadata": { + "component": { + "bom-ref": "@cyclonedx/cyclonedx-library", + "type": "library", + "group": "cyclonedx", + "name": "cyclonedx-library", + "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).", + "externalReferences": [ + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-javascript-library" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues" + } + ] + }, + "authors": [ + { + "name": "Jan Kowalleck", + "email": "jan.kowalleck@owasp.org" + } + ] + } +} From 329028f9d3262809f1dcda3e1dfad88da8658e6d Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:38:07 +0200 Subject: [PATCH 2/8] validate 
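Review bot: `metadata.component` carries `bom-ref`, `group`, `name` and `description` but no `version` or `purl`, so a consumer of this VEX/VDR cannot tell which release of `@cyclonedx/cyclonedx-library` the document speaks for. `metadata` also has no `timestamp`, and the file has no `vulnerabilities` array at all, so as published it records neither when the statement was made nor any statement about a vulnerability. Consider adding `"version": "<release version>"` and `"purl": "pkg:npm/%40cyclonedx/cyclonedx-library@<release version>"` to the component and a `"timestamp"` to `metadata` (placeholders to be filled at publish time), and bumping the top-level `"version": 1` whenever the document is re-issued under the same `serialNumber`.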
Signed-off-by: Jan Kowalleck --- .github/workflows/nodejs.yml | 29 ++++++++++++ security.cdx.json => SECURITY.cdx.json | 0 tools/cdx-json-schema-validator/.gitignore | 6 +++ tools/cdx-json-schema-validator/.npmrc | 5 +++ .../eslint.config.mjs | 37 +++++++++++++++ tools/cdx-json-schema-validator/package.json | 17 +++++++ tools/cdx-json-schema-validator/validate.js | 45 +++++++++++++++++++ 7 files changed, 139 insertions(+) rename security.cdx.json => SECURITY.cdx.json (100%) create mode 100644 tools/cdx-json-schema-validator/.gitignore create mode 100644 tools/cdx-json-schema-validator/.npmrc create mode 100644 tools/cdx-json-schema-validator/eslint.config.mjs create mode 100644 tools/cdx-json-schema-validator/package.json create mode 100644 tools/cdx-json-schema-validator/validate.js diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index bc357156b..732d57074 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -455,6 +455,7 @@ jobs: run: npm run build working-directory: ${{ env.EXAMPLE_DIR }} + api-doc: name: api-doc ${{ matrix.target }} runs-on: "ubuntu-latest" 
@@ -487,3 +488,31 @@ jobs: echo "::endgroup::" - name: api-doc ${{ matrix.target }} run: npm run api-doc:${{ matrix.target }} + + + validate-VEX-VDR: + needs: [ 'build' ] + name: validate VEX/VDR + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@v4 + - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }} + # see https://github.com/actions/setup-node + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_ACTIVE_LTS }} + - name: fetch build artifact 'node' + # see https://github.com/actions/download-artifact + uses: actions/download-artifact@v4 + with: + name: dist.node + path: dist.node + - name: setup library + run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly + working-directory: tools/cdx-json-schema-validator + - name: validate + run: node tools/cdx-json-schema-validator/validate.js SECURITY.cdx.json + diff --git a/security.cdx.json b/SECURITY.cdx.json similarity index 100% rename from security.cdx.json rename to SECURITY.cdx.json diff --git a/tools/cdx-json-schema-validator/.gitignore b/tools/cdx-json-schema-validator/.gitignore new file mode 100644 index 000000000..f2279a53d --- /dev/null +++ b/tools/cdx-json-schema-validator/.gitignore @@ -0,0 +1,6 @@ +* +!/.gitignore +!/package.json +!/validate.js +!/.npmrc +!/eslint.config.mjs diff --git a/tools/cdx-json-schema-validator/.npmrc b/tools/cdx-json-schema-validator/.npmrc new file mode 100644 index 000000000..147970caf --- /dev/null +++ b/tools/cdx-json-schema-validator/.npmrc @@ -0,0 +1,5 @@ +; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config + +package-lock=false +engine-strict=true +omit=peer # don't install them automatically; we take cate of them! diff --git a/tools/cdx-json-schema-validator/eslint.config.mjs b/tools/cdx-json-schema-validator/eslint.config.mjs new file mode 100644 index 000000000..6483e71a7 --- /dev/null 
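Review bot: The new `validate-VEX-VDR` job declares no `permissions:` block; its steps only check out the repository, download an artifact and run node, so `permissions: { contents: read }` at the job level would bound the default `GITHUB_TOKEN` to what the job needs — unless the workflow already sets a restrictive top-level default outside this hunk, which is not visible here. The `npm i … --loglevel=silly` step will dump the complete dependency resolution into the job log on every run; `--loglevel=info` is usually enough outside of debugging. The `uses: actions/…@v4` references follow a mutable tag; if the rest of the workflow pins actions to a commit SHA, these three steps should do the same for consistency.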
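Review bot: The inline comment on the `omit=peer` line has a typo, `cate` should be `care`: `omit=peer # don't install them automatically; we take care of them!`. npm's ini parser should strip an unquoted inline `#` comment so the value still reads as `peer`, but moving the remark to its own `;` line above the key, the style the file's first line already uses, avoids relying on that behaviour.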
+++ b/tools/cdx-json-schema-validator/eslint.config.mjs @@ -0,0 +1,37 @@ +/*! +This file is part of CycloneDX JavaScript Library. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +SPDX-License-Identifier: Apache-2.0 +Copyright (c) OWASP Foundation. All Rights Reserved. +*/ + +import baseCfg, { globals } from '../code-style/eslint.config.mjs' + +/* eslint-disable jsdoc/valid-types */ + +/** + * @type {import('@types/eslint').Linter.FlatConfig[]} + * @see {@link https://eslint.org/} + */ +export default [ + ...baseCfg, + { + files: ['**/*.js'], + languageOptions: { + sourceType: 'module', + globals: globals.node, + } + }, +] diff --git a/tools/cdx-json-schema-validator/package.json b/tools/cdx-json-schema-validator/package.json new file mode 100644 index 000000000..77fc7ed1e --- /dev/null +++ b/tools/cdx-json-schema-validator/package.json @@ -0,0 +1,17 @@ +{ + "private": true, + "name": "@cyclonedx/cyclonedx-javascript-library/tools/cdx-json-schema-validator", + "license": "Apache-2.0", + "type": "module", + "main": "validate.js", + "dependencies": { + "@cyclonedx/cyclonedx-library": "file:../.." + }, + "scripts": { + "download": "node download.js", + "cs-fix": "npm --prefix ../code-style exec -- eslint --fix ." + }, + "engines": { + "node": ">=20.18" + } +} diff --git a/tools/cdx-json-schema-validator/validate.js b/tools/cdx-json-schema-validator/validate.js new file mode 100644 index 000000000..25f7ae8b9 --- /dev/null +++ b/tools/cdx-json-schema-validator/validate.js 
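Review bot: The `download` script runs `node download.js`, but no `download.js` is added in this patch and the tool's new `.gitignore` whitelists only `.gitignore`, `package.json`, `validate.js`, `.npmrc` and `eslint.config.mjs`, so the script points at a file that cannot exist in the checkout. If it is a leftover from a copied template, drop it and keep `"scripts": { "cs-fix": "npm --prefix ../code-style exec -- eslint --fix ." }`; otherwise add the file together with a `!/download.js` line in `.gitignore`. A `"validate": "node validate.js"` script would also let the workflow call the tool through npm instead of a hard-coded path.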
@@ -0,0 +1,45 @@ +/*! +This file is part of CycloneDX JavaScript Library. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +SPDX-License-Identifier: Apache-2.0 +Copyright (c) OWASP Foundation. All Rights Reserved. +*/ + +import CDX from "@cyclonedx/cyclonedx-library" +import {readFile} from 'node:fs/promises'; + +const args = process.argv.slice(2); +if (args.length !== 1) { + console.error("missing args"); + process.exit(1); +} +const [filePath] = args +console.debug('filePath', filePath) + +const json = await readFile(filePath, 'utf8') +const data = JSON.parse(json); + +const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom\-(\d+\.\d+)\.schema\.json$/ +const specVersion = data['$schema'].match(CDX_JSON_SCHEMA_RE)[1] +const validator = new CDX.Validation.JsonStrictValidator(specVersion) + +const validationError = await validator.validate(json) +if (validationError !== null) { + console.error('validation error', validationError) + process.exit(2); +} + +console.info('valid') +process.exit(0) From dcb2833e4dbc31cf8c9b0c65e3168458e7829ef6 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:43:02 +0200 Subject: [PATCH 3/8] validate Signed-off-by: Jan Kowalleck --- tools/cdx-json-schema-validator/package.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/cdx-json-schema-validator/package.json b/tools/cdx-json-schema-validator/package.json index 77fc7ed1e..d037673c7 100644 --- a/tools/cdx-json-schema-validator/package.json 
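Review bot: `data['$schema'].match(CDX_JSON_SCHEMA_RE)[1]` throws a TypeError whenever the parsed document is not an object, has no `$schema`, or uses a schema URL the regex does not accept, so a malformed or foreign document ends in an uncaught exception and a stack trace instead of a clear message and a distinct exit code. The same unguarded line survives the reformat in PATCH 6/8. Guarding the match and exiting with its own code keeps the tool's exit-status contract explicit for the CI job that calls it (the exit code `3` below is a constructed example). `JSON.parse` on a malformed file likewise surfaces as an uncaught exception; a `try`/`catch` that prints `filePath` alongside the error would make failures in the workflow log easier to read.
```javascript
// … unchanged: license header, imports, argument handling, readFile/JSON.parse …
const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom-(\d+\.\d+)\.schema\.json$/
const schemaMatch = typeof data?.$schema === 'string'
  ? data.$schema.match(CDX_JSON_SCHEMA_RE)
  : null
if (schemaMatch === null) {
  console.error('unsupported or missing $schema', data?.$schema)
  process.exit(3)
}
const specVersion = schemaMatch[1]
// … unchanged: validator construction and result handling …
```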
+++ b/tools/cdx-json-schema-validator/package.json @@ -5,7 +5,10 @@ "type": "module", "main": "validate.js", "dependencies": { - "@cyclonedx/cyclonedx-library": "file:../.." + "@cyclonedx/cyclonedx-library": "file:../..", + "ajv": "^8.12.0", + "ajv-formats": "^3.0.1", + "ajv-formats-draft2019": "^1.6.1" }, "scripts": { "download": "node download.js", From 1f591a9d16c232a7fe3a3946bc68d431069af815 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:44:21 +0200 Subject: [PATCH 4/8] validate Signed-off-by: Jan Kowalleck --- tools/cdx-json-schema-validator/package.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tools/cdx-json-schema-validator/package.json b/tools/cdx-json-schema-validator/package.json index d037673c7..77fc7ed1e 100644 --- a/tools/cdx-json-schema-validator/package.json +++ b/tools/cdx-json-schema-validator/package.json @@ -5,10 +5,7 @@ "type": "module", "main": "validate.js", "dependencies": { - "@cyclonedx/cyclonedx-library": "file:../..", - "ajv": "^8.12.0", - "ajv-formats": "^3.0.1", - "ajv-formats-draft2019": "^1.6.1" + "@cyclonedx/cyclonedx-library": "file:../.." }, "scripts": { "download": "node download.js", From 170fd00a06c01dd2978e7707c498f6ca52bf7854 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:46:53 +0200 Subject: [PATCH 5/8] validate Signed-off-by: Jan Kowalleck --- .github/workflows/nodejs.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index 732d57074..0a539e0ca 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml 
@@ -512,6 +512,8 @@ jobs: path: dist.node - name: setup library run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly + - name: setup tool + run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly working-directory: tools/cdx-json-schema-validator - name: validate run: node tools/cdx-json-schema-validator/validate.js SECURITY.cdx.json From e8d5819188a97308cae8504b4f4dd4bb1e2db272 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:55:24 +0200 Subject: [PATCH 6/8] validate Signed-off-by: Jan Kowalleck --- tools/cdx-json-schema-validator/validate.js | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/tools/cdx-json-schema-validator/validate.js b/tools/cdx-json-schema-validator/validate.js index 25f7ae8b9..b8e42c328 100644 --- a/tools/cdx-json-schema-validator/validate.js +++ b/tools/cdx-json-schema-validator/validate.js 
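Review bot: The `setup library` and `setup tool` steps now run the identical `npm i` command in two directories with nothing saying why both are needed; presumably the root install exists because the tool depends on `file:../..`, which npm links rather than copies, so the library's own runtime and optional dependencies must already be present at the repository root — confirm that and record it, e.g. `# the tool links the library via file:../..; the library's runtime/optional deps must be installed at the root first` above the first step. `--loglevel=silly` on both steps writes the full resolution log into CI output; `--loglevel=info` or no flag is enough unless the verbosity is deliberate.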
@@ -17,28 +17,29 @@ SPDX-License-Identifier: Apache-2.0 Copyright (c) OWASP Foundation. All Rights Reserved. */ -import CDX from "@cyclonedx/cyclonedx-library" -import {readFile} from 'node:fs/promises'; +import { readFile } from 'node:fs/promises' -const args = process.argv.slice(2); +import CDX from '@cyclonedx/cyclonedx-library' + +const args = process.argv.slice(2) if (args.length !== 1) { - console.error("missing args"); - process.exit(1); + console.error('missing args') + process.exit(1) } const [filePath] = args console.debug('filePath', filePath) const json = await readFile(filePath, 'utf8') -const data = JSON.parse(json); +const data = JSON.parse(json) -const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom\-(\d+\.\d+)\.schema\.json$/ +const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom-(\d+\.\d+)\.schema\.json$/ const specVersion = data['$schema'].match(CDX_JSON_SCHEMA_RE)[1] const validator = new CDX.Validation.JsonStrictValidator(specVersion) const validationError = await validator.validate(json) if (validationError !== null) { console.error('validation error', validationError) - process.exit(2); + process.exit(2) } console.info('valid') From fab8c3da10706eeb3609b8ae0e912d0967376a47 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:55:53 +0200 Subject: [PATCH 7/8] validate Signed-off-by: Jan Kowalleck --- tools/cdx-json-schema-validator/validate.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/cdx-json-schema-validator/validate.js b/tools/cdx-json-schema-validator/validate.js index b8e42c328..d50de8a34 100644 --- a/tools/cdx-json-schema-validator/validate.js +++ b/tools/cdx-json-schema-validator/validate.js @@ -22,7 +22,7 @@ import { readFile } from 'node:fs/promises' import CDX from '@cyclonedx/cyclonedx-library' const args = process.argv.slice(2) -if (args.length !== 1) { +if (args.length < 1) { console.error('missing args') process.exit(1) } 
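Review bot: Relaxing the check to `args.length < 1` makes the script silently ignore every argument after the first, since only `filePath` is read from `args` further down; the CI job passes exactly one file today, but a call with two files would report `valid` for the first and never look at the second. Either keep the strict `!== 1` check or validate every argument in a `for (const filePath of args)` loop and exit non-zero if any file fails; the `const [filePath,] = args` destructuring introduced in PATCH 8/8 is a no-op trailing comma and suggests the latter was the intent.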
From fca165444bf99fdea749fb22eea521e2db0ecd76 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 26 May 2025 15:56:23 +0200 Subject: [PATCH 8/8] validate Signed-off-by: Jan Kowalleck --- tools/cdx-json-schema-validator/validate.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/cdx-json-schema-validator/validate.js b/tools/cdx-json-schema-validator/validate.js index d50de8a34..ad32639cc 100644 --- a/tools/cdx-json-schema-validator/validate.js +++ b/tools/cdx-json-schema-validator/validate.js @@ -26,7 +26,7 @@ if (args.length < 1) { console.error('missing args') process.exit(1) } -const [filePath] = args +const [filePath,] = args console.debug('filePath', filePath) const json = await readFile(filePath, 'utf8')