initial implementation

 ## Responsibilities

* Provide a general purpose _JavaScript_-implementation of [_CycloneDX_][CycloneDX] for _Node.js_ and _WebBrowsers_.
* Provide typing for said implementation, so developers and dev-tools can rely on it.
* Provide data models to work with _CycloneDX_.
* Provide a JSON- and an XML-normalizer, that...
  * supports all shipped data models.
  * respects any injected [_CycloneDX_ Specification][CycloneDX-spec] and generates valid output according to it.
  * can be configured to generate reproducible/deterministic output.
  * can prepare data structures for JSON- and XML-serialization.
* Serialization:
  * Provide a universal JSON-serializer for all target environments.
  * Provide an XML-serializer for all target environments.
  * Support the downstream implementation of custom XML-serializers tailored to specific environments  
    by providing an abstract base class that takes care of normalization and BomRef-discrimination.  
    This is done, because there is no universal XML support in _JavaScript_.

 ## Capabilities

* Enums for the following use cases
  * `AttachmentEncoding`
  * `ComponentScope`
  * `ComponentType`
  * `ExternalReferenceType`
  * `HashAlgorithm`
* Data models for the following use cases
  * `Attachment`
  * `Bom`
  * `BomRef`, `BomRefRepository`
  * `Component`, `ComponentRepository`
  * `ExternalReference`, `ExternalReferenceRepository`
  * `HashContent`, `Hash`, `HashRepository`
  * `LicenseExpression`, `NamedLicense`, `SpdxLicense`, `LicenseRepository`
  * `Metadata`
  * `OrganizationalContact`, `OrganizationalContactRepository`
  * `OrganizationalEntity`
  * `SWID`
  * `Tool`, `ToolRepository`
* Factory, that can create data models from any license descriptor string
* Implementation of the [_CycloneDX_ Specification][CycloneDX-spec] for the following versions:
  * `1.4`
  * `1.3`
  * `1.2`
* Normalizers that convert data models to JSON structures
* Normalizers that convert data models to XML structures
* Universal serializer that converts `Bom` data models to JSON string
* Serializer that converts `Bom` data models to XML string:
  * Specific to _WebBrowsers_: implementation utilizes browser-specific document generators and printers.
  * Specific to _Node.js_: implementation plugs/requires/utilizes one of the following *optional* libraries
    * [xmlbuilder2](https://www.npmjs.com/package/xmlbuilder2)
    * ... to be continued ... (pull requests are welcome)

Author: jkowalleck

.editorconfig

@@ -0,0 +1,35 @@
+# EditorConfig is awesome: https://EditorConfig.org
+
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+
+[*.md]
+# trailing white spaces are used for linebreaks in paragraphs.
+trim_trailing_whitespace = false
+
+[*.{ts,js,cjs,mjs}]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.{json,cjson,cjsn}]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.html]
+charset = utf-8
+end_of_line = lf
+indent_style = space
+indent_size = 2
+trim_trailing_whitespace = true
+insert_final_newline = true

.eslintignore

@@ -0,0 +1,5 @@
+/dist/**
+/dist.*/**
+/node_modules/**
+
+!/src/**

.eslintrc.js

@@ -0,0 +1,36 @@
+'use strict'
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+/**
+ * @see {@link https://eslint.org/}
+ * @type {import('eslint').Linter.Config}
+ */
+module.exports = {
+  root: true,
+  // see https://github.com/standard/ts-standard
+  extends: 'standard-with-typescript',
+  parserOptions: {
+    project: './tsconfig.json'
+  },
+  env: {
+    node: true,
+    browser: true
+  }
+}

.gitattributes

@@ -0,0 +1,3 @@
+
+tsconfig.json       linguist-language=JSON-with-Comments
+tsconfig.*.json     linguist-language=JSON-with-Comments

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: 'weekly'
+      day: 'saturday'
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: 'weekly'
+      day: 'saturday'

.github/workflows/nodejs.yml

@@ -0,0 +1,108 @@
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: Node CI
+
+on: 
+  push:
+    branches: [ master ]
+  pull_request:
+  workflow_dispatch:
+
+
+env:
+  NODE_ACTIVE_LTS: "16" # see https://nodejs.org/en/about/releases/
+
+jobs:
+  build:
+    name: build ${{ matrix.target }}
+    runs-on: "ubuntu-latest"
+    timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - node
+          - web
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm ci --ignore-scripts
+      - name: build for ${{ matrix.target }}
+        run: npm run build:${{ matrix.target }}
+      - name: artifact build result
+        # see https://github.com/actions/upload-artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: dist.${{ matrix.target }}
+          path: dist.${{ matrix.target }}
+          if-no-files-found: error
+  test-standard:
+    name: test standard
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm ci --ignore-scripts
+      - name: test
+        run: npm run test:standard
+  test-node:
+    needs: [ 'build' ]
+    name: test node (${{ matrix.node-version }}, ${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version:
+          # action based on https://github.com/actions/node-versions/releases
+          # see also: https://nodejs.org/en/about/releases/
+          - "18"      # current
+          - "16"      # active LTS
+          - "14"
+          - "14.0.0"  # lowest supported
+        os: 
+          - ubuntu-latest
+          - macos-latest
+          - windows-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: "npm"
+          cache-dependency-path: "**/package-lock.json"
+      - name: setup project
+        run: npm ci --ignore-scripts
+      - name: fetch build artifact
+        # see https://github.com/actions/download-artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: dist.node
+          path: dist.node
+      - name: test
+        run: npm run test:node
+  # test-web:
+    # TODO via https://github.com/CycloneDX/cyclonedx-javascript-library/issues/51

.github/workflows/release.yml

@@ -0,0 +1,104 @@
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      newversion:
+        # is param from `npm version`. therefore the description should reference all the options from there
+        description: 'one of: [<newversion> | major | minor | patch | premajor | preminor | prepatch | prerelease | from-git]'
+        required: true
+      commitMessage:
+        description: 'Release/commit message (%s will be replaced with the resulting version number)'
+        default: '%s'
+        required: true
+
+env:
+  REPORTS_DIR: CI_reports
+  NODE_ACTIVE_LTS: "16"
+
+jobs:
+  bump:
+    name: bump and tag release
+    concurrency: release-bump
+    outputs:
+      version: ${{ steps.bump.outputs.version }}
+      version_plain: ${{ steps.bump.outputs.version_plain }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout code
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+      - name: Configure Git
+        # needed for push back of changes
+        run: |
+          git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+          git config --local user.name "${GITHUB_ACTOR}"
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+      ## ! no npm build at the moment
+      - name: bump VERSION
+        id: bump
+        run: |
+          VERSION="$(npm version "$NPMV_NEWVERSION" --message "$NPMV_MESSAGE")"
+          echo "::debug::new version = $VERSION"
+          VERSION_PLAIN="${VERSION:1}" # remove 'v' prefix
+          echo "::debug::plain version = $VERSION_PLAIN"
+          echo "::set-output name=version::$VERSION"
+          echo "::set-output name=version_plain::$VERSION_PLAIN"
+        env:
+          NPMV_NEWVERSION: ${{ github.event.inputs.newversion }}
+          NPMV_MESSAGE: ${{ github.event.inputs.commitMessage }}
+      - name: git push back
+        run: git push --follow-tags
+  publish-NPMJS:
+    needs:
+      - "bump"
+    name: NPMJS - publish
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Checkout code
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ needs.bump.outputs.version }}
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+      - name: install build tools
+        run: npm ci --ignore-scripts
+      # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm.
+      - name: publish to NPMJS
+        run: |
+          npm config set "//registry.npmjs.org/:_authToken=$NPMJS_AUTH_TOKEN"
+          npm publish --access public
+        env:
+          NPMJS_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  release-GH:
+    needs:
+      - "bump"
+      - "publish-NPMJS"
+    name: GitHub - release
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    env:
+      ASSETS_DIR: release_assets
+    steps:
+      - name: Create Release
+        id: release
+        # see https://github.com/softprops/action-gh-release
+        uses: softprops/action-gh-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ needs.bump.outputs.version }}
+          name: ${{ needs.bump.outputs.version_plain }}
+          prerelease: ${{ startsWith(github.event.inputs.newversion, 'pre') }}