feat: basic support for Services (#1165)

fixes #1164

---------

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -6,6 +6,16 @@ All notable changes to this project will be documented in this file.
 
 <!-- add unreleased items here -->
 
+* Added
+  * Support for services ([#1164] via [#1165])
+  * New class `Models.Service` ([#1164] via [#1165])
+  * New class `Models.ServiceRepository` ([#1164] via [#1165])
+  * Class `Models.Bom` got new property `services` ([#1164] via [#1165])
+  * Serializers and `Bom`-Normalizers will take `Models.Bom.services` into account ([#1164] via [#1165])
+
+[#1164]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1164
+[#1165]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1165
+
 ## 6.11.1 -- 2024-10-24
 
 * Fixed

src/models/bom.ts

@@ -21,11 +21,13 @@ import type { PositiveInteger } from '../types/integer'
 import { isPositiveInteger } from '../types/integer'
 import { ComponentRepository } from './component'
 import { Metadata } from './metadata'
+import { ServiceRepository } from './service'
 import { VulnerabilityRepository } from './vulnerability/vulnerability'
 
 export interface OptionalBomProperties {
   metadata?: Bom['metadata']
   components?: Bom['components']
+  services?: Bom['services']
   version?: Bom['version']
   vulnerabilities?: Bom['vulnerabilities']
   serialNumber?: Bom['serialNumber']
@@ -34,6 +36,7 @@ export interface OptionalBomProperties {
 export class Bom {
   metadata: Metadata
   components: ComponentRepository
+  services: ServiceRepository
   vulnerabilities: VulnerabilityRepository
 
   /** @see {@link version} */
@@ -54,6 +57,7 @@ export class Bom {
   constructor (op: OptionalBomProperties = {}) {
     this.metadata = op.metadata ?? new Metadata()
     this.components = op.components ?? new ComponentRepository()
+    this.services= op.services?? new ServiceRepository()
     this.version = op.version ?? this.version
     this.vulnerabilities = op.vulnerabilities ?? new VulnerabilityRepository()
     this.serialNumber = op.serialNumber

src/models/component.ts

@@ -49,11 +49,12 @@ export interface OptionalComponentProperties {
   supplier?: Component['supplier']
   swid?: Component['swid']
   version?: Component['version']
-  dependencies?: Component['dependencies']
   components?: Component['components']
   cpe?: Component['cpe']
   properties?: Component['properties']
   evidence?: Component['evidence']
+
+  dependencies?: Component['dependencies']
 }
 
 export class Component implements Comparable<Component> {
@@ -72,7 +73,6 @@ export class Component implements Comparable<Component> {
   supplier?: OrganizationalEntity
   swid?: SWID
   version?: string
-  dependencies: BomRefRepository
   components: ComponentRepository
   properties: PropertyRepository
   evidence?: ComponentEvidence
@@ -83,6 +83,8 @@ export class Component implements Comparable<Component> {
   /** @see {@link cpe} */
   #cpe?: CPE
 
+  dependencies: BomRefRepository
+
   /**
    * @throws {@link TypeError} if `op.cpe` is neither {@link CPE} nor `undefined`
    */
@@ -103,11 +105,12 @@ export class Component implements Comparable<Component> {
     this.swid = op.swid
     this.version = op.version
     this.description = op.description
-    this.dependencies = op.dependencies ?? new BomRefRepository()
     this.components = op.components ?? new ComponentRepository()
     this.cpe = op.cpe
     this.properties = op.properties ?? new PropertyRepository()
     this.evidence = op.evidence
+
+    this.dependencies = op.dependencies ?? new BomRefRepository()
   }
 
   get bomRef (): BomRef {

src/models/index.ts

@@ -30,6 +30,7 @@ export * from './metadata'
 export * from './organizationalContact'
 export * from './organizationalEntity'
 export * from './property'
+export * from './service'
 export * from './swid'
 export * from './tool'
 export * as Vulnerability from './vulnerability'

src/models/service.ts

@@ -0,0 +1,100 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import type { Comparable } from "../_helpers/sortable";
+import { SortableComparables } from "../_helpers/sortable";
+import { treeIteratorSymbol } from "../_helpers/tree";
+import { BomRef, BomRefRepository } from "./bomRef";
+import { ExternalReferenceRepository } from "./externalReference";
+import { LicenseRepository } from "./license";
+import type {OrganizationalEntity } from "./organizationalEntity";
+import { PropertyRepository } from "./property";
+
+export interface OptionalServiceProperties {
+  bomRef?: BomRef['value']
+  provider?: Service['provider']
+  group?: Service['group']
+  version?: Service['version']
+  description?: Service['description']
+  licenses?: Service['licenses']
+  externalReferences?: Service['externalReferences']
+  services?: Service['services']
+  properties?: Service['properties']
+
+  dependencies?: Service['dependencies']
+}
+
+export class Service implements Comparable<Service> {
+  provider?: OrganizationalEntity
+  group?: string
+  name: string
+  version?: string
+  description?: string
+  licenses: LicenseRepository
+  externalReferences: ExternalReferenceRepository
+  services: ServiceRepository
+  properties: PropertyRepository
+
+  /** @see {@link bomRef} */
+  readonly #bomRef: BomRef
+
+  dependencies: BomRefRepository
+
+  constructor(name: Service['name'], op: OptionalServiceProperties = {}) {
+    this.#bomRef = new BomRef(op.bomRef)
+    this.provider = op.provider
+    this.group = op.group
+    this.name = name
+    this.version = op.version
+    this.description = op.description
+    this.licenses = op.licenses ?? new LicenseRepository()
+    this.externalReferences = op.externalReferences ?? new ExternalReferenceRepository()
+    this.services = op.services ?? new ServiceRepository()
+    this.properties = op.properties ?? new PropertyRepository()
+
+    this.dependencies = op.dependencies ?? new BomRefRepository()
+  }
+
+  get bomRef(): BomRef {
+    return this.#bomRef
+  }
+
+  compare(other: Service): number {
+    // The purpose of this method is not to test for equality, but have deterministic comparability.
+    const bomRefCompare = this.bomRef.compare(other.bomRef)
+    if (bomRefCompare !== 0) {
+      return bomRefCompare
+    }
+    /* eslint-disable @typescript-eslint/strict-boolean-expressions -- run compares in weighted order */
+    return (this.group ?? '').localeCompare(other.group ?? '') ||
+      this.name.localeCompare(other.name) ||
+      (this.version ?? '').localeCompare(other.version ?? '')
+    /* eslint-enable  @typescript-eslint/strict-boolean-expressions */
+  }
+
+}
+
+export class ServiceRepository extends SortableComparables<Service> {
+  * [treeIteratorSymbol] (): Generator<Service> {
+    for (const service of this) {
+      yield service
+      yield * service.services[treeIteratorSymbol]()
+    }
+  }
+}

src/serialize/baseSerializer.ts

@@ -36,6 +36,12 @@ export abstract class BaseSerializer<NormalizedBom> implements Serializer {
     }
     // endregion from components
 
+    // region from services
+    for (const { bomRef } of bom.services[treeIteratorSymbol]()) {
+      yield bomRef
+    }
+    // endregion from services
+
     // region from vulnerabilities
     for (const { bomRef } of bom.vulnerabilities) {
       yield bomRef

src/serialize/json/normalize.ts

@@ -56,6 +56,10 @@ export class Factory {
     return new ComponentNormalizer(this)
   }
 
+  makeForService (): ServiceNormalizer {
+    return new ServiceNormalizer(this)
+  }
+
   makeForComponentEvidence (): ComponentEvidenceNormalizer {
     return new ComponentEvidenceNormalizer(this)
   }
@@ -189,6 +193,9 @@ export class BomNormalizer extends BaseJsonNormalizer<Models.Bom> {
         ? this._factory.makeForComponent().normalizeIterable(data.components, options)
         // spec < 1.4 requires `component` to be array
         : [],
+      services: this._factory.spec.supportsServices && data.services.size > 0
+        ? this._factory.makeForService().normalizeIterable(data.services, options)
+        : undefined,
       dependencies: this._factory.spec.supportsDependencyGraph
         ? this._factory.makeForDependencyGraph().normalize(data, options)
         : undefined,
@@ -406,6 +413,44 @@ export class ComponentNormalizer extends BaseJsonNormalizer<Models.Component> {
   }
 }
 
+export class ServiceNormalizer extends BaseJsonNormalizer<Models.Service> {
+  normalize (data: Models.Service, options: NormalizerOptions): Normalized.Service {
+    const spec = this._factory.spec
+    return {
+      'bom-ref': data.bomRef.value || undefined,
+      provider: data.provider
+        ? this._factory.makeForOrganizationalEntity().normalize(data.provider, options)
+        : undefined,
+      group: data.group,
+      name: data.name,
+      version: data.version|| undefined,
+      description: data.description || undefined,
+      licenses: data.licenses.size > 0
+        ? this._factory.makeForLicense().normalizeIterable(data.licenses, options)
+        : undefined,
+      externalReferences: data.externalReferences.size > 0
+        ? this._factory.makeForExternalReference().normalizeIterable(data.externalReferences, options)
+        : undefined,
+      services: data.services.size > 0
+        ? this._factory.makeForService().normalizeIterable(data.services, options)
+        : undefined,
+      properties: spec.supportsProperties(data) && data.properties.size > 0
+        ? this._factory.makeForProperty().normalizeIterable(data.properties, options)
+        : undefined,
+    }
+  }
+
+  normalizeIterable (data: SortableIterable<Models.Service>, options: NormalizerOptions): Normalized.Service[] {
+    return (
+      options.sortLists ?? false
+        ? data.sorted()
+        : Array.from(data)
+    ).map(
+      s => this.normalize(s, options)
+    )
+  }
+}
+
 export class ComponentEvidenceNormalizer extends BaseJsonNormalizer<Models.ComponentEvidence> {
   normalize (data: Models.ComponentEvidence, options: NormalizerOptions): Normalized.ComponentEvidence {
     return {
@@ -599,6 +644,9 @@ export class DependencyGraphNormalizer extends BaseJsonNormalizer<Models.Bom> {
     for (const component of data.components[treeIteratorSymbol]()) {
       allRefs.set(component.bomRef, component.dependencies)
     }
+    for (const service of data.services[treeIteratorSymbol]()) {
+      allRefs.set(service.bomRef, service.dependencies)
+    }
 
     const normalized: Normalized.Dependency[] = []
     for (const [ref, deps] of allRefs) {

src/serialize/json/types.ts

@@ -80,6 +80,7 @@ export namespace Normalized {
     serialNumber?: string
     metadata?: Metadata
     components?: Component[]
+    services?: Service[]
     externalReferences?: ExternalReference[]
     dependencies?: Dependency[]
     vulnerabilities?: Vulnerability[]
@@ -158,6 +159,19 @@ export namespace Normalized {
     properties?: Property[]
   }
 
+  export interface Service {
+    'bom-ref'?: RefType
+    provider?: OrganizationalEntity
+    group?: string
+    name: string
+    version?: string
+    description?: string
+    licenses?: License[]
+    externalReferences?: ExternalReference[]
+    services?: Service[]
+    properties?: Property[]
+  }
+
   export interface ComponentEvidence {
     licenses?: License[]
     copyright?: Copyright[]