validate

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -455,6 +455,7 @@ jobs:
         run: npm run build
         working-directory: ${{ env.EXAMPLE_DIR }}
 
+
   api-doc:
     name: api-doc ${{ matrix.target }}
     runs-on: "ubuntu-latest"
@@ -487,3 +488,31 @@ jobs:
           echo "::endgroup::"
       - name: api-doc ${{ matrix.target }}
         run: npm run api-doc:${{ matrix.target }}
+
+
+  validate-VEX-VDR:
+    needs: [ 'build' ]
+    name: validate VEX/VDR
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
+        # see https://github.com/actions/setup-node
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_ACTIVE_LTS }}
+      - name: fetch build artifact 'node'
+        # see https://github.com/actions/download-artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist.node
+          path: dist.node
+      - name: setup library
+        run: npm i --ignore-scripts --omit=dev --include=optional --loglevel=silly
+        working-directory: tools/cdx-json-schema-validator
+      - name: validate
+        run: node tools/cdx-json-schema-validator/validate.js SECURITY.cdx.json
+

security.cdx.json renamed to SECURITY.cdx.json

@@ -0,0 +1,6 @@
+*
+!/.gitignore
+!/package.json
+!/validate.js
+!/.npmrc
+!/eslint.config.mjs

tools/cdx-json-schema-validator/.gitignore

@@ -0,0 +1,5 @@
+; see the docs: https://docs.npmjs.com/cli/v9/using-npm/config
+
+package-lock=false
+engine-strict=true
+omit=peer # don't install them automatically; we take cate of them!

tools/cdx-json-schema-validator/.npmrc

@@ -0,0 +1,37 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import baseCfg, { globals } from '../code-style/eslint.config.mjs'
+
+/* eslint-disable jsdoc/valid-types */
+
+/**
+ * @type {import('@types/eslint').Linter.FlatConfig[]}
+ * @see {@link https://eslint.org/}
+ */
+export default [
+  ...baseCfg,
+  {
+    files: ['**/*.js'],
+    languageOptions: {
+      sourceType: 'module',
+      globals: globals.node,
+    }
+  },
+]

tools/cdx-json-schema-validator/eslint.config.mjs

@@ -0,0 +1,17 @@
+{
+  "private": true,
+  "name": "@cyclonedx/cyclonedx-javascript-library/tools/cdx-json-schema-validator",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "validate.js",
+  "dependencies": {
+    "@cyclonedx/cyclonedx-library": "file:../.."
+  },
+  "scripts": {
+    "download": "node download.js",
+    "cs-fix": "npm --prefix ../code-style exec -- eslint --fix ."
+  },
+  "engines": {
+    "node": ">=20.18"
+  }
+}

tools/cdx-json-schema-validator/package.json

@@ -0,0 +1,45 @@
+/*!
+This file is part of CycloneDX JavaScript Library.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+SPDX-License-Identifier: Apache-2.0
+Copyright (c) OWASP Foundation. All Rights Reserved.
+*/
+
+import CDX from "@cyclonedx/cyclonedx-library"
+import {readFile} from 'node:fs/promises';
+
+const args = process.argv.slice(2);
+if (args.length !== 1) {
+  console.error("missing args");
+  process.exit(1);
+}
+const [filePath] = args
+console.debug('filePath', filePath)
+
+const json = await readFile(filePath, 'utf8')
+const data = JSON.parse(json);
+
+const CDX_JSON_SCHEMA_RE = /^http:\/\/cyclonedx\.org\/schema\/bom\-(\d+\.\d+)\.schema\.json$/
+const specVersion = data['$schema'].match(CDX_JSON_SCHEMA_RE)[1]
+const validator = new CDX.Validation.JsonStrictValidator(specVersion)
+
+const validationError = await validator.validate(json)
+if (validationError !== null) {
+  console.error('validation error', validationError)
+  process.exit(2);
+}
+
+console.info('valid')
+process.exit(0)