Merge remote-tracking branch 'origin/main' into feat/10.0.0-dev

Author: jkowalleck

.github/workflows/nodejs.yml

@@ -177,6 +177,10 @@ jobs:
           - ubuntu-latest
           - macos-latest
           - windows-latest
+        include:
+          - node: "25"
+            experimental: true
+    continue-on-error: ${{ matrix.experimental == true }}
     timeout-minutes: 10
     steps:
       - name: Checkout

HISTORY.md

@@ -44,7 +44,7 @@ All notable changes to this project will be documented in this file.
   * Deprecated symbol `Utils.LicenseUtility` ([#1346] via [#1377])
   * Deprecated symbol `Utils.LicenseUtility.FsUtils` ([#1346] via [#1377])  
     Use `Contrib.License.Utils.FsUtils` instead.
-  * Deprecated symbol `Utils.LicenseUtility.PathUtils` ([#1346] via [#1377])  
+  * Deprecated symbol `Utils.LicenseUtility.PathUtils` ([#1346] via [#1377])
   * Use `Contrib.License.Utils.PathUtils` instead.
   * Deprecated symbol `Utils.LicenseUtility.FileAttachment` ([#1346] via [#1377])  
     Use `Contrib.License.Utils.FileAttachment` instead.
@@ -69,25 +69,33 @@ All notable changes to this project will be documented in this file.
     Suggested implementation is `spdx-expression-parse`.
 * Dependencies
   * Dependency `packageurl-js` became a suggested (optional peer-dependency) library ([#1348] via [#1378])  
-    You may use it to craft and parse PackageURLs downstream. 
+    You may use it to craft and parse PackageURLs downstream.
   * Dependency `spdx-expression-parse` became a suggested (optional peer-dependency) library ([#1348] via [#1382])  
     Used as an injectable in `Contrib.License.Factories.LicenseFactory.constructor`.
-* Build
-  * Use _webpack_ `5.105.2` now, was `v5.103.0` (via [#1360], [#1374])
 * Chore
   * Set dev-engines in `package.json` ([#1301] via [#1380])
 
 [#1301]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1301
 [#1346]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1346
 [#1348]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/1348
-[#1360]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1360
-[#1374]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1374
 [#1377]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1377
 [#1378]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1378
 [#1379]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1379
 [#1380]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1380
 [#1382]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1382
 
+## 9.5.0 -- 2026-03-02
+
+* Added
+  * Classes `Models.NamedLicense` and `Models.SpdxLicense` support `properties` as per CycloneDX 1.5 (via [#1383])
+* Build
+  * Use _webpack_ `5.105.3` now, was `v5.103.0` (via [#1360], [#1374], [#1390])
+
+[#1360]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1360
+[#1374]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1374
+[#1383]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1383
+[#1390]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/1390
+
 ## 9.4.1 -- 2025-12-04
 
 * Fixed

package.json

@@ -134,7 +134,7 @@
     "@types/mocha": "^10",
     "@types/node": "ts5.7",
     "@types/spdx-expression-parse": "^3",
-    "c8": "^10",
+    "c8": "^11",
     "copyfiles": "^2.4.1",
     "deepmerge": "^4.2.2",
     "fast-glob": "^3.3.1",
@@ -144,7 +144,7 @@
     "rimraf": "^6",
     "ts-loader": "9.5.4",
     "typescript": "5.9.3",
-    "webpack": "5.105.2",
+    "webpack": "5.105.3",
     "webpack-cli": "6.0.1",
     "webpack-node-externals": "3.0.0"
   },

src/models/license.ts

@@ -21,6 +21,7 @@ import type { Sortable } from '../_helpers/sortable'
 import type { LicenseAcknowledgement } from '../enums/licenseAcknowledgement'
 import type { SpdxId } from '../spdx'
 import type { Attachment } from './attachment'
+import { PropertyRepository } from './property'
 
 /**
  * (SPDX) License Expression.
@@ -64,11 +65,13 @@ class DisjunctiveLicenseBase {
   acknowledgement?: LicenseAcknowledgement
   text?: Attachment
   #url?: URL | string
+  properties: PropertyRepository
 
   constructor (op: OptionalDisjunctiveLicenseProperties = {}) {
     this.acknowledgement = op.acknowledgement
     this.text = op.text
     this.url = op.url
+    this.properties = op.properties ?? new PropertyRepository()
   }
 
   get url (): URL | string | undefined {
@@ -86,6 +89,7 @@ interface OptionalDisjunctiveLicenseProperties {
   acknowledgement?: DisjunctiveLicenseBase['acknowledgement']
   text?: DisjunctiveLicenseBase['text']
   url?: DisjunctiveLicenseBase['url']
+  properties?: DisjunctiveLicenseBase['properties']
 }
 
 export interface OptionalNamedLicenseProperties extends OptionalDisjunctiveLicenseProperties {}

src/serialize/json/normalize.ts

@@ -529,36 +529,44 @@ export class LicenseNormalizer extends BaseJsonNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): Normalized.NamedLicense {
+    const spec = this._factory.spec
     const url = escapeUri(data.url?.toString())
     return {
       license: {
         name: data.name,
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined,
         text: data.text === undefined
           ? undefined
           : this._factory.makeForAttachment().normalize(data.text, options),
         url: JsonSchema.isIriReference(url)
           ? url
+          : undefined,
+        properties: spec.supportsProperties(data) && data.properties.size > 0
+          ? this._factory.makeForProperty().normalizeIterable(data.properties, options)
           : undefined
       }
     }
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): Normalized.SpdxLicense {
+    const spec = this._factory.spec
     const url = escapeUri(data.url?.toString())
     return {
       license: {
         id: data.id,
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined,
         text: data.text === undefined
           ? undefined
           : this._factory.makeForAttachment().normalize(data.text, options),
         url: JsonSchema.isIriReference(url)
           ? url
+          : undefined,
+        properties: spec.supportsProperties(data) && data.properties.size > 0
+          ? this._factory.makeForProperty().normalizeIterable(data.properties, options)
           : undefined
       }
     }

src/serialize/json/types.ts

@@ -196,6 +196,7 @@ export namespace Normalized {
       acknowledgement?: Enums.LicenseAcknowledgement
       text?: Attachment
       url?: string
+      properties?: Property[]
     }
   }
 
@@ -206,6 +207,7 @@ export namespace Normalized {
       acknowledgement?: Enums.LicenseAcknowledgement
       text?: Attachment
       url?: string
+      properties?: Property[]
     }
   }
 

src/serialize/xml/normalize.ts

@@ -699,12 +699,20 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
   }
 
   #normalizeNamedLicense (data: Models.NamedLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = escapeUri(data.url?.toString())
+    const spec = this._factory.spec
+    const url = escapeUri(data.url?.toString()) 
+    const properties: SimpleXml.Element | undefined = spec.supportsProperties(data) && data.properties.size > 0
+      ? {
+        type: 'element',
+        name: 'properties',
+        children: this._factory.makeForProperty().normalizeIterable(data.properties, options, 'property')
+      }
+      : undefined
     return {
       type: 'element',
       name: 'license',
       attributes: {
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined
       },
@@ -715,18 +723,27 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
           : this._factory.makeForAttachment().normalize(data.text, options, 'text'),
         XmlSchema.isAnyURI(url)
           ? makeTextElement(url, 'url')
-          : undefined
+          : undefined,
+        properties
       ].filter(isNotUndefined)
     }
   }
 
   #normalizeSpdxLicense (data: Models.SpdxLicense, options: NormalizerOptions): SimpleXml.Element {
-    const url = escapeUri(data.url?.toString())
+    const spec = this._factory.spec
+    const url = escapeUri(data.url?.toString())    
+    const properties: SimpleXml.Element | undefined = spec.supportsProperties(data) && data.properties.size > 0
+      ? {
+        type: 'element',
+        name: 'properties',
+        children: this._factory.makeForProperty().normalizeIterable(data.properties, options, 'property')
+      }
+      : undefined
     return {
       type: 'element',
       name: 'license',
       attributes: {
-        acknowledgement: this._factory.spec.supportsLicenseAcknowledgement
+        acknowledgement: spec.supportsLicenseAcknowledgement
           ? data.acknowledgement
           : undefined
       },
@@ -737,7 +754,8 @@ export class LicenseNormalizer extends BaseXmlNormalizer<Models.License> {
           : this._factory.makeForAttachment().normalize(data.text, options, 'text'),
         XmlSchema.isAnyURI(url)
           ? makeTextElement(url, 'url')
-          : undefined
+          : undefined,
+        properties
       ].filter(isNotUndefined)
     }
   }

src/spec/_protocol.ts

@@ -18,7 +18,7 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
 import type { ComponentType, ExternalReferenceType, HashAlgorithm, Vulnerability } from '../enums'
-import type { HashContent } from '../models'
+import { type HashContent, NamedLicense, SpdxLicense } from '../models'
 import type { Format, Version } from './enums'
 
 /**
@@ -79,6 +79,7 @@ export class _Spec implements _SpecProtocol {
   readonly #supportsLicenseAcknowledgement: boolean
   readonly #supportsServices: boolean
   readonly #supportsToolsComponentsServices: boolean
+  readonly #supportsLicenseProperties: boolean
 
   /* eslint-disable-next-line @typescript-eslint/max-params -- architectural decision */
   constructor (
@@ -101,7 +102,8 @@ export class _Spec implements _SpecProtocol {
     supportsExternalReferenceHashes: boolean,
     supportsLicenseAcknowledgement: boolean,
     supportsServices: boolean,
-    supportsToolsComponentsServices: boolean
+    supportsToolsComponentsServices: boolean,
+    supportsLicenseProperties: boolean
   ) {
     this.#version = version
     this.#formats = new Set(formats)
@@ -123,6 +125,7 @@ export class _Spec implements _SpecProtocol {
     this.#supportsLicenseAcknowledgement = supportsLicenseAcknowledgement
     this.#supportsServices = supportsServices
     this.#supportsToolsComponentsServices = supportsToolsComponentsServices
+    this.#supportsLicenseProperties = supportsLicenseProperties
   }
 
   get version (): Version {
@@ -166,9 +169,13 @@ export class _Spec implements _SpecProtocol {
     return this.#requiresComponentVersion
   }
 
-  supportsProperties (): boolean {
-    // currently a global allow/deny -- might work based on input, in the future
-    return this.#supportsProperties
+  supportsProperties (model: any): boolean {
+    switch (true) {
+      case model instanceof NamedLicense || model instanceof SpdxLicense:
+        return this.#supportsLicenseProperties 
+      default:
+        return this.#supportsProperties
+    }
   }
 
   get supportsVulnerabilities (): boolean {

src/spec/consts.ts

@@ -89,6 +89,7 @@ export const Spec1dot2: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   false,
   false,
   true,
+  false,
   false
 ))
 
@@ -154,6 +155,7 @@ export const Spec1dot3: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  false,
   false
 ))
 
@@ -226,6 +228,7 @@ export const Spec1dot4: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  false,
   false
 ))
 
@@ -327,6 +330,7 @@ export const Spec1dot5: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   false,
   true,
+  true,
   true
 ))
 
@@ -433,6 +437,7 @@ export const Spec1dot6: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   true,
   true,
+  true,
   true
 ))
 
@@ -547,6 +552,7 @@ export const Spec1dot7: Readonly<_SpecProtocol> = Object.freeze(new _Spec(
   true,
   true,
   true,
+  true,
   true
 ))
 

tests/_data/models.js

@@ -156,7 +156,11 @@ function createComplexStructure () {
         contentType: 'text/plain',
         encoding: Enums.AttachmentEncoding.Base64
       }),
-      url: 'https://localhost/license'
+      url: 'https://localhost/license',
+      properties: new Models.PropertyRepository([
+        new Models.Property('a', 'b'),
+        new Models.Property('primaryLicense', 'true')
+      ])
     }))
     component.licenses.add((function (license) {
       license.text = new Models.Attachment('TUlUIExpY2Vuc2UKLi4uClRIRSBTT0ZUV0FSRSBJUyBQUk9WSURFRCAiQVMgSVMiLi4u')
@@ -165,7 +169,12 @@ function createComplexStructure () {
       license.url = new URL('https://spdx.org/licenses/MIT.html')
       license.acknowledgement = Enums.LicenseAcknowledgement.Declared
       return license
-    })(new Models.SpdxLicense('MIT')))
+    })(new Models.SpdxLicense('MIT', {
+      properties: new Models.PropertyRepository([
+        new Models.Property('c', 'd'),
+        new Models.Property('primaryLicense', 'false')
+      ])
+    })))
     component.publisher = 'the publisher'
     component.purl = 'pkg:npm/acme/dummy-component@1337-beta'
     component.scope = Enums.ComponentScope.Required