feat: tools as components

package.json

@@ -47,7 +47,7 @@
     }
   ],
   "dependencies": {
-    "@cyclonedx/cyclonedx-library": "^6.11.0",
+    "@cyclonedx/cyclonedx-library": "^7.0.0",
     "commander": "^10.0.0",
     "normalize-package-data": "^3||^4||^5||^6",
     "xmlbuilder2": "^3.0.2"

src/builders.ts

@@ -45,7 +45,6 @@ type cPath = string
 type AllComponents = Map<cPath, Models.Component>
 
 export class BomBuilder {
-  toolBuilder: Builders.FromNodePackageJson.ToolBuilder
   componentBuilder: Builders.FromNodePackageJson.ComponentBuilder
   treeBuilder: TreeBuilder
   purlFactory: Factories.FromNodePackageJson.PackageUrlFactory
@@ -63,14 +62,12 @@ export class BomBuilder {
   console: Console
 
   constructor (
-    toolBuilder: BomBuilder['toolBuilder'],
     componentBuilder: BomBuilder['componentBuilder'],
     treeBuilder: BomBuilder['treeBuilder'],
     purlFactory: BomBuilder['purlFactory'],
     options: BomBuilderOptions,
     console_: BomBuilder['console']
   ) {
-    this.toolBuilder = toolBuilder
     this.componentBuilder = componentBuilder
     this.treeBuilder = treeBuilder
     this.purlFactory = purlFactory
@@ -230,14 +227,14 @@ export class BomBuilder {
 
     bom.metadata.component = rootComponent
 
-    bom.metadata.tools.add(new Models.Tool({
-      name: 'npm',
-      version: npmVersion // use the self-proclaimed `version`
-      // omit `vendor` and `externalReferences`, because we cannot be sure about the used tool's actual origin
+    bom.metadata.tools.components.add(new Models.Component(
+      Enums.ComponentType.Application, 'npm', {
+        version: npmVersion // use the self-proclaimed `version`
+      // omit `group` and `externalReferences`, because we cannot be sure about the used tool's actual origin
       // omit `hashes`, because unfortunately there is no agreed process of generating them
-    }))
-    for (const tool of this.makeTools()) {
-      bom.metadata.tools.add(tool)
+      }))
+    for (const toolC of this.makeToolCs()) {
+      bom.metadata.tools.components.add(toolC)
     }
 
     if (!this.reproducible) {
@@ -602,8 +599,10 @@ export class BomBuilder {
     }
   }
 
-  private * makeTools (): Generator<Models.Tool> {
-    const packageJsonPaths = [path.resolve(module.path, '..', 'package.json')]
+  private * makeToolCs (): Generator<Models.Component> {
+    const packageJsonPaths: Array<[string, Enums.ComponentType]> = [
+      [path.resolve(module.path, '..', 'package.json'), Enums.ComponentType.Application]
+    ]
 
     const libs = [
       '@cyclonedx/cyclonedx-library'
@@ -615,19 +614,19 @@ export class BomBuilder {
       for (const nodeModulePath of nodeModulePaths) {
         const packageJsonPath = path.resolve(nodeModulePath, ...lib, 'package.json')
         if (existsSync(packageJsonPath)) {
-          packageJsonPaths.push(packageJsonPath)
+          packageJsonPaths.push([packageJsonPath, Enums.ComponentType.Library])
           continue libsLoop
         }
       }
     }
     /* eslint-enable no-labels */
 
-    for (const packageJsonPath of packageJsonPaths) {
+    for (const [packageJsonPath, cType] of packageJsonPaths) {
       const packageData: object = loadJsonFile(packageJsonPath) ?? {}
       normalizePackageData(packageData /* add debug for warnings? */)
-      const tool = this.toolBuilder.makeTool(packageData)
-      if (tool !== undefined) {
-        yield tool
+      const toolC = this.componentBuilder.makeComponent(packageData, cType)
+      if (toolC !== undefined) {
+        yield toolC
       }
     }
   }

src/cli.ts

@@ -238,13 +238,10 @@ export async function run (process: NodeJS.Process): Promise<number> {
     throw new Error('missing evidence')
   }
 
-  const extRefFactory = new Factories.FromNodePackageJson.ExternalReferenceFactory()
-
   myConsole.log('LOG   | gathering BOM data ...')
   const bom = new BomBuilder(
-    new Builders.FromNodePackageJson.ToolBuilder(extRefFactory),
     new Builders.FromNodePackageJson.ComponentBuilder(
-      extRefFactory,
+      new Factories.FromNodePackageJson.ExternalReferenceFactory(),
       new Factories.LicenseFactory()
     ),
     new TreeBuilder(),