chore: update deps

Makefile

@@ -9,12 +9,15 @@ help: ## This help.
 SEMGREP_ARGS=--use-git-ignore --metrics=off --force-color --disable-version-check --experimental --dataflow-traces --sarif --timeout=0
 SEMGREP_RULES=-c p/default -c p/python -c p/php -c p/c -c p/rust -c p/apex -c p/nginx -c p/terraform -c p/csharp -c p/nextjs -c p/golang -c p/nodejs -c p/kotlin -c p/django -c p/docker -c p/kubernetes -c p/lockfiles -c p/supply-chain -c p/headless-browser -c p/expressjs -c p/cpp-audit -c p/mobsfscan -c p/ruby -c p/java -c p/javascript -c p/typescript -c p/bandit -c p/flask -c p/gosec -c p/flawfinder -c p/gitleaks -c p/eslint -c p/phpcs-security-audit -c p/react -c p/brakeman -c p/findsecbugs -c p/secrets -c p/sql-injection -c p/jwt -c p/insecure-transport -c p/command-injection -c p/security-code-scan -c p/xss
 
+clean: ## Cleanup tmp files
+	@find . -type f -name '*.DS_Store' -delete 2>/dev/null
+
 setup: ## Basic nodejs install
-	nvm use --lts
+	nvm install --lts
 	npm i
 	npm audit fix --force --include=dev
 
-publish: ## upload to npm.org
+publish: clean ## upload to npm.org
 	npm publish
 	git commit -a -s -m 'feat: v$(shell node -e "console.log(require('./package.json').version)")'
 	git tag --force v$(shell node -e "console.log(require('./package.json').version)")
@@ -25,6 +28,6 @@ sarif: ## generate SARIF from Semgrep for this project
 	osv-scanner --format sarif --call-analysis=all -r . | jq >osv.sarif.json
 	semgrep $(SEMGREP_ARGS) $(SEMGREP_RULES) | jq >semgrep.sarif.json
 
-sbom: ## generate CycloneDX and convert it to SPDX
-	npm sbom --package-lock-only --omit dev --sbom-format cyclonedx | jq > sbom.cdx.json
-	cyclonedx convert --input-file sbom.cdx.json --output-file sbom.spdx.json
+sbom: ## generate CycloneDX from NPM for this project
+	npm sbom --omit dev --package-lock-only --sbom-format cyclonedx | jq >npm.cdx.json
+	npm sbom --omit dev --package-lock-only --sbom-format spdx | jq >npm.spdx.json

sbom.cdx.json → npm.cdx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:bd977240-1a14-43c5-968b-7277aa5d18e4",
+  "serialNumber": "urn:uuid:af2c5c39-527a-4b8d-917d-de19ac0660e7",
   "version": 1,
   "metadata": {
-    "timestamp": "2024-07-13T15:38:38.418Z",
+    "timestamp": "2024-09-04T13:32:56.645Z",
     "lifecycles": [
       {
         "phase": "pre-build"
@@ -15,18 +15,18 @@
       {
         "vendor": "npm",
         "name": "cli",
-        "version": "10.7.0"
+        "version": "10.8.2"
       }
     ],
     "component": {
-      "bom-ref": "[email protected].0",
+      "bom-ref": "[email protected].1",
       "type": "library",
       "name": "typescript-ssvc",
-      "version": "0.1.0",
+      "version": "0.1.1",
       "scope": "required",
       "author": "Christopher Langton",
       "description": "TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS",
-      "purl": "pkg:npm/[email protected].0",
+      "purl": "pkg:npm/[email protected].1",
       "properties": [
         {
           "name": "cdx:npm:package:path",
@@ -81,6 +81,13 @@
           "alg": "SHA-512",
           "content": "908b38f22b6635e864ccb9346095bf2df236f95158972b1c1ac63ea033429f1ac37e47b1fce7d8515d62a7b2fb60837ba694aa8f656638eb2c896f35467a3d40"
         }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
       ]
     },
     {
@@ -107,12 +114,19 @@
           "alg": "SHA-512",
           "content": "5c1c7d01785792d8d4aa77a9813884e5f95c2886168bfae67b411a8fee58d257edb8606afa3c91bbf99de169eec6a80fd6e6dda4d0ac60460fc6bcd51c3f1dea"
         }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
       ]
     }
   ],
   "dependencies": [
     {
-      "ref": "[email protected].0",
+      "ref": "[email protected].1",
       "dependsOn": [
         "[email protected]",
         "[email protected]"

npm.spdx.json

@@ -0,0 +1,100 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "[email protected]",
+  "documentNamespace": "http://spdx.org/spdxdocs/ssvc-0.1.1-6726c8fa-6867-46f6-a2ed-6ef7f449bbaf",
+  "creationInfo": {
+    "created": "2024-09-04T13:32:57.001Z",
+    "creators": [
+      "Tool: npm/cli-10.8.2"
+    ]
+  },
+  "documentDescribes": [
+    "SPDXRef-Package-ssvc-0.1.1"
+  ],
+  "packages": [
+    {
+      "name": "ssvc",
+      "SPDXID": "SPDXRef-Package-ssvc-0.1.1",
+      "versionInfo": "0.1.1",
+      "packageFileName": "",
+      "description": "TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or compliment to CVSS",
+      "primaryPackagePurpose": "LIBRARY",
+      "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
+      "homepage": "https://github.com/trivialsec/typescript-ssvc#readme",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/[email protected]"
+        }
+      ]
+    },
+    {
+      "name": "ts-enum-util",
+      "SPDXID": "SPDXRef-Package-ts-enum-util-4.1.0",
+      "versionInfo": "4.1.0",
+      "packageFileName": "node_modules/ts-enum-util",
+      "downloadLocation": "https://registry.npmjs.org/ts-enum-util/-/ts-enum-util-4.1.0.tgz",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/[email protected]"
+        }
+      ],
+      "checksums": [
+        {
+          "algorithm": "SHA512",
+          "checksumValue": "908b38f22b6635e864ccb9346095bf2df236f95158972b1c1ac63ea033429f1ac37e47b1fce7d8515d62a7b2fb60837ba694aa8f656638eb2c896f35467a3d40"
+        }
+      ]
+    },
+    {
+      "name": "zod",
+      "SPDXID": "SPDXRef-Package-zod-3.23.8",
+      "versionInfo": "3.23.8",
+      "packageFileName": "node_modules/zod",
+      "downloadLocation": "https://registry.npmjs.org/zod/-/zod-3.23.8.tgz",
+      "filesAnalyzed": false,
+      "homepage": "NOASSERTION",
+      "licenseDeclared": "MIT",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:npm/[email protected]"
+        }
+      ],
+      "checksums": [
+        {
+          "algorithm": "SHA512",
+          "checksumValue": "5c1c7d01785792d8d4aa77a9813884e5f95c2886168bfae67b411a8fee58d257edb8606afa3c91bbf99de169eec6a80fd6e6dda4d0ac60460fc6bcd51c3f1dea"
+        }
+      ]
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Package-ssvc-0.1.1",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-ts-enum-util-4.1.0",
+      "relatedSpdxElement": "SPDXRef-Package-ssvc-0.1.1",
+      "relationshipType": "DEPENDENCY_OF"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-zod-3.23.8",
+      "relatedSpdxElement": "SPDXRef-Package-ssvc-0.1.1",
+      "relationshipType": "DEPENDENCY_OF"
+    }
+  ]
+}

osv.sarif.json

@@ -1,14 +1,14 @@
 {
   "version": "2.1.0",
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
   "runs": [
     {
       "tool": {
         "driver": {
           "informationUri": "https://github.com/google/osv-scanner",
           "name": "osv-scanner",
           "rules": [],
-          "version": "1.7.4"
+          "version": "1.8.3"
         }
       },
       "results": []