feat: bom.vulnerabilities JSON normalization

[xmasoracle]

Introduce normalization of vulnerabilities for JSON for CDX>=1.4 .
This is part of #164 .

⚠️ Note that:
* It only adds support for a subset of properties of Models.Vulnerability.
* I made some Models.Vulnerability.* comparable, to be able to copy the implementation of normalizeIterable, but I am not really confident in what I did, and was unsure how to test it.

[jkowalleck]

quick review.
marked with ❌ are wrong and need to be fixed.

[jkowalleck]

Thank you for your work, @xmasoracle .

Your implementation appears promising, please continue.
Your test method is sufficient, just some cases are missing.

Please be informed: I will not merge this into master, unless

• all properties are normalized as expected
• normalization for XML and JSON is in place

I'll set this PR to "draft" until it is finished.

[jkowalleck]

@xmasoracle,
could you sign-off you commits? Read more here: https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md#sign-off-your-commits
You can sign-off previous commits as described here: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/548/checks?check_run_id=12055103222

[jkowalleck]

implementation detail: as new rendering for BomRefs is added, they need to be discriminated.
add them to the existing collector:

cyclonedx-javascript-library/src/serialize/baseSerializer.ts

Lines 25 to 41 in b2abc1b

	#getAllBomRefs (bom: Bom): Iterable<BomRef> {
	const bomRefs = new Set<BomRef>()
	function iterComponents (cs: Iterable<Component>): void {
	for (const { bomRef, components } of cs) {
	bomRefs.add(bomRef)
	iterComponents(components)
	}
	}
	if (bom.metadata.component !== undefined) {
	bomRefs.add(bom.metadata.component.bomRef)
	iterComponents(bom.metadata.component.components)
	}
	iterComponents(bom.components)
	return bomRefs.values()
	}

[xmasoracle]

Hi @jkowalleck, I will not have time to work on the XML serialization part.
Could this be merged? I'm afraid it will linger here for months, and drift away from the main branch...

[jkowalleck]

nope, will not be merged any soon.

It contains breaking changes, and I do not want to release a set of breaking changes that is not complete.
Leave it open, and I might consider it for the next major release, if it was complete until then.
Time is not an issue.

PS: this is open source. Others might take it from here and complete the missing part.
Or even try it out and improve it in other ways.

[jkowalleck]

FYI: i will be working on #620 soon.

[jkowalleck]

BOM validators are now in place.
and they are part of existing integration tests. see #652

[jkowalleck]

JSON validation is now part of this library and all its test suites.

@xmasoracle please rebase your feature on latest main normalize-vulnerability branch and run the tests, to see if your feature passes the JSON schema. Your efforts are appreciated.

[jkowalleck]

adjusted PR target branch to be (normalize-vulnerability)[https://github.com/CycloneDX/cyclonedx-javascript-library/tree/normalize-vulnerability]

reason: multiple smaller PRs will come together to solve #164
see #722

[jkowalleck]

re: #issuecomment-1495568466
FYI: i will work on the XML serialization soon.