Conversation

@rlmestre rlmestre commented Jul 18, 2025

feat: initial implementation; trim CDX SBOM, convert CDX XML to JSON, convert SPDX to CDX

Closes neverendingsupport/data-and-integrations#124

@rlmestre rlmestre requested a review from Copilot July 18, 2025 21:49

@rlmestre rlmestre requested a review from KLongmuirHD July 18, 2025 21:59
@rlmestre rlmestre requested a review from Copilot July 21, 2025 18:45

@rlmestre rlmestre requested a review from Copilot July 22, 2025 14:54

Copilot AI left a comment

Pull Request Overview

This PR implements the initial version of a TypeScript library for SBOM (Software Bill of Materials) processing with three main capabilities: trimming CycloneDX BOMs to remove unnecessary data, converting CycloneDX XML to JSON format, and converting SPDX BOMs to CycloneDX format. The implementation provides complete TypeScript support with comprehensive test coverage.

  • Initial project setup with TypeScript, testing, and CI/CD configuration
  • Core SBOM processing utilities for trimming, format conversion, and SPDX-to-CycloneDX transformation
  • Comprehensive test coverage with over 1400 test cases covering various conversion scenarios

Reviewed Changes

Copilot reviewed 24 out of 37 changed files in this pull request and generated no comments.

Summary per file:
  • src/trim-cdx-bom.mts: Core function to remove externalReferences, evidence, hashes, and properties from CycloneDX components
  • src/spdx-to-cdx.mts: Complex converter that transforms SPDX BOMs to CycloneDX format with component mapping and dependency relationships
  • src/cdx-xml-to-json.mts: XML parser that converts CycloneDX XML format to JSON with proper structure handling
  • src/types/bom/spdx-2.3.schema.ts: Generated TypeScript interfaces for SPDX 2.3 schema validation
  • package.json: Project configuration with dependencies and build scripts
  • tsconfig.build.json: TypeScript build configuration for production output
Comments suppressed due to low confidence (5)

src/spdx-to-cdx.mts:81

  • [nitpick] The variable name 'versionMatch' could be more descriptive. Consider renaming to 'toolVersionMatch' or 'toolNameVersionMatch' to better indicate it matches both name and version components.
          const versionMatch = toolString.match(TOOL_NAME_REGEX);

src/spdx-to-cdx.mts:95

  • [nitpick] The variable name 'p' is ambiguous and unclear. It should be renamed to 'pkg' or 'spdxPackage' to better indicate it represents a package.
  for (const p of spdx.packages ?? []) {

src/spdx-to-cdx.mts:174

  • [nitpick] The variable name 'r' is ambiguous and unclear. It should be renamed to 'relationship' to better indicate what it represents.
  for (const r of spdx.relationships ?? []) {

src/cdx-xml-to-json.mts:109

  • [nitpick] The variable name 'childValue' is somewhat ambiguous in this context. Consider renaming to 'collectionItems' or 'arrayItems' to better reflect that it contains the items within a collection.
      const childValue = value[childKey];

src/cdx-xml-to-json.mts:132

  • [nitpick] The parameter name 'dep' could be more descriptive. Consider renaming to 'dependency' for better readability.
        result[key] = dependencies.map((dep) => {

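The review above describes two of the library's operations without showing their code: an SPDX-to-CycloneDX conversion that maps packages to components and relationships to dependencies, and a trim step that strips externalReferences, evidence, hashes and properties from components. The following is an added example written for this page, not the project's own src/spdx-to-cdx.mts or src/trim-cdx-bom.mts. It uses the public SPDX 2.3 and CycloneDX 1.5 JSON field names; the specific mapping rules (DESCRIBES becomes metadata.component, DEPENDS_ON becomes a dependencies entry, SPDX checksum algorithm names are respelled the CycloneDX way, unknown algorithms are dropped) and the sample document are this example's own assumptions. One practitioner's point worth keeping in mind when trimming: the hashes being removed are the fields a consumer uses to check that the artifact it holds is the one the SBOM describes, so a trimmed BOM is smaller but can no longer support that check.

```typescript
// Added example, not the project's code. SPDX 2.3 JSON -> CycloneDX 1.5 JSON,
// followed by the trim step. Mapping rules below are assumptions of this example.

interface SpdxChecksum { algorithm: string; checksumValue: string; }
interface SpdxPackage {
  SPDXID: string;
  name: string;
  versionInfo?: string;
  downloadLocation?: string;
  checksums?: SpdxChecksum[];
}
interface SpdxRelationship { spdxElementId: string; relationshipType: string; relatedSpdxElement: string; }
interface SpdxDocument { SPDXID: string; packages?: SpdxPackage[]; relationships?: SpdxRelationship[]; }

interface CdxHash { alg: string; content: string; }
interface CdxComponent {
  "bom-ref": string;
  type: string;
  name: string;
  version?: string;
  hashes?: CdxHash[];
  externalReferences?: { type: string; url: string }[];
  evidence?: unknown;
  properties?: { name: string; value: string }[];
  components?: CdxComponent[];
}
interface CdxDependency { ref: string; dependsOn: string[]; }
interface CdxBom {
  bomFormat: "CycloneDX";
  specVersion: string;
  version: number;
  metadata?: { component?: CdxComponent };
  components: CdxComponent[];
  dependencies: CdxDependency[];
}

// SPDX spells algorithms "SHA256"; CycloneDX spells them "SHA-256".
const HASH_ALG: Record<string, string> = { MD5: "MD5", SHA1: "SHA-1", SHA256: "SHA-256", SHA512: "SHA-512" };

function packageToComponent(pkg: SpdxPackage): CdxComponent {
  const component: CdxComponent = { "bom-ref": pkg.SPDXID, type: "library", name: pkg.name };
  if (pkg.versionInfo) component.version = pkg.versionInfo;
  const hashes = (pkg.checksums ?? [])
    .filter((c) => c.algorithm in HASH_ALG) // drop algorithms CycloneDX has no name for
    .map((c) => ({ alg: HASH_ALG[c.algorithm], content: c.checksumValue }));
  if (hashes.length > 0) component.hashes = hashes;
  if (pkg.downloadLocation && pkg.downloadLocation !== "NOASSERTION") {
    component.externalReferences = [{ type: "distribution", url: pkg.downloadLocation }];
  }
  return component;
}

function spdxToCdx(spdx: SpdxDocument): CdxBom {
  const components = (spdx.packages ?? []).map(packageToComponent);
  const byRef = new Map<string, CdxComponent>(components.map((c) => [c["bom-ref"], c] as [string, CdxComponent]));
  const deps = new Map<string, string[]>();
  let root: CdxComponent | undefined;

  for (const rel of spdx.relationships ?? []) {
    if (rel.relationshipType === "DESCRIBES" && rel.spdxElementId === spdx.SPDXID) {
      root = byRef.get(rel.relatedSpdxElement); // the package the document describes
    } else if (rel.relationshipType === "DEPENDS_ON" && byRef.has(rel.spdxElementId) && byRef.has(rel.relatedSpdxElement)) {
      const list = deps.get(rel.spdxElementId) ?? [];
      if (!list.includes(rel.relatedSpdxElement)) list.push(rel.relatedSpdxElement);
      deps.set(rel.spdxElementId, list);
    }
    // Relationships that point at unknown elements are ignored rather than producing dangling refs.
  }
  const bom: CdxBom = {
    bomFormat: "CycloneDX", specVersion: "1.5", version: 1,
    components: components.filter((c) => c !== root),
    dependencies: components.map((c) => ({ ref: c["bom-ref"], dependsOn: deps.get(c["bom-ref"]) ?? [] })),
  };
  if (root) bom.metadata = { component: root };
  return bom;
}

// Trim: strip externalReferences, evidence, hashes and properties from every component,
// nested components included. Returns a new object; the input is not mutated.
function trimComponent(c: CdxComponent): CdxComponent {
  const { externalReferences, evidence, hashes, properties, components, ...rest } = c;
  return components ? { ...rest, components: components.map(trimComponent) } : rest;
}

function trimCdxBom(bom: CdxBom): CdxBom {
  const out: CdxBom = { ...bom, components: bom.components.map(trimComponent) };
  if (bom.metadata?.component) out.metadata = { ...bom.metadata, component: trimComponent(bom.metadata.component) };
  return out;
}

// Constructed sample input for this example (not a real project's SBOM).
const SAMPLE_SPDX: SpdxDocument = {
  SPDXID: "SPDXRef-DOCUMENT",
  packages: [
    { SPDXID: "SPDXRef-app", name: "example-app", versionInfo: "1.0.0", downloadLocation: "NOASSERTION" },
    { SPDXID: "SPDXRef-lib", name: "example-lib", versionInfo: "2.3.1",
      downloadLocation: "https://registry.example/example-lib-2.3.1.tgz",
      checksums: [{ algorithm: "SHA256", checksumValue: "ab".repeat(32) }] },
  ],
  relationships: [
    { spdxElementId: "SPDXRef-DOCUMENT", relationshipType: "DESCRIBES", relatedSpdxElement: "SPDXRef-app" },
    { spdxElementId: "SPDXRef-app", relationshipType: "DEPENDS_ON", relatedSpdxElement: "SPDXRef-lib" },
  ],
};

console.log(JSON.stringify(trimCdxBom(spdxToCdx(SAMPLE_SPDX)), null, 2));
```

Running the file prints the converted and trimmed BOM: example-app ends up as metadata.component, example-lib as the single entry in components with its SHA-256 hash and distribution reference removed, and the dependencies array records that the app depends on the lib. Because the trim returns a fresh object, the untrimmed result from spdxToCdx (hashes included) is still available for verification before the smaller document is shipped.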
@rlmestre rlmestre merged commit 93ed212 into main Jul 22, 2025
6 checks passed
@rlmestre rlmestre deleted the feat/initial-implementation-spdx-converter-xml-and-trim branch July 22, 2025 15:01