Add support for serde traits to cyclonedx-bom types #868

Open

Naxdy wants to merge 1 commit into CycloneDX:main from DeterminateSystems:feat/serde-traits


Conversation


@Naxdy Naxdy commented May 15, 2026

Though the intended way to interact with the crate is to use the individual serialization functions for the different specs, sometimes it is desirable to parse into the main types directly when working with custom intermediate formats, or to only (de-)serialize part of a BOM (e.g. only vulnerabilities).

This PR adds optional Serialize and Deserialize derives to the main Bom struct and all others that require it, but only when compiling with the serde feature. The serde feature is opt-in, so as to preserve the current default behavior, and avoid potentially confusing new users with the intended usage.

@Naxdy Naxdy requested a review from a team as a code owner May 15, 2026 14:30

codacy-production Bot commented May 15, 2026

Up to standards ✅

Issues: 0 new issues

Metrics: complexity 0, duplication 4


@Naxdy Naxdy force-pushed the feat/serde-traits branch from 207b555 to 4f34e4a Compare May 15, 2026 14:31
Shnatsel (Contributor) commented

Could you explain the motivation behind this change?

This looks like a different take on #802 but I'd like to hear what your use cases are like.

Signed-off-by: Naxdy <naxdy@naxdy.org>
@Naxdy Naxdy force-pushed the feat/serde-traits branch from 4f34e4a to 6b2fd1c Compare May 15, 2026 15:58
Naxdy (Author) commented May 15, 2026

Our use case is an SBOM generation tool that supports merging the final BOM with manual annotations. Currently this includes VEX metadata and subcomponents. Our data sources output partial data that we would like to deserialize into the cyclonedx_bom types and merge them with the types we construct within our Rust code.

Currently, we're using our own newtypes and have impl From<OurType> for CycloneDxType blocks for every corresponding type. As you can imagine, this is quite the effort to maintain.

The alternative would be to parse into the parent Bom type directly, but that would require us to extract the subtypes we care about and perform a lot of unnecessary pattern matching around Options when we know we won't need it.

Basically, we'd like to be able to do something like this:

```rust
use cyclonedx_bom::models::{component::Component, vulnerability::Vulnerability};
use serde::{Deserialize, Serialize};

// Only possible once the model types derive Serialize/Deserialize
// (behind the `serde` feature this PR adds).
#[derive(Serialize, Deserialize)]
struct CustomMeta {
  vulnerabilities: Vec<Vulnerability>,
  subcomponents: Vec<Component>,
  // ...
}
```

As a side note, @RossComputerGuy is a colleague of mine, and the SBOM tool referenced in #802 and in this comment are one and the same.
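The opt-in gating from the PR description and the partial-annotation merge from the comment above, as an added example that is not code from this PR, the cyclonedx-bom crate, or either participant. `Vulnerability`, `Component`, `Bom` and `CustomMeta` are hypothetical stand-ins for the crate's models, cut down to the fields a merge needs; the `cfg_attr` gating is assumed to be how the PR wires the `serde` feature (the conventional pattern); `merge`, `load_meta`, `sample` and the `MergeError` type are names chosen here. With the feature off the file compiles as a library under plain rustc with no serde dependency; with `--cfg 'feature="serde"'` plus the serde and serde_json crates, `load_meta` parses an annotation file straight into `CustomMeta`.

```rust
// Added example, not code from the cyclonedx-bom crate or this PR. All types
// are hypothetical stand-ins for the crate's models. The serde derives are
// gated on a `serde` feature (assumed cfg_attr), so with the feature off this
// compiles under plain rustc and carries no serde dependency at all.

#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};

/// Stand-in for a vulnerability entry (hypothetical, not the crate's type).
#[derive(Clone, Debug, PartialEq)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
pub struct Vulnerability {
    pub id: String,
    /// bom-refs of the components this entry claims to affect
    pub affects: Vec<String>,
    /// VEX analysis state, e.g. "not_affected", once a human has decided
    pub analysis: Option<String>,
}

/// Stand-in for a component (hypothetical).
#[derive(Clone, Debug, PartialEq)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
pub struct Component {
    pub bom_ref: String,
    pub name: String,
    pub version: String,
}

/// Stand-in for the top-level BOM (hypothetical).
#[derive(Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
pub struct Bom {
    pub components: Vec<Component>,
    pub vulnerabilities: Vec<Vulnerability>,
}

/// The partial annotation document: only what a human maintains, never a whole
/// BOM. `deny_unknown_fields` turns a typo in the file into a parse error
/// instead of silently dropped data.
#[derive(Clone, Debug, Default, PartialEq)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
#[cfg_attr(feature = "serde", serde(deny_unknown_fields))]
pub struct CustomMeta {
    pub vulnerabilities: Vec<Vulnerability>,
    pub subcomponents: Vec<Component>,
}

#[derive(Debug, PartialEq)]
pub enum MergeError {
    /// An annotation points at a bom-ref that exists nowhere in the merged BOM.
    DanglingRef { vulnerability: String, bom_ref: String },
}

/// Merge manual annotations into a generated BOM. Components are keyed by
/// bom-ref, vulnerabilities by id; on a collision the annotation wins, so a
/// human VEX verdict overrides the scanner. Every `affects` reference must
/// resolve afterwards, or the BOM is rejected rather than emitted with claims
/// about components it does not describe.
pub fn merge(mut bom: Bom, meta: CustomMeta) -> Result<Bom, MergeError> {
    for c in meta.subcomponents {
        match bom.components.iter_mut().find(|x| x.bom_ref == c.bom_ref) {
            Some(existing) => *existing = c,
            None => bom.components.push(c),
        }
    }
    for v in meta.vulnerabilities {
        match bom.vulnerabilities.iter_mut().find(|x| x.id == v.id) {
            Some(existing) => *existing = v,
            None => bom.vulnerabilities.push(v),
        }
    }
    for v in &bom.vulnerabilities {
        let missing = v.affects.iter().find(|r| !bom.components.iter().any(|c| &c.bom_ref == *r));
        if let Some(r) = missing {
            return Err(MergeError::DanglingRef { vulnerability: v.id.clone(), bom_ref: r.clone() });
        }
    }
    Ok(bom)
}

/// Feature-gated: parse the annotation file straight into `CustomMeta`, which
/// is what deriving `Deserialize` on the model types makes possible.
#[cfg(feature = "serde")]
pub fn load_meta(json: &str) -> Result<CustomMeta, serde_json::Error> {
    serde_json::from_str(json)
}

/// Constructed sample data: one scanner-generated BOM and one annotation set
/// that adds a VEX verdict to its vulnerability and adds a subcomponent.
pub fn sample() -> (Bom, CustomMeta) {
    let comp = |r: &str, n: &str, v: &str| Component { bom_ref: r.into(), name: n.into(), version: v.into() };
    let vuln = |analysis: Option<&str>| Vulnerability {
        id: "VULN-EXAMPLE-1".into(),
        affects: vec!["pkg:cargo/foo@1.0.0".into()],
        analysis: analysis.map(Into::into),
    };
    let bom = Bom {
        components: vec![comp("pkg:cargo/foo@1.0.0", "foo", "1.0.0")],
        vulnerabilities: vec![vuln(None)],
    };
    let meta = CustomMeta {
        vulnerabilities: vec![vuln(Some("not_affected"))],
        subcomponents: vec![comp("pkg:cargo/bar@2.0.0", "bar", "2.0.0")],
    };
    (bom, meta)
}
```

Two caveats worth keeping in mind with this approach. First, deserializing straight into model types bypasses the spec-versioned parse path the description calls the crate's intended entry point, so whatever the merged `Bom` is fed to next should still be the crate's own validation and spec-specific serializer, not a bare `serde_json::to_string`. Second, the dangling-ref check matters precisely because the annotation file is hand-maintained: a VEX verdict that "affects" a bom-ref nobody generated is exactly the kind of inconsistency a downstream consumer will not catch for you.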


Labels: none yet · Projects: none yet · 2 participants