Skip to main content

Sbom

Struct Sbom

pub struct Sbom {
    pub metadata: Metadata,
    pub components: IndexMap<ComponentId, Component>,
    pub dependencies: BTreeMap<ComponentId, BTreeSet<ComponentId>>,
}

Expand description

Format-agnostic SBOM (Software Bill of Materials) representation.

This is the central type that holds all components and their relationships. It abstracts over format-specific details from CycloneDX, SPDX, and other formats.

§Example

use sbom_model::{Sbom, Component};

let mut sbom = Sbom::default();
let component = Component::new("serde".into(), Some("1.0.0".into()));
sbom.components.insert(component.id.clone(), component);

Fields§

§metadata: Metadata

Document-level metadata (creation time, tools, authors).

§components: IndexMap<ComponentId, Component>

All components indexed by their stable identifier.

§dependencies: BTreeMap<ComponentId, BTreeSet<ComponentId>>

Dependency graph as adjacency list: parent -> set of children.

Implementations§

impl Sbom

pub fn normalize(&mut self)

Normalizes the SBOM for deterministic comparison.

This method:

Sorts components by ID
Deduplicates and sorts licenses within each component
Lowercases hash algorithms and values
Clears volatile metadata (timestamps, tools, authors)

Call this before comparing two SBOMs to ignore irrelevant differences.

pub fn roots(&self) -> Vec<ComponentId>

Returns root components (those not depended on by any other component).

These are typically the top-level packages or applications in the SBOM.

pub fn deps(&self, id: &ComponentId) -> Vec<ComponentId>

Returns direct dependencies of the given component.

pub fn rdeps(&self, id: &ComponentId) -> Vec<ComponentId>

Returns reverse dependencies (components that depend on the given component).

pub fn transitive_deps(&self, id: &ComponentId) -> BTreeSet<ComponentId>

Returns all transitive dependencies of the given component.

Traverses the dependency graph depth-first and returns all reachable components.

pub fn ecosystems(&self) -> BTreeSet<String>

Returns all unique ecosystems present in the SBOM.

pub fn licenses(&self) -> BTreeSet<String>

Returns all unique licenses present across all components.

pub fn missing_hashes(&self) -> Vec<ComponentId>

Returns components that have no checksums/hashes.

Useful for identifying components that may need integrity verification.

pub fn by_purl(&self, purl: &str) -> Option<&Component>

Finds a component by its package URL.

Trait Implementations§

impl Clone for Sbom

fn clone(&self) -> Sbom

Returns a duplicate of the value. Read more

1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

impl Debug for Sbom

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

impl Default for Sbom

fn default() -> Self

Returns the “default value” for a type. Read more

impl<'de> Deserialize<'de> for Sbom

fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer. Read more

impl PartialEq for Sbom

fn eq(&self, other: &Sbom) -> bool

Tests for self and other values to be equal, and is used by ==.

1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for Sbom

fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where S: Serializer,

Serialize this value into the given Serde serializer. Read more

impl Eq for Sbom

impl StructuralPartialEq for Sbom

Auto Trait Implementations§

impl Freeze for Sbom

impl RefUnwindSafe for Sbom

impl Send for Sbom

impl Sync for Sbom

impl Unpin for Sbom

impl UnwindSafe for Sbom

Blanket Implementations§

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)

Performs copy-assignment from self to dest. Read more

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Checks if this value is equivalent to the given key. Read more

impl<Q, K> Equivalent<K> for Q
where Q: Eq + ?Sized, K: Borrow<Q> + ?Sized,

fn equivalent(&self, key: &K) -> bool

Compare self to key and return true if they are equal.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Same for T

type Output = T

Should always be Self

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,