Intermediate representation for normalized SBOMs.
This module defines the canonical data structures used for format-agnostic
SBOM comparison. Both CycloneDX and SPDX formats are normalized to these
structures before diff operations.
Index Support
For efficient TUI operations on large SBOMs, use NormalizedSbomIndex
to precompute lookups:
```rust
let sbom = parse_sbom(&path)?;
let index = NormalizedSbomIndex::build(&sbom);
// O(1) dependency lookup instead of O(edges)
let deps = index.dependencies_of(&component_id, &sbom.edges);
```
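The snippet above only shows the call site. The following is an added, self-contained model of what such an index precomputes; it is not the crate's own code, and the field layouts of `DependencyEdge` and `NormalizedSbom`, the `dependents_of`, `resolve`, `edge_count` and `dependencies_of_scan` names, and the sample package URLs are all assumptions made for this example. It builds per-component adjacency in one pass over the edges, resolves lookups as edge positions against the caller's edge list (matching the `(&component_id, &sbom.edges)` signature shown), and refuses to dereference those positions into a different edge list, which is the one way this kind of index silently returns wrong answers.

```rust
use std::collections::HashMap;

/// Stand-in for the module's `DependencyEdge` (shape assumed for this example).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct DependencyEdge {
    /// Canonical id of the component that depends on `to`.
    pub from: String,
    /// Canonical id of the dependency.
    pub to: String,
}

/// Stand-in for the module's `NormalizedSbom`, reduced to its edge list.
pub struct NormalizedSbom {
    pub edges: Vec<DependencyEdge>,
}

/// Precomputed adjacency: component id -> positions in `sbom.edges`.
/// Storing positions instead of cloned edges keeps the index small and lets
/// the caller resolve them against the edge list it already holds.
pub struct NormalizedSbomIndex {
    outgoing: HashMap<String, Vec<usize>>,
    incoming: HashMap<String, Vec<usize>>,
    edge_count: usize,
}

impl NormalizedSbomIndex {
    /// One pass over the edges at build time; every later lookup costs one
    /// hash probe plus the size of the answer, independent of the edge count.
    pub fn build(sbom: &NormalizedSbom) -> Self {
        let mut outgoing: HashMap<String, Vec<usize>> = HashMap::new();
        let mut incoming: HashMap<String, Vec<usize>> = HashMap::new();
        for (i, edge) in sbom.edges.iter().enumerate() {
            outgoing.entry(edge.from.clone()).or_default().push(i);
            incoming.entry(edge.to.clone()).or_default().push(i);
        }
        Self { outgoing, incoming, edge_count: sbom.edges.len() }
    }

    /// Direct dependencies of `id`, in original edge order.
    pub fn dependencies_of<'a>(&self, id: &str, edges: &'a [DependencyEdge]) -> Vec<&'a DependencyEdge> {
        self.resolve(self.outgoing.get(id), edges)
    }

    /// Components that directly depend on `id` (reverse lookup, same cost).
    pub fn dependents_of<'a>(&self, id: &str, edges: &'a [DependencyEdge]) -> Vec<&'a DependencyEdge> {
        self.resolve(self.incoming.get(id), edges)
    }

    fn resolve<'a>(&self, positions: Option<&Vec<usize>>, edges: &'a [DependencyEdge]) -> Vec<&'a DependencyEdge> {
        // Stored positions are only meaningful for the edge list the index was
        // built from; a different list would yield wrong edges or a panic.
        assert_eq!(edges.len(), self.edge_count, "index was built for a different edge list");
        match positions {
            Some(p) => p.iter().map(|&i| &edges[i]).collect(),
            None => Vec::new(),
        }
    }
}

/// Naive O(edges) scan: what the index replaces, kept here to cross-check it.
pub fn dependencies_of_scan<'a>(id: &str, edges: &'a [DependencyEdge]) -> Vec<&'a DependencyEdge> {
    edges.iter().filter(|e| e.from == id).collect()
}

/// Constructed sample graph (not taken from any real SBOM).
pub fn sample_sbom() -> NormalizedSbom {
    let edge = |from: &str, to: &str| DependencyEdge { from: from.to_string(), to: to.to_string() };
    NormalizedSbom {
        edges: vec![
            edge("pkg:cargo/app@1.0.0", "pkg:cargo/serde@1.0.200"),
            edge("pkg:cargo/app@1.0.0", "pkg:cargo/tokio@1.37.0"),
            edge("pkg:cargo/tokio@1.37.0", "pkg:cargo/mio@0.8.11"),
            edge("pkg:cargo/serde@1.0.200", "pkg:cargo/serde_derive@1.0.200"),
        ],
    }
}

fn main() {
    let sbom = sample_sbom();
    let index = NormalizedSbomIndex::build(&sbom);
    for e in index.dependencies_of("pkg:cargo/app@1.0.0", &sbom.edges) {
        println!("{} -> {}", e.from, e.to);
    }
    for e in index.dependents_of("pkg:cargo/mio@0.8.11", &sbom.edges) {
        println!("{} is pulled in by {}", e.to, e.from);
    }
}
```

Rebuild the index whenever the edge list is re-parsed or mutated; the length check above catches a swapped list but not an in-place edit that keeps the same length.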
Structs
- Annotation - Annotation/comment
- CanonicalId - Canonical identifier for a component.
- CanonicalIdResult - Result of canonical ID generation, including stability information
- Component - Component in the normalized SBOM
- ComponentExtensions - Component-level extensions
- ComponentIdentifiers - Component identifiers from various sources
- ComponentRef - A lightweight reference to a component, combining its stable ID with a human-readable display name.
- ComponentSortKey - Pre-computed lowercase strings for sorting without repeated allocations.
- Contact - Contact information
- CraSidecarMetadata - CRA sidecar metadata that supplements SBOM information
- Creator - Creator information
- CvssScore - CVSS score information
- DependencyEdge - Dependency edge between components
- DocumentMetadata - Document-level metadata
- EolInfo - End-of-life information for a component
- ExternalReference - External reference
- FormatExtensions - Format-specific extensions that don't map to the canonical model
- Hash - Cryptographic hash
- KevInfo - CISA Known Exploited Vulnerabilities (KEV) catalog information
- LicenseEvidence - License evidence from source scanning
- LicenseExpression - License expression following SPDX license expression syntax
- LicenseInfo - License information for a component
- NormalizedSbom - Normalized SBOM document - the canonical intermediate representation.
- NormalizedSbomIndex - Precomputed index for efficient SBOM queries.
- Organization - Organization/supplier information
- Property - Key-value property
- Remediation - Remediation information
- SbomIndexBuilder - Builder for creating indexes with optional features.
- SignatureInfo - Digital signature information for the SBOM document
- StalenessInfo - Staleness information for a component
- VexStatus - VEX (Vulnerability Exploitability eXchange) status
- VulnerabilityCounts - Vulnerability counts by severity
- VulnerabilityRef - Reference to a vulnerability affecting a component
- VulnerabilityRef2 - A reference to a vulnerability with its associated component
Enums
- CompletenessDeclaration - Self-declared completeness level of the SBOM
- ComponentType - Component type classification
- CraSidecarError - Errors that can occur when loading sidecar metadata
- CreatorType - Type of creator
- CvssVersion - CVSS version
- DependencyScope - Dependency scope
- DependencyType - Dependency relationship type
- Ecosystem - Ecosystem/package manager type
- EolStatus - End-of-life status classification for components
- ExternalRefType - External reference types
- HashAlgorithm - Hash algorithm types
- IdReliability - Reliability level of component identification
- IdSource - Source of the canonical identifier, ordered by reliability
- LicenseFamily - License family classification
- RemediationType - Remediation type
- SbomFormat - SBOM format type
- Severity - Severity level
- StalenessLevel - Staleness level classification for dependencies
- VexJustification - VEX justification for the `not_affected` status
- VexResponse - VEX response type
- VexState - VEX state
- VulnerabilitySource - Vulnerability database source