
Module build


Manifest + applied-set → OpenVEX Document builder.

The grouping rule (one statement per vulnerability ID) means we transpose the manifest: it stores PURL -> { vulnId -> info }, but VEX wants vulnId -> { products (and subcomponents) }. We do that transpose once, then sort to keep output deterministic.

GHSA naming convention: we use the vuln-ID key (typically GHSA-xxxx) as Vulnerability.name and the cves array as aliases. If a single manifest entry has both the manifest’s key and cves, the latter become aliases. When two patches fix the same vuln ID, they merge into one statement with both PURLs as subcomponents.
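The transpose and merge rule described above, as an added sketch that is not this crate's own code. `VulnInfo`, `Manifest`, `Statement`, `transpose` and `sample` are hypothetical names, the sample PURLs and IDs are constructed, and it assumes only applied PURLs contribute to a statement; the product field of a real OpenVEX statement is left out.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Hypothetical stand-ins for the manifest and statement shapes, not the crate's real types.
pub struct VulnInfo { pub cves: Vec<String> }
pub type Manifest = BTreeMap<String, BTreeMap<String, VulnInfo>>; // PURL -> { vulnId -> info }

#[derive(Debug, PartialEq)]
pub struct Statement {
    pub name: String,               // vuln-ID key, typically a GHSA id
    pub aliases: Vec<String>,       // CVE ids, sorted and de-duplicated
    pub subcomponents: Vec<String>, // patched PURLs, sorted
}

/// Transpose PURL -> vulnId into vulnId -> PURLs, one statement per vuln ID.
pub fn transpose(manifest: &Manifest, applied: &BTreeSet<String>) -> Vec<Statement> {
    let mut by_vuln: BTreeMap<&str, (BTreeSet<&str>, BTreeSet<&str>)> = BTreeMap::new();
    for (purl, vulns) in manifest {
        if !applied.contains(purl) { continue; } // assumption: unapplied patches are skipped
        for (vuln_id, info) in vulns {
            let (aliases, purls) = by_vuln.entry(vuln_id.as_str()).or_default();
            aliases.extend(info.cves.iter().map(String::as_str));
            purls.insert(purl.as_str());
        }
    }
    // BTreeMap and BTreeSet iterate in key order, so the output is deterministic.
    by_vuln.into_iter().map(|(name, (aliases, purls))| Statement {
        name: name.to_string(),
        aliases: aliases.into_iter().map(String::from).collect(),
        subcomponents: purls.into_iter().map(String::from).collect(),
    }).collect()
}

/// Constructed sample: two applied patches for one vuln ID, plus one unapplied entry.
pub fn sample() -> (Manifest, BTreeSet<String>) {
    let entry = |id: &str, cve: &str| {
        BTreeMap::from([(id.to_string(), VulnInfo { cves: vec![cve.to_string()] })])
    };
    let manifest = BTreeMap::from([
        ("pkg:npm/b@2.0.0".to_string(), entry("GHSA-aaaa-aaaa-aaaa", "CVE-0000-0001")),
        ("pkg:npm/a@1.0.0".to_string(), entry("GHSA-aaaa-aaaa-aaaa", "CVE-0000-0001")),
        ("pkg:npm/c@3.0.0".to_string(), entry("GHSA-bbbb-bbbb-bbbb", "CVE-0000-0002")),
    ]);
    let applied = BTreeSet::from(["pkg:npm/a@1.0.0".to_string(), "pkg:npm/b@2.0.0".to_string()]);
    (manifest, applied)
}

fn main() {
    let (m, a) = sample();
    for s in transpose(&m, &a) { println!("{s:?}"); }
}
```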

Structs§

BuildOptions
Inputs for the document builder. The caller owns config like author and doc_id so the builder stays pure.

Functions§

build_document
Build a VEX document from a manifest and a set of applied PURLs.