Crate vex2pdf


§vex2pdf - CycloneDX to PDF Converter

A Rust library for converting CycloneDX VEX/VDR/SBOM documents (JSON and XML formats) to professional PDF reports with embedded fonts, color-coded vulnerability analysis, and concurrent processing support.

§CycloneDX Compatibility

This library fully supports CycloneDX schema version 1.5 and provides compatibility for version 1.6 documents that only use 1.5 fields. Documents using 1.6-specific fields may not process correctly.
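The compatibility caveat above can be enforced before conversion. The following is an added example, not vex2pdf's own code: a std-only pre-flight check that reads the root-level `specVersion` of a JSON document and flags `declarations` and `definitions`, the root-level properties introduced by the CycloneDX 1.6 schema. The names `Triage`, `triage`, `root_strings` and `V16_ROOT` are hypothetical, and the check is deliberately coarse: it does not look for 1.6-only fields nested deeper in the document.

```rust
// Added example, not vex2pdf code: std-only pre-flight triage of CycloneDX JSON.
#[derive(Debug, PartialEq)]
pub enum Triage {
    Supported,                  // specVersion 1.5
    V16NoRootAdditions,         // 1.6; nested 1.6-only fields are NOT ruled out
    V16Only(Vec<&'static str>), // 1.6 and uses these root-level 1.6 additions
    Other(Option<String>),      // any other, or missing, specVersion
}
// Root-level properties introduced by the CycloneDX 1.6 schema.
const V16_ROOT: [&str; 2] = ["declarations", "definitions"];

/// Strings found directly in the root object; the flag is true for keys.
fn root_strings(json: &str) -> Vec<(String, bool)> {
    let mut out: Vec<(String, bool)> = Vec::new();
    let (mut depth, mut in_str, mut esc, mut cur) = (0i32, false, false, String::new());
    for c in json.chars() {
        if in_str {
            if esc { esc = false; cur.push(c); } // escaped char kept raw, not decoded
            else if c == '\\' { esc = true; }
            else if c != '"' { cur.push(c); }
            else { in_str = false; if depth == 1 { out.push((cur.clone(), false)); } }
            continue;
        }
        match c {
            '"' => { in_str = true; cur.clear(); }
            '{' | '[' => depth += 1,
            '}' | ']' => depth -= 1,
            // A colon at root depth means the string just read was a key.
            ':' if depth == 1 => { if let Some(e) = out.last_mut() { e.1 = true; } }
            _ => {}
        }
    }
    out
}

pub fn triage(json: &str) -> Triage {
    let toks = root_strings(json);
    let is_key = |name: &str| toks.iter().position(|(s, k)| *k && s == name);
    let spec = is_key("specVersion").and_then(|i| toks.get(i + 1)).filter(|(_, k)| !*k);
    match spec.map(|(s, _)| s.as_str()) {
        Some("1.5") => Triage::Supported,
        Some("1.6") => {
            let hits: Vec<&'static str> = V16_ROOT.iter().copied().filter(|n| is_key(*n).is_some()).collect();
            if hits.is_empty() { Triage::V16NoRootAdditions } else { Triage::V16Only(hits) }
        }
        v => Triage::Other(v.map(str::to_string)),
    }
}
fn main() {
    // Constructed sample: a 1.6 document that uses the root-level `declarations` object.
    println!("{:?}", triage(r#"{"specVersion":"1.6","declarations":{},"vulnerabilities":[]}"#));
}
```

A `V16Only` or `Other` result is a reason to hold the file back for review instead of publishing a report generated from it.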

§Quick Start

use vex2pdf::lib_utils::config::Config;
use vex2pdf::run;

let config = Config::default()
    .working_path("./input")
    .output_dir("./output")
    .max_jobs(Some(4));

run(config).expect("Failed to process files");

§Configuration

Configuration is managed through the Config struct using the builder pattern for flexibility.

Use method chaining to configure exactly what you need:

use vex2pdf::lib_utils::config::Config;

let config = Config::default()
    .working_path("./input")
    .output_dir("./output")
    .max_jobs(Some(4))
    .report_title("Q4 2024 Security Report")
    .show_components(true);

§Available Builder Methods

See Config documentation for the complete list.

§For CLI Applications

CLI applications should use Config::build_from_env_cli() to parse command-line arguments and environment variables.

For detailed CLI documentation:

§Features

  • Multi-format support: JSON and XML CycloneDX documents
  • Document types: VEX, VDR, and SBOM/BOM
  • Vulnerability analysis rendering: Color-coded states (Exploitable, Resolved, In Triage, etc.) and response actions
  • Optional concurrent processing: Feature flag enables threadpool with configurable job limits (single-threaded to max parallelism)
  • Embedded fonts: Liberation Sans fonts built-in, no external dependencies
  • Structured logging: Info/debug to stdout, warnings/errors to stderr
  • Memory safe: Unsafe code forbidden at compile-time
  • CLI and library: Use as standalone tool or integrate into your application
  • Flexible feature flags: Choose exactly the dependencies you need (cli, concurrency, or both)

§Documentation

  • README - Installation instructions, CLI usage, environment variables, and configuration
  • Developer Notes - Testing, code coverage, architecture details, and trait system
  • API Documentation - Full API reference on docs.rs
  • Changelog - Version history and release notes

§Library Architecture

The library is organized into modules:

  • pdf: PDF generation functionality
    • font_config: Embedded font management
    • generator: PDF document generation with analysis rendering
  • lib_utils: Configuration, CLI arguments, environment variables, and utility functions
  • files_proc: File discovery, processing pipeline, and trait system
    • processor: Main processing logic with trait abstractions (uses optional concurrency)
    • model: File identification and processing state

Concurrency: When the concurrency feature is enabled (default), the library uses jlizard-simple-threadpool for concurrent file processing. Without this feature, files are processed sequentially in the main thread.

Re-exports§

pub use crate::lib_utils::run_utils as utils;
pub use cyclonedx_bom;

Modules§

files_proc
lib_utils
pdf

Functions§

run
Processes CycloneDX VEX documents according to the provided configuration.
show_full_licenses
Helper to show OSS License information