Currently the AbstractBomGenerator and its implementations use several custom serializers, which are registered in a freshly created ObjectMapper every time.
Handling partial serialization of a BOM is not cleanly possible (e.g. serializing a single vulnerability or a list of components), since the ObjectMapper is not exposed and the AbstractBomGenerator signatures do not match. The only way of achieving this while serializing exactly as this reference implementation does is either using reflection hacks or copy-pasting the code wholesale.
Additionally, the Jackson ObjectMapper isn't a lightweight object. For a simple parse-modify-writeback loop of a CycloneDX document, two separate ObjectMappers are created on every such loop, which is entirely unnecessary.
Feature request / proposal:
- Decouple ObjectMapper creation and configuration from AbstractBomGenerator and Parser implementations
- Expose the ObjectMapper in a public accessor
- While at it, memoize/cache the ObjectMapper instance per Version, so that a single ObjectMapper instance is used for both serialization and deserialization
Benefits of the change:
- Enables partial serialization of BOMs and clean, direct work with document parts
- Reduces and stabilizes the memory footprint when (de-)serializing multiple documents
- Improves performance when (de-)serializing from the second document onward (once the ObjectMapper has been created)
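The shape the proposal above describes, as an added illustration rather than code from cyclonedx-core-java: one lazily built ObjectMapper cached per schema version behind a public accessor, then reused to serialize only a list of components. `SchemaVersion`, `Component` and `BomMappers` are stand-ins defined here, not the project's own types.

```java
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the schema version enum; the project's real enum is not reproduced here.
enum SchemaVersion { V1_4, V1_5 }

// Constructed stand-in for a BOM component; the real model class has many more fields.
record Component(String name, String version, String purl) {}

/** One lazily created, shared ObjectMapper per schema version (the caching proposed in this issue). */
final class BomMappers {
    private static final Map<SchemaVersion, ObjectMapper> CACHE = new ConcurrentHashMap<>();

    private BomMappers() {}

    // Public accessor: callers get the very same configured instance a generator or parser would use.
    public static ObjectMapper forVersion(SchemaVersion v) {
        return CACHE.computeIfAbsent(v, BomMappers::configure);
    }

    // Single place where version-specific (de)serializers are registered, instead of inside each generator.
    private static ObjectMapper configure(SchemaVersion v) {
        ObjectMapper m = new ObjectMapper();
        m.setSerializationInclusion(JsonInclude.Include.NON_NULL);
        SimpleModule module = new SimpleModule("cyclonedx-" + v);
        // Custom serializers for this version would be registered via module.addSerializer(...)
        m.registerModule(module);
        return m;
    }
}

public class PartialSerializationDemo {
    public static void main(String[] args) throws JsonProcessingException {
        ObjectMapper mapper = BomMappers.forVersion(SchemaVersion.V1_5);
        // Partial serialization: a list of components, not a whole BOM, with the shared mapper (constructed sample data).
        List<Component> parts = List.of(
            new Component("jackson-databind", "2.17.0", "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.17.0"),
            new Component("postgresql", "42.7.3", null));
        String json = mapper.writeValueAsString(parts);
        System.out.println(json);
        // Round trip with the same instance: no second ObjectMapper is created for the read side.
        List<Component> back = mapper.readValue(json, new TypeReference<List<Component>>() {});
        System.out.println(back.size() + " components read back; same mapper reused: "
            + (mapper == BomMappers.forVersion(SchemaVersion.V1_5)));
    }
}
```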
Context of this request:
I'm currently working on a private project (private for now, currently too raw / alpha) which stores and queries CycloneDX. I'm heavily using Postgres JSONB support, and being able to properly work with partial objects is a requirement for me.
Is there interest in a feature like that? I'll build that for myself anyway, but having it integrated in the core lib would be cleaner for me, and might benefit a few other people, so I can gladly make a PR.
Just wanted to ask before dropping a rather big change out of the blue.