Context
src/vex.rs is 50 KB and conflates three concerns: OpenVEX 0.2.0 parsing/emission, CycloneDX VEX 1.6 parsing, and the application of statements to bomdrift findings. The two formats have very different shapes and the application logic is independent of either. Splitting will make it easier for contributors to add (e.g.) a new VEX format without touching the application engine.
Scope
Behavior-preserving refactor. Move the file to:
src/vex/
├── mod.rs # public types + entry points: load(), apply(), emit()
├── openvex.rs # OpenVEX 0.2.0 parser + emitter (the canonical shape we emit)
├── cyclonedx_vex.rs # CycloneDX VEX 1.6 parser (consume only)
├── apply.rs # match statements to findings, suppress / annotate
└── synthetic_id.rs # parse_synthetic_id helper + SyntheticFindingKind enum (v0.9.5)
Acceptance criteria
- … use line updates.
- bomdrift::vex::parse_synthetic_id, the public VexStatement/VexStatus/SyntheticFindingKind types, and the load()/apply()/emit() entry points are all unchanged.
- clippy --all-targets --all-features -- -D warnings clean.
- cargo fmt --all -- --check clean.
Why this matters
Concretely: a contributor wanting to add (say) SPDX VEX 3.0 support should be able to drop a spdx_vex.rs next to cyclonedx_vex.rs and wire it through mod.rs::load()'s format-detection switch — without scrolling through OpenVEX emit logic to find where parsers register.
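To make the split concrete, here is an added sketch of what the two seams could look like: the format-detection switch in mod.rs::load() and the matching step in apply.rs. This is illustration code written for this issue, not bomdrift's own source. The names load/apply/VexStatement/VexStatus follow the issue, but their fields, the detection markers (an openvex.dev @context versus "bomFormat": "CycloneDX"), the Finding/Disposition types, and the suppression policy are all assumptions made for the example. It uses only the standard library so it runs stand-alone.

```rust
// Added illustration, not bomdrift's code: one possible shape for mod.rs
// (format detection in load()) and apply.rs after the split. Type and
// function names follow the issue; fields, detection markers and the
// suppression policy are assumptions made for this example.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum VexFormat {
    OpenVex,
    CycloneDxVex,
}

#[derive(Debug, PartialEq, Eq)]
pub enum LoadError {
    Unrecognized, // no known format marker
    Ambiguous,    // markers for more than one format; refuse to guess
}

/// Format-detection switch for `load()`, decided from document content rather
/// than a file extension. Assumed markers: OpenVEX carries an `@context` under
/// openvex.dev, CycloneDX carries `"bomFormat": "CycloneDX"`. A document that
/// matches both is rejected so that a hybrid cannot steer parser selection.
pub fn detect_format(text: &str) -> Result<VexFormat, LoadError> {
    let compact: String = text.chars().filter(|c| !c.is_whitespace()).collect();
    let openvex = compact.contains("\"@context\":\"https://openvex.dev/ns");
    let cdx = compact.contains("\"bomFormat\":\"CycloneDX\"");
    match (openvex, cdx) {
        (true, false) => Ok(VexFormat::OpenVex),
        (false, true) => Ok(VexFormat::CycloneDxVex),
        (true, true) => Err(LoadError::Ambiguous),
        (false, false) => Err(LoadError::Unrecognized),
    }
}

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum VexStatus {
    NotAffected,
    Affected,
    Fixed,
    UnderInvestigation,
}

#[derive(Debug, Clone)]
pub struct VexStatement {
    pub vuln_id: String,
    pub product: String, // purl the statement is scoped to
    pub status: VexStatus,
    pub justification: Option<String>,
}

#[derive(Debug)]
pub struct Finding {
    pub vuln_id: String,
    pub purl: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Disposition {
    Open,
    Suppressed,
    Annotated(VexStatus),
}

/// apply.rs: match statements to findings on (vulnerability, product).
/// Only `not_affected` suppresses, and only when a justification is present
/// (OpenVEX requires a justification or impact statement for that status);
/// an unjustified not_affected and every other status stay visible, annotated.
pub fn apply(findings: &[Finding], statements: &[VexStatement]) -> Vec<(String, Disposition)> {
    let mut by_key: HashMap<(&str, &str), &VexStatement> = HashMap::new();
    for s in statements {
        by_key.insert((s.vuln_id.as_str(), s.product.as_str()), s);
    }
    findings
        .iter()
        .map(|f| {
            let disposition = match by_key.get(&(f.vuln_id.as_str(), f.purl.as_str())) {
                None => Disposition::Open,
                Some(s) if s.status == VexStatus::NotAffected && s.justification.is_some() => {
                    Disposition::Suppressed
                }
                Some(s) => Disposition::Annotated(s.status),
            };
            (f.vuln_id.clone(), disposition)
        })
        .collect()
}

/// Constructed sample data (placeholder identifiers, not real advisories).
pub fn sample_findings() -> Vec<Finding> {
    ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"]
        .iter()
        .map(|id| Finding { vuln_id: id.to_string(), purl: "pkg:cargo/example@1.0.0".into() })
        .collect()
}

pub fn sample_statements() -> Vec<VexStatement> {
    let product = "pkg:cargo/example@1.0.0".to_string();
    vec![
        VexStatement { vuln_id: "CVE-0000-0001".into(), product: product.clone(), status: VexStatus::NotAffected, justification: Some("vulnerable_code_not_present".into()) },
        VexStatement { vuln_id: "CVE-0000-0002".into(), product, status: VexStatus::NotAffected, justification: None },
    ]
}

fn main() {
    for (id, d) in apply(&sample_findings(), &sample_statements()) {
        println!("{id}: {d:?}");
    }
}
```

The point of keeping detection and application apart is visible here: a new format only needs a parser that produces VexStatement values and one more arm in detect_format, while the rule that an unjustified not_affected never hides a finding lives in apply() alone.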
A note on commit signing
main requires verified signatures (the repo ships cosign-signed releases — we hold our own commits to the same bar).
You usually don't need to set up signing as a contributor: when a maintainer merges via "Merge" or "Squash", GitHub auto-signs the resulting commit, so your unsigned PR-branch commits are fine. That is the friendlier path for everyone.
If you'd like your individual commits to land verbatim on main (so your name shows up in git blame), set up local signing once and your PR can be rebase-merged:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
Then add the same SSH public key under GitHub → Settings → SSH and GPG keys → Signing keys.
See CONTRIBUTING.md → Commit signing on main for the full picture. Either way, please don't sweat it — if your PR is otherwise great, the maintainer will pick a merge mode that works.