8 unstable releases (3 breaking)
new 0.4.3 | Apr 30, 2025 |
---|---|
0.4.2 | Apr 30, 2025 |
0.3.0 | Apr 23, 2025 |
0.2.1 | Apr 23, 2025 |
0.1.0 | Apr 22, 2025 |
#513 in Parser implementations
730 downloads per month
35KB
483 lines
CycloneDX (VEX) to PDF Converter
A command-line tool to convert CycloneDX VEX (Vulnerability Exploitability eXchange) documents in JSON format to PDF reports.
⚠️ Font Requirement
This application requires Liberation Sans fonts to properly render PDF documents.
The Liberation Sans fonts are NOT included in this repository due to licensing considerations. To set up the required fonts:
- Download the Liberation Sans TTF fonts from the official repository
- Create a directory in the project root:
fonts/liberation-fonts
- Place the following TTF files in that directory:
- LiberationSans-Regular.ttf
- LiberationSans-Bold.ttf
- LiberationSans-Italic.ttf
- LiberationSans-BoldItalic.ttf
Alternative options:
- On Linux systems, if the fonts are installed system-wide (typically in
/usr/share/fonts/liberation-sans
), the application will attempt to use them. - Set the font path through an environment variable (not implemented yet).
Note: The Liberation Fonts are licensed under the SIL Open Font License, not MIT. Please respect their license terms when using them.
Overview
VEX-to-PDF is a Rust application that scans the current directory for CycloneDX VEX JSON files and converts them to human-readable PDF reports. It fully supports the CycloneDX VEX schema version 1.5 and provides compatibility for version 1.6 documents that only use 1.5 fields. Documents using 1.6-specific fields may not process correctly. The tool handles various elements of the VEX documentation format including vulnerabilities, components, metadata, and more.
Features
-
Automatically scans directories for JSON files with VEX data
-
Converts VEX documents to structured PDF reports
-
Preserves all key VEX information including:
- Document metadata and timestamps
- Vulnerability details with severity ratings
- Component information
- Tools used to generate the VEX document
-
Cross-platform support (Linux, Windows)
Installation
Prerequisites
- Rust and Cargo (latest stable version)
- Liberation Sans fonts (must be obtained separately as described above)
From Source
Clone the repository, download and place Liberation fonts as described in the Font Requirement section, then build the application with . The binary will be available at target/release/vex2pdf. cargo build --release
Windows Users
Windows users can either:
- Build using Rust for Windows
- Use a pre-built binary (when available)
Usage
Run the application in a directory containing CycloneDX VEX JSON files:
./vex2pdf
The tool will:
- Scan the current directory for JSON files
- Attempt to parse each file as a CycloneDX VEX document
- Generate a PDF report with the same name as the original file (with .pdf extension)
- Display progress and results in the console
Example
$ ./vex2pdf
Scanning for JSON files in: /home/user/vex-documents
Found 3 JSON files
Processing: sample_vex.json
Generating PDF: sample_vex.pdf
Successfully generated PDF: sample_vex.pdf
Processing: second-sample.json
Generating PDF: second-sample.pdf
Successfully generated PDF: UTF-8VEX.pdf
Configuration
No configuration is currently required. The application will:
- Look for Liberation Sans fonts in
/usr/share/fonts/liberation-fonts
- Fall back to the included directory
./fonts/liberation-fonts
Documentation
Note: Rust documentation is a work in progress. Please refer to the code comments for details on specific functions and data structures.
To generate documentation:
cargo doc --open
CycloneDX VEX Format
This tool fully supports CycloneDX VEX schema version 1.5 and provides compatibility for version 1.6 documents that only use 1.5 fields. Documents using 1.6-specific fields may not process correctly. For more information about the CycloneDX VEX format, see:
Version 1.6 Compatibility Mode
This tool implements a special compatibility mode for CycloneDX 1.6 documents:
- When the tool encounters a document with
specVersion: "1.6"
, it will:- Display a notification about downgrading to 1.5
- Automatically modify the document's spec version to "1.5"
- Attempt to process it using the 1.5 schema parser
This compatibility approach works well for documents that don't use 1.6-specific fields but allows the tool to process newer documents without requiring users to manually modify them.
Limitations:
- Documents that use 1.6-specific fields or structures may fail during processing
- No validation is performed for 1.6-specific features
- This is a temporary solution until full 1.6 support is implemented in the underlying cyclonedx-bom library
When processing 1.6 documents, you'll see console messages indicating the compatibility mode is active.
Security Considerations
- The application reads and processes files from the current directory
- No network connections are established
- Input validation is performed on all JSON files
- Font paths are validated before use
License
This project is licensed under the MIT License - see the LICENSE.md file for details. The Liberation Fonts used by this application are licensed under the SIL Open Font License and must be obtained separately.
Acknowledgments
- CycloneDX for the VEX specification
- cyclonedx-bom for CycloneDX parsing
- genpdf for PDF generation
- serde_json for JSON processing
- Liberation Fonts for the PDF rendering fonts
Dependencies
~28MB
~300K SLoC