Add custom Vulnerability serializer and tests

src/main/java/org/cyclonedx/generators/AbstractBomGenerator.java

@@ -16,6 +16,7 @@
 import org.cyclonedx.util.serializer.MetadataSerializer;
 import org.cyclonedx.util.serializer.OutputTypeSerializer;
 import org.cyclonedx.util.serializer.SignatorySerializer;
+import org.cyclonedx.util.serializer.VulnerabilitySerializer;
 
 public abstract class AbstractBomGenerator extends CycloneDxSchema
 {
@@ -69,6 +70,10 @@ protected void setupObjectMapper(boolean isXml) {
     metadataModule.addSerializer(new MetadataSerializer(isXml, getSchemaVersion()));
     mapper.registerModule(metadataModule);
 
+    SimpleModule vulnerabilityModule = new SimpleModule();
+    vulnerabilityModule.addSerializer(new VulnerabilitySerializer(isXml, getSchemaVersion()));
+    mapper.registerModule(vulnerabilityModule);
+
     SimpleModule inputTypeModule = new SimpleModule();
     inputTypeModule.addSerializer(new InputTypeSerializer(isXml));
     mapper.registerModule(inputTypeModule);

src/main/java/org/cyclonedx/model/vulnerability/Vulnerability.java

@@ -23,6 +23,7 @@
 import java.util.List;
 import java.util.Objects;
 
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -105,11 +106,8 @@ public Vulnerability() {}
   @VersionFilter(org.cyclonedx.Version.VERSION_15)
   private Date rejected;
   private Credits credits;
-  @JacksonXmlElementWrapper(localName = "tools")
-  @JacksonXmlProperty(localName = "tool")
   @Deprecated
   private List<Tool> tools;
-  @JacksonXmlProperty(localName = "tools")
   @VersionFilter(org.cyclonedx.Version.VERSION_15)
   private ToolInformation toolInformation;
   private Analysis analysis;
@@ -272,6 +270,10 @@ public void setCredits(final Credits credits) {
     this.credits = credits;
   }
 
+  @Deprecated
+  @JacksonXmlElementWrapper(localName = "tools")
+  @JacksonXmlProperty(localName = "tool")
+  @JsonIgnore
   public List<Tool> getTools() {
     return tools;
   }
@@ -283,6 +285,7 @@ public void setTools(final List<Tool> tools) {
   @JacksonXmlProperty(localName = "tools")
   @JsonProperty("tools")
   @VersionFilter(org.cyclonedx.Version.VERSION_15)
+  @JsonIgnore
   public ToolInformation getToolChoice() {
     return toolInformation;
   }

src/main/java/org/cyclonedx/util/deserializer/VulnerabilityDeserializer.java

@@ -29,6 +29,7 @@
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ArrayNode;
+import org.apache.commons.lang3.StringUtils;
 import org.cyclonedx.model.OrganizationalContact;
 import org.cyclonedx.model.OrganizationalEntity;
 import org.cyclonedx.model.Property;
@@ -70,23 +71,45 @@ private Vulnerability parseVulnerability(JsonNode node, JsonParser jsonParser, D
     Vulnerability vulnerability = new Vulnerability();
 
     if (node.has("bom-ref")) {
-      vulnerability.setBomRef(node.get("bom-ref").asText());
+      String bomRef = node.get("bom-ref").asText();
+      if (StringUtils.isNotEmpty(bomRef)) {
+        vulnerability.setBomRef(bomRef);
+      }
     }
 
     if (node.has("id")) {
-      vulnerability.setId(node.get("id").asText());
+      String id = node.get("id").asText();
+      if (StringUtils.isNotEmpty(id)) {
+        vulnerability.setId(id);
+      }
     }
 
     if (node.has("description")) {
-      vulnerability.setDescription(node.get("description").asText());
+      String description = node.get("description").asText();
+      if (StringUtils.isNotEmpty(description)) {
+        vulnerability.setDescription(description);
+      }
     }
 
     if (node.has("detail")) {
-      vulnerability.setDetail(node.get("detail").asText());
+      String detail = node.get("detail").asText();
+      if (StringUtils.isNotEmpty(detail)) {
+        vulnerability.setDetail(detail);
+      }
     }
 
     if (node.has("recommendation")) {
-      vulnerability.setRecommendation(node.get("recommendation").asText());
+      String recommendation = node.get("recommendation").asText();
+      if (StringUtils.isNotEmpty(recommendation)) {
+        vulnerability.setRecommendation(recommendation);
+      }
+    }
+
+    if (node.has("workaround")) {
+      String workaround = node.get("workaround").asText();
+      if (StringUtils.isNotEmpty(workaround)) {
+        vulnerability.setWorkaround(workaround);
+      }
     }
 
     if (node.has("source")) {
@@ -223,7 +246,10 @@ private void parseAnalysis(JsonNode analysisNode, Vulnerability vulnerability, O
         analysis.setJustification(mapper.convertValue(analysisNode.get("justification"), Vulnerability.Analysis.Justification.class));
       }
       if (analysisNode.has("detail")) {
-        analysis.setDetail(analysisNode.get("detail").asText());
+        String detail = analysisNode.get("detail").asText();
+        if (StringUtils.isNotEmpty(detail)) {
+          analysis.setDetail(detail);
+        }
       }
       if (analysisNode.has("firstIssued")) {
         analysis.setFirstIssued(TimestampUtils.parseTimestamp(analysisNode.get("firstIssued").textValue()));