Add option to disable Unicode escaping of characters like `&`
When merging SBOMs using the CycloneDX CLI, characters like & are currently encoded as Unicode escape sequences (\u0026) in the resulting JSON output, even though this is not required by the JSON specification.
Problem
Printable characters such as the ampersand (&) are unnecessarily escaped in the generated JSON:
"author": "ACME R\u0026D Team"
This reduces readability and creates noisy diffs in version control, even though these characters are perfectly valid in JSON when unescaped.
Feature Request
Please consider adding a CLI option such as --no-ascii-escape or --preserve-utf8 that outputs characters like & as-is, without escaping them to Unicode:
"author": "ACME R&D Team"
Benefits
- Improves human readability of SBOM files
- Reduces unnecessary changes in version control
- Matches behavior of other JSON serializers like Python's `json.dump(..., ensure_ascii=False)`
Version 9.0.2 of the library exposes an option for that. It's called something like 'unsafeRelaxedJsonEscaping'.
In 'cyclonedx-dotnet' I made it a separate output option (there is now 'json' and 'unsafeJson'). That is an alternative to adding a new option.
Thanks for the clarification!
Just to make sure I understand correctly: when you mention “the library”, I assume you're referring to the underlying implementation used by the CycloneDX CLI?
For now, I’ve found that post-processing the merged output with jq restores characters like \u0026 back to &, which works fine as a workaround.
Thanks again for your support!
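The post-processing workaround described above, as an added Python example that is not part of the original thread or of the CycloneDX CLI: it rewrites the escapes, checks that the parsed document is unchanged, and lists the string values holding characters that HTML-aware encoders escape, which are the ones to review if the SBOM is ever embedded in an HTML page. The sample SBOM fragment and both function names are constructed for illustration.

```python
import json

# Constructed sample: a fragment shaped like merged CLI output, with "&"
# written as the \u0026 escape exactly as in the issue.
ESCAPED_SBOM = r'''{
  "bomFormat": "CycloneDX",
  "metadata": {"authors": [{"name": "ACME R\u0026D Team"}]},
  "components": [{"name": "caf\u00e9-utils", "description": "a \u003c b"}]
}'''

# Characters that are legal unescaped in JSON but that HTML-aware JSON
# encoders escape anyway.
HTML_SENSITIVE = set("&<>'+")


def unescape_sbom(text: str) -> str:
    """Re-serialize JSON so printable characters are written literally."""
    doc = json.loads(text)
    out = json.dumps(doc, ensure_ascii=False, indent=2)
    # Guard: the rewrite may change bytes only, never the parsed document.
    if json.loads(out) != doc:
        raise ValueError("re-serialization changed the document")
    return out


def html_sensitive_strings(node, path="$"):
    """Return JSON paths of string values holding HTML-sensitive characters."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += html_sensitive_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += html_sensitive_strings(value, f"{path}[{i}]")
    elif isinstance(node, str) and HTML_SENSITIVE & set(node):
        hits.append(path)
    return hits


if __name__ == "__main__":
    readable = unescape_sbom(ESCAPED_SBOM)
    print(readable)
    print(html_sensitive_strings(json.loads(readable)))
```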
Hi,
yes, the CycloneDX CLI uses the cyclonedx-dotnet-library under the hood.
Great to hear you found a workaround. I will leave the issue open in case anybody wants to implement this, or I ever find the time to do so.