Generic JSON
There is already a generic importer for CSV data, but it only supports a small subset of Finding attributes. A generic JSON parser can easily support all relevant attributes from the Finding class. Such a generic JSON importer would allow scanners/exporters that support arbitrary JSON output to add support for DefectDojo, rather than adding a scanner-specific importer to DefectDojo.
Sample use case
DefectDojo provides a Fortify importer based on Fortify XML reports; however, this approach has various drawbacks. A more modern and much more flexible approach for exporting Fortify vulnerability data is provided by FortifyVulnerabilityExporter.
Based on this utility, we can already set up an integration between Fortify and DefectDojo using a mutually supported format like GitLab SAST or SARIF reports. However, it would be even better to have FortifyVulnerabilityExporter export vulnerability data to a dedicated DefectDojo JSON format. This would allow for more flexibility, and could allow non-SAST (DAST, ...) vulnerability data to be exported to DefectDojo.
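To make the proposal above concrete, here is an added sketch of what such a generic JSON importer could look like. It is example code written for this issue, not DefectDojo's own parser code, and the input layout (a top-level "findings" list), the function name `load_findings` and the sample report are assumptions; the allowed keys are modelled on common attributes of DefectDojo's Finding model. The point worth noting for an importer that accepts arbitrary JSON is that it should map only an explicit allowlist of attributes and type-check each one, so an uploaded report cannot set fields the importer never meant to expose (reporter, test, foreign keys), and it should normalise severity and drop duplicates within the report rather than trusting the exporter to do so.

```python
"""Hypothetical generic JSON importer for DefectDojo-style findings.

Added example for this issue, not DefectDojo code. The input format
({"findings": [...]}) and field allowlist are assumptions; the key names
mirror common attributes of the DefectDojo Finding model.
"""
import json
from datetime import date
from typing import Any, Dict, List

SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")

# Allowlist of attributes an untrusted report may set, with the expected JSON
# type. Keys not listed here (e.g. "reporter", "test", any foreign key) are
# silently dropped so a crafted report cannot mass-assign model fields.
ALLOWED_FIELDS = {
    "title": str, "description": str, "severity": str, "date": str,
    "cwe": int, "cve": str, "cvssv3": str, "file_path": str, "line": int,
    "mitigation": str, "impact": str, "references": str,
    "unique_id_from_tool": str, "active": bool, "verified": bool,
    "false_p": bool, "duplicate": bool, "static_finding": bool,
    "dynamic_finding": bool, "endpoints": list,
}
REQUIRED_FIELDS = ("title", "severity")


def _normalize(raw: Any, idx: int) -> Dict[str, Any]:
    """Validate one finding object and return only allowlisted, typed keys."""
    if not isinstance(raw, dict):
        raise ValueError(f"findings[{idx}] is not a JSON object")
    missing = [k for k in REQUIRED_FIELDS if k not in raw]
    if missing:
        raise ValueError(f"findings[{idx}] is missing required keys {missing}")
    out: Dict[str, Any] = {}
    for key, value in raw.items():
        expected = ALLOWED_FIELDS.get(key)
        if expected is None:
            continue  # unknown or forbidden attribute: ignore it
        # bool is a subclass of int in Python, so reject True/False for int fields
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            raise ValueError(f"findings[{idx}].{key}: expected {expected.__name__}")
        out[key] = value
    # Normalise severity to DefectDojo's fixed vocabulary.
    sev = out["severity"].strip().capitalize()
    if sev == "Informational":
        sev = "Info"
    if sev not in SEVERITIES:
        raise ValueError(f"findings[{idx}].severity: unknown value {out['severity']!r}")
    out["severity"] = sev
    if "date" in out:
        out["date"] = date.fromisoformat(out["date"])  # raises on malformed dates
    if "endpoints" in out and not all(isinstance(e, str) for e in out["endpoints"]):
        raise ValueError(f"findings[{idx}].endpoints: every entry must be a string")
    out.setdefault("description", "")
    out.setdefault("active", True)
    out.setdefault("verified", False)
    return out


def load_findings(text: str) -> List[Dict[str, Any]]:
    """Parse a generic JSON report into a list of Finding-like dicts.

    Duplicates inside one report are collapsed on unique_id_from_tool when the
    exporter provides it, otherwise on (title, file_path, line).
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("findings"), list):
        raise ValueError("expected a JSON object with a 'findings' list")
    findings: List[Dict[str, Any]] = []
    seen = set()
    for idx, raw in enumerate(doc["findings"]):
        finding = _normalize(raw, idx)
        key = finding.get("unique_id_from_tool") or (
            finding["title"], finding.get("file_path"), finding.get("line"))
        if key in seen:
            continue
        seen.add(key)
        findings.append(finding)
    return findings


# Constructed sample report (not a real scanner export): one SAST finding that
# also tries to set "reporter", a duplicate of it, and one DAST finding.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"title": "SQL injection in search", "severity": "HIGH", "cwe": 89,
         "file_path": "app/search.py", "line": 42, "static_finding": True,
         "unique_id_from_tool": "F-1", "reporter": 1},
        {"title": "SQL injection in search", "severity": "high", "cwe": 89,
         "file_path": "app/search.py", "line": 42, "unique_id_from_tool": "F-1"},
        {"title": "Missing HSTS header", "severity": "low", "date": "2021-03-01",
         "dynamic_finding": True, "endpoints": ["https://app.example/api/login"]},
    ]
})

if __name__ == "__main__":
    for f in load_findings(SAMPLE_REPORT):
        print(f["severity"], f["title"], sorted(f))
```

Running the block on the constructed report yields two findings: the duplicate "F-1" entry is dropped, the "reporter" key never reaches the result, and severities come back as "High" and "Low". Rejecting unknown severities and malformed dates with an exception, rather than defaulting them, keeps a broken exporter from silently importing findings with the wrong priority.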
Related issue / depends on: https://github.com/DefectDojo/django-DefectDojo/issues/3797
Sample File