Open joergsesterhenn opened 4 years ago
Dependency-Track has a findings API which does this. All APIs have swagger docs.
The findings API is a subset of what's documented here: https://docs.dependencytrack.org/integrations/file-formats/
This only provides vulnerability data however. It does not provide insight into other types of risk. There are other APIs that do that.
You'll find that Dependency-Track has more API capabilities than what's exposed in the UI. So whatever you can do in the UI, you can do via REST and then some.
Provide an API that supports using dependency-track findings together with findings from other sources in a standard way like grafeas.
This statement can be interpreted in a few ways. There are no plans to add ingestion of findings from other tools into Dependency-Track. We previously did that with Dependency-Check, but the results were less than ideal. That functionality was removed. There are also plenty of open source and commercial tools which perform vulnerability aggregation, normalization, and deduplication. Dependency-Track already integrates with several of them.
Dependency-Track itself has an API-first design. The data in Dependency-Track is designed to be easily accessible from other systems.
Grafeas is an attempt to consolidate findings of many sources in a common standard format. https://cloud.google.com/blog/products/gcp/introducing-grafeas-open-source-api- https://grafeas.io/
Current Behavior:
Findings can only be handled within Dependency-Track.
Proposed Behavior:
Provide an API that supports using dependency-track findings together with findings from other sources in a standard way like grafeas.
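A sketch of how the two sides of this thread can already meet, added here as an example and not code from the Dependency-Track project or from anyone in this issue: pull the per-project findings export that the replies describe, normalize it next to a second scanner's output, and merge the two on (package URL, vulnerability id) so triage decisions recorded in Dependency-Track are not lost. The export path, the X-Api-Key header and the Finding Packaging Format field names are assumptions from my reading of the linked docs, not confirmed by the thread; both sample documents and the "other-scanner" source are constructed.

```python
"""Merge a Dependency-Track findings export with findings from another tool.

Added example; not part of Dependency-Track. Endpoint path, API-key header and
FPF field names are assumptions. Sample data is constructed.
"""
import json
import urllib.request
from dataclasses import dataclass, asdict

# Constructed sample modelled on the Finding Packaging Format (FPF) layout as I
# understand it. Field names are an assumption; CVE ids are placeholders.
SAMPLE_FPF = json.dumps({
    "version": "1.2",
    "meta": {"application": "Dependency-Track", "baseUrl": "https://dtrack.example"},
    "project": {"uuid": "00000000-0000-0000-0000-000000000001", "name": "demo", "version": "1.0"},
    "findings": [
        {"component": {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.14.1",
                       "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
         "vulnerability": {"source": "NVD", "vulnId": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "cweId": 502},
         "analysis": {"state": "EXPLOITABLE", "isSuppressed": False}},
        {"component": {"name": "jackson-databind", "group": "com.fasterxml.jackson.core", "version": "2.9.8",
                       "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.8"},
         "vulnerability": {"source": "NVD", "vulnId": "CVE-EXAMPLE-0002", "severity": "HIGH", "cweId": 502},
         "analysis": {"state": "NOT_AFFECTED", "isSuppressed": True}},
    ],
})

# Constructed output of a hypothetical second scanner with its own field names.
SAMPLE_OTHER_SCANNER = [
    {"package": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "cve": "CVE-EXAMPLE-0001", "level": "critical"},
    {"package": "pkg:deb/debian/openssl@1.1.1k-1", "cve": "CVE-EXAMPLE-0003", "level": "medium"},
]

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNASSIGNED": 0}


@dataclass
class Finding:
    """Tool-neutral finding: the common shape both sources are mapped onto."""
    package: str        # package URL where available, else name@version
    vuln_id: str
    severity: str       # upper-cased label, compared via SEVERITY_RANK
    suppressed: bool    # triage decision carried over from Dependency-Track analysis
    seen_by: list       # which tools reported this (package, vuln_id) pair


def fetch_fpf(base_url, project_uuid, api_key):
    """Download the FPF export for one project (path and header are assumptions)."""
    req = urllib.request.Request(
        f"{base_url}/api/v1/finding/project/{project_uuid}/export",
        headers={"X-Api-Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def from_fpf(doc):
    """Map FPF findings (component + vulnerability + analysis) onto Finding."""
    out = []
    for f in doc["findings"]:
        comp, vuln, analysis = f["component"], f["vulnerability"], f.get("analysis", {})
        out.append(Finding(
            package=comp.get("purl") or f"{comp['name']}@{comp['version']}",
            vuln_id=vuln["vulnId"],
            severity=vuln.get("severity", "UNASSIGNED").upper(),
            suppressed=bool(analysis.get("isSuppressed", False)),
            seen_by=["dependency-track"]))
    return out


def from_other_scanner(rows):
    """Map the hypothetical scanner's rows onto Finding; it carries no triage state."""
    return [Finding(package=r["package"], vuln_id=r["cve"], severity=r["level"].upper(),
                    suppressed=False, seen_by=["other-scanner"]) for r in rows]


def merge(*sources):
    """Deduplicate on (package, vuln_id); keep the highest severity and any suppression."""
    merged = {}
    for findings in sources:
        for f in findings:
            key = (f.package, f.vuln_id)
            if key not in merged:
                merged[key] = Finding(**asdict(f))  # copy so inputs are not mutated
                continue
            cur = merged[key]
            cur.seen_by = sorted(set(cur.seen_by) | set(f.seen_by))
            if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(cur.severity, 0):
                cur.severity = f.severity
            # A suppression recorded by any source survives the merge, so analyst
            # decisions made in Dependency-Track are not reopened by a second tool.
            cur.suppressed = cur.suppressed or f.suppressed
    return sorted(merged.values(),
                  key=lambda x: (-SEVERITY_RANK.get(x.severity, 0), x.package, x.vuln_id))


def open_findings(findings):
    """Findings still needing attention after triage state is applied."""
    return [f for f in findings if not f.suppressed]


if __name__ == "__main__":
    merged = merge(from_fpf(json.loads(SAMPLE_FPF)), from_other_scanner(SAMPLE_OTHER_SCANNER))
    for f in open_findings(merged):
        print(f.severity, f.vuln_id, f.package, ",".join(f.seen_by))
```

The merge key is the package URL rather than name and version, because that is the one identifier both Dependency-Track and most other scanners can emit unambiguously; where a source lacks a purl the fallback name@version string will not collapse against a purl from the other source, which is the safer failure (a duplicate row rather than a silently merged mismatch).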