Open Amndeep7 opened 1 week ago
agreed -- we should capture a JSON schema in the same way we do in syft. Specifically we should start adding automation on generating the schema from go structs, detect when the schema is changing on each PR, and closely control the package metadata struct names.
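One way to do what the comment above describes, as an added example that is not grype's or syft's own code: derive a JSON schema from the output structs with reflection, then compare a freshly generated schema against the one committed in the repo so a PR that changes the output format fails the check. The `Document`, `Match`, `Vulnerability` and `Artifact` types here are simplified stand-ins for a scanner's output model, not the real grype types, and the schema subset emitted (`type`, `properties`, `required`, `items`, `additionalProperties`) is what this small generator supports; pointers are treated as their element type and embedded structs are not flattened.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Illustrative stand-ins for an output model (assumed for this example,
// not grype's real structs).
type Vulnerability struct {
	ID       string   `json:"id"`
	Severity string   `json:"severity"`
	URLs     []string `json:"urls,omitempty"`
}

type Artifact struct {
	Name     string            `json:"name"`
	Version  string            `json:"version"`
	Metadata map[string]string `json:"metadata,omitempty"`
}

type Match struct {
	Vulnerability Vulnerability `json:"vulnerability"`
	Artifact      Artifact      `json:"artifact"`
}

type Document struct {
	Matches []Match `json:"matches"`
}

// Schema is the subset of JSON Schema this generator emits.
type Schema struct {
	Type                 string             `json:"type,omitempty"`
	Properties           map[string]*Schema `json:"properties,omitempty"`
	Required             []string           `json:"required,omitempty"`
	Items                *Schema            `json:"items,omitempty"`
	AdditionalProperties *Schema            `json:"additionalProperties,omitempty"`
}

// SchemaFor walks a Go type with reflection and builds a schema that honours
// `json:"name,omitempty"` tags; fields without omitempty become required.
func SchemaFor(t reflect.Type) *Schema { return schemaFor(t, map[reflect.Type]bool{}) }

func schemaFor(t reflect.Type, onStack map[reflect.Type]bool) *Schema {
	switch t.Kind() {
	case reflect.Ptr:
		return schemaFor(t.Elem(), onStack) // null is not modelled
	case reflect.String:
		return &Schema{Type: "string"}
	case reflect.Bool:
		return &Schema{Type: "boolean"}
	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
		reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
		return &Schema{Type: "integer"}
	case reflect.Float32, reflect.Float64:
		return &Schema{Type: "number"}
	case reflect.Slice, reflect.Array:
		return &Schema{Type: "array", Items: schemaFor(t.Elem(), onStack)}
	case reflect.Map:
		return &Schema{Type: "object", AdditionalProperties: schemaFor(t.Elem(), onStack)}
	case reflect.Struct:
		if onStack[t] {
			return &Schema{} // self-referential type: accept anything instead of looping
		}
		onStack[t] = true
		defer delete(onStack, t)
		s := &Schema{Type: "object", Properties: map[string]*Schema{}}
		for i := 0; i < t.NumField(); i++ {
			f := t.Field(i)
			if f.PkgPath != "" { // unexported: encoding/json skips it, so do we
				continue
			}
			name, opts, _ := strings.Cut(f.Tag.Get("json"), ",")
			if name == "-" {
				continue
			}
			if name == "" {
				name = f.Name
			}
			s.Properties[name] = schemaFor(f.Type, onStack)
			if !strings.Contains(opts, "omitempty") {
				s.Required = append(s.Required, name)
			}
		}
		sort.Strings(s.Required) // deterministic output for fingerprinting
		return s
	default:
		return &Schema{} // interface{} and anything else: unconstrained
	}
}

// Fingerprint hashes the canonical encoding (encoding/json sorts map keys,
// Required is sorted above), so equal schemas give equal fingerprints.
func Fingerprint(s *Schema) string {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err) // Schema only contains marshalable fields
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CheckCommittedSchema is the PR gate: regenerate from the current structs and
// compare with the schema file committed in the repo. drifted == true means
// the output format changed without the schema being updated and versioned.
func CheckCommittedSchema(committed []byte, t reflect.Type) (drifted bool, err error) {
	var old Schema
	if err := json.Unmarshal(committed, &old); err != nil {
		return false, fmt.Errorf("committed schema is not valid JSON schema: %w", err)
	}
	return Fingerprint(&old) != Fingerprint(SchemaFor(t)), nil
}

func main() {
	s := SchemaFor(reflect.TypeOf(Document{}))
	out, _ := json.MarshalIndent(s, "", "  ")
	fmt.Println(string(out))
	committed, _ := json.Marshal(s) // stands in for the file checked into git
	type DocumentNext struct {      // a PR adding a top-level field
		Matches []Match `json:"matches"`
		Source  string  `json:"source"`
	}
	d1, _ := CheckCommittedSchema(committed, reflect.TypeOf(Document{}))
	d2, _ := CheckCommittedSchema(committed, reflect.TypeOf(DocumentNext{}))
	fmt.Println("drift unchanged:", d1, "drift after new field:", d2)
}
```

In CI the committed schema would be read from the repo and a drift result of `true` would fail the job, forcing the author to regenerate the schema file and bump its version in the same PR.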
What would you like to be added:
A formal schema for the Grype output format.
Why is this needed:
The MITRE Security Automation Framework (https://saf.mitre.org) has made an integration between the Grype output format and our tools and libraries. The primary integration is a converter that can take the Grype output format and normalize it into our Oasis Heimdall Data Format (OHDF).
https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/src/anchore-grype-mapper.ts
https://github.com/mitre/saf?tab=readme-ov-file#anchore-grype-to-hdf
We have created this integration via empirical testing and reading through the Grype source code; however, we'd like to improve the mapping and make sure that it is comprehensive in scope. In order to do this, we need a schema for the output format.
Additional context:
A sample Grype results file: https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/sample_jsons/anchore_grype_mapper/sample_input_report/anchore_grype.json
Those same results normalized into OHDF: https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/sample_jsons/anchore_grype_mapper/anchore-grype-hdf.json
Some screenshots of those results loaded into Heimdall, our security results visualization application: