The Common Security Advisory Framework Version 2.0 is now an approved specification in the industry. Details about the specification can be found at: https://csaf.io and https://docs.oasis-open.org/csaf/csaf/v2.0/cs01/csaf-v2.0-cs01.html
CSAF is a language to exchange Security Advisories formulated in JSON. CSAF v2.0 is the definitive reference for the language, which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. It also supports "Vulnerability Exploitability eXchange" (VEX) profiles to associate security vulnerability advisories with software bill of materials (SBOMs). The SBOMs can be either in SPDX, CycloneDX, or SWID formats.
This issue is to humbly request the support of CSAF as an option for the output/report of the tool.
@santosomar thanks so much for the links and info surrounding CSAF v2.0. Currently, we don't have plans to add this format to grype but welcome a PR for anyone who has some extra cycles 🙏!
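For anyone weighing this request, here is an added example (not grype code and not from the CSAF project) of what a scanner emitting CSAF in the VEX profile would have to produce: it builds a minimal `csaf_vex` document from constructed scanner-style findings and then checks the profile's mandatory pieces. Field names and the `flags[].label` values come from the CSAF v2.0 schema; the finding dict shape, the publisher namespace, the tracking id, the package/version values and the status mapping are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Allowed `flags[].label` values in the CSAF v2.0 schema; the VEX profile needs
# one of these (or an impact statement) for every known_not_affected product.
VEX_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary", "inline_mitigations_already_exist",
}
# Scanner-style status (assumed shape) -> CSAF product_status group.
STATUS_TO_CSAF = {"affected": "known_affected", "not_affected": "known_not_affected",
                  "fixed": "fixed", "under_investigation": "under_investigation"}

# Constructed findings in an assumed shape (not grype's match format).
SAMPLE_FINDINGS = [
    {"package": "log4j-core", "version": "2.14.1", "cve": "CVE-2021-44228", "status": "affected"},
    {"package": "log4j-core", "version": "2.17.1", "cve": "CVE-2021-44228", "status": "fixed"},
    {"package": "example-app", "version": "3.0.0", "cve": "CVE-2021-44228",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
]


def product_id(f):
    return f"{f['package']}@{f['version']}"


def build_csaf_vex(findings, tracking_id="example-vex-0001",
                   publisher_ns="https://example.invalid/scanner", now=None):
    """Return a dict laid out as a CSAF v2.0 document in the csaf_vex profile."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    # product_tree: a product_name branch per package, a product_version leaf per version
    by_pkg = {}
    for f in findings:
        pid = product_id(f)
        by_pkg.setdefault(f["package"], {})[pid] = {
            "category": "product_version", "name": f["version"],
            "product": {"name": pid, "product_id": pid}}
    product_tree = {"branches": [
        {"category": "product_name", "name": pkg, "branches": list(vers.values())}
        for pkg, vers in by_pkg.items()]}
    # vulnerabilities: one entry per CVE, each product in exactly one status group
    vulns = {}
    for f in findings:
        v = vulns.setdefault(f["cve"], {"cve": f["cve"], "product_status": {}})
        v["product_status"].setdefault(STATUS_TO_CSAF[f["status"]], []).append(product_id(f))
        if f["status"] == "not_affected":  # VEX: a not-affected claim must be justified
            v.setdefault("flags", []).append(
                {"label": f.get("justification", ""), "product_ids": [product_id(f)]})
    return {
        "document": {
            "category": "csaf_vex", "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": "example scanner", "namespace": publisher_ns},
            "title": f"VEX statements {tracking_id}",
            "tracking": {"id": tracking_id, "status": "final", "version": "1",
                         "initial_release_date": stamp, "current_release_date": stamp,
                         "revision_history": [{"date": stamp, "number": "1", "summary": "Initial version"}]},
        },
        "product_tree": product_tree,
        "vulnerabilities": list(vulns.values()),
    }


def check_vex_profile(doc):
    """List csaf_vex violations (empty = passes): category, non-empty product_status,
    product_ids resolvable in product_tree, no product in two status groups, and a
    justification flag per known_not_affected product (a `threats` impact statement
    would also satisfy the spec but is not modelled here)."""
    problems = []
    if doc.get("document", {}).get("category") != "csaf_vex":
        problems.append("document.category must be csaf_vex")
    known = set()

    def walk(branches):
        for b in branches:
            if "product" in b:
                known.add(b["product"]["product_id"])
            walk(b.get("branches", []))
    walk(doc.get("product_tree", {}).get("branches", []))
    for v in doc.get("vulnerabilities", []):
        name = v.get("cve", "<no cve>")
        status = v.get("product_status", {})
        if not status:
            problems.append(f"{name}: product_status is empty")
        seen = {}
        for group, pids in status.items():
            for pid in pids:
                if pid not in known:
                    problems.append(f"{name}: {pid} is not in product_tree")
                if pid in seen:
                    problems.append(f"{name}: {pid} is in both {seen[pid]} and {group}")
                seen[pid] = group
        justified = {pid for fl in v.get("flags", []) if fl.get("label") in VEX_JUSTIFICATIONS
                     for pid in fl.get("product_ids", [])}
        for pid in status.get("known_not_affected", []):
            if pid not in justified:
                problems.append(f"{name}: {pid} known_not_affected without justification")
    return problems


if __name__ == "__main__":
    doc = build_csaf_vex(SAMPLE_FINDINGS)
    print(json.dumps(doc, indent=2))
    print("profile check:", check_vex_profile(doc) or "ok")
```

The check is the part worth keeping in mind for a real implementation: a plain "affected/fixed" match list maps onto `product_status` easily, but the VEX profile also demands that every `known_not_affected` product carry a justification and that no product appears in contradicting status groups, so any scanner output that wants to count as valid CSAF VEX needs that extra metadata, not just a different serializer.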