Open woodsonmiles opened 2 years ago
Would be very nice to have Grype reports integrated into Sonarqube.
@woodsonmiles thanks so much for filing the issue - we're currently working on updating the quality of grype's matching, so we don't have much time for new standards to be added, but if you are willing to contribute a patch I would have time to work on it with you in some way and make sure your PR is reviewed and working for the main branch.
I'd like to give this a try. If there's no objections and I don't get stuck (fingers crossed!), will put up a draft PR on the heimdall repository.
What would you like to be added: Converter from Grype to MITRE's Heimdall Data Format (HDF). MITRE Security Automation Framework (SAF) has a well-defined process for building converters. Likely, the best way to integrate would be to build a grype-to-heimdall file converter as a pull request in the MITRE SAF repo. This may be out of scope for you guys, but I thought I would at least bring it to your attention.
Please see the feature request for this in the MITRE SAF project.
Why is this needed: One major barrier to security automation is having multiple security tools that do not use a common format for representing security data. MITRE SAF uses HDF as a common format to represent normalized security data. It currently integrates with many popular tools such as Trivy, Tenable Nessus, Burp Suite, SonarQube, and Fortify. HDF files can be visualized in the Heimdall tool.
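As an added illustration of the normalization this request describes, and not code from grype or from the MITRE SAF project: the sketch below maps grype's `-o json` output (`matches[].vulnerability` / `matches[].artifact`) onto an HDF-shaped document. The HDF field names used here (`profiles` / `controls` / `results`, a 0.0-1.0 `impact`, a result `status`) and the severity-to-impact table are assumptions to be checked against the SAF converter documentation before anything is submitted as a real converter; the sample report and its vulnerability ids are constructed placeholders.

```python
"""Example grype JSON -> HDF-shaped mapping (illustration only; not grype's or
MITRE SAF's code). HDF field names and the severity table are assumptions."""
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# Assumed severity -> HDF impact mapping (impact is a float in [0.0, 1.0]).
SEVERITY_IMPACT = {
    "critical": 0.9,
    "high": 0.7,
    "medium": 0.5,
    "low": 0.3,
    "negligible": 0.0,
    "unknown": 0.0,
}

# Constructed sample of grype JSON output, trimmed to the fields used here.
# Ids are placeholders, not real vulnerabilities.
SAMPLE_GRYPE_JSON = json.dumps({
    "descriptor": {"name": "grype", "version": "0.0.0-example"},
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "description": "placeholder high finding",
                           "dataSource": "https://example.invalid/CVE-0000-0001"},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        # Same vulnerability id hitting a second package: should be one
        # control with two results, not two controls.
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "description": "placeholder high finding",
                           "dataSource": "https://example.invalid/CVE-0000-0001"},
         "artifact": {"name": "libexample-dev", "version": "1.2.3", "type": "deb"}},
        # Severity grype could not determine: keep it, impact 0.0.
        {"vulnerability": {"id": "GHSA-0000-0000-0000", "severity": "Unknown",
                           "description": "placeholder unrated finding"},
         "artifact": {"name": "somepkg", "version": "0.1.0", "type": "python"}},
    ],
})


def impact_for(severity: Optional[str]) -> float:
    """Map grype's severity string onto an HDF impact; unrecognized -> 0.0."""
    return SEVERITY_IMPACT.get((severity or "").strip().lower(), 0.0)


def grype_to_hdf(grype_json: str, scanned_at: Optional[str] = None) -> dict:
    """Convert a grype JSON report into an HDF-shaped dict.

    One control per distinct vulnerability id; one 'failed' result per
    affected artifact. grype only emits matches, so every result fails; a
    'passed' status would have to come from elsewhere (e.g. an ignore rule).
    """
    report = json.loads(grype_json)
    start_time = scanned_at or datetime.now(timezone.utc).isoformat()
    controls: Dict[str, dict] = {}
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        art = match.get("artifact", {})
        vid = vuln.get("id") or "UNKNOWN"
        ctrl = controls.setdefault(vid, {
            "id": vid,
            "title": vid,
            "desc": vuln.get("description") or "",
            "impact": impact_for(vuln.get("severity")),
            "refs": ([{"url": vuln["dataSource"]}] if vuln.get("dataSource") else []),
            "tags": {"severity": vuln.get("severity") or "Unknown"},
            "results": [],
        })
        ctrl["results"].append({
            "status": "failed",
            "code_desc": "{}@{} ({}) is affected by {}".format(
                art.get("name"), art.get("version"), art.get("type"), vid),
            "start_time": start_time,
        })
    descriptor = report.get("descriptor", {})
    return {
        "platform": {"name": "Heimdall Tools", "release": "grype-example"},
        "version": descriptor.get("version", "unknown"),
        "statistics": {"duration": 0},
        "profiles": [{
            "name": "Grype Scan",
            "title": "Grype vulnerability scan",
            "version": descriptor.get("version", "unknown"),
            "controls": list(controls.values()),
        }],
    }


if __name__ == "__main__":
    print(json.dumps(grype_to_hdf(SAMPLE_GRYPE_JSON), indent=2))
```

The two points worth carrying into a real converter are the grouping (one control per vulnerability id, results per affected artifact, so a CVE present in several packages is not counted several times) and the explicit handling of severities grype reports as Unknown, which would otherwise silently vanish or be rated as high.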