dep-scan
Feature: 1. more complete report in json and cyclonedx-json. 2. error when getting an SBOM from trivy or syft.
Request Description
- At the moment, as far as I know, depscan can generate reports only in html and json, but this json is not complete and doesn't have all the information that exists in the html, for example the priority of remediation, or the known exploited vulnerabilities. It would be nice if we could get a report in json format that contains all this information so we can parse it.
- I noticed that some SBOMs from trivy and syft might be missing some keys in their components, like 'version' or 'purl', and if they are missing depscan will fail. Is it possible to ignore those components?
Additional Information
No response
For 1, can you check the .vdr.json file? It must have everything that is printed under the vulnerabilities attribute. For 2, can you attach a sample so we can guide you towards sending a PR?
For 2:
- trivy-sbom.json - this is a trivy SBOM that gives KeyError: 'purl'
- bom-source-trivy.json - this is a trivy SBOM that gives KeyError: 'version'
depscan --bom bom-source-trivy.json
@almaz045 Thank you. Would you like to become a contributor? To resolve a KeyError in python we have to replace the bracket-based lookup ["purl"] with .get("purl"). Wrap it in an if condition to handle None.
Yes, of course. Should I do the same thing for the KeyError with 'version'? Or after fixing purl will the problem with the KeyError for 'version' also disappear?
@almaz045 With both, please, like .get("purl", "") and .get("version", ""). Thank you!
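The two comments above describe the fix in words; the following is an added example (written for this page, not dep-scan's own code or the code in the PR) that shows the failing bracket lookup next to the tolerant .get() version on a constructed CycloneDX-style BOM. The SBOM embedded in the block is made up to reproduce the two shapes reported in the issue (a component with no "purl" and one with no "version"); it is not one of the attached files, and the function names are arbitrary.

```python
import json

# Constructed sample, not the attached trivy-sbom.json / bom-source-trivy.json:
# a CycloneDX-style BOM in which components are missing "purl" and/or "version".
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "libssl", "version": "1.1.1n"},       # no purl
        {"type": "library", "name": "alpine-baselayout",
         "purl": "pkg:apk/alpine/alpine-baselayout"},                      # no version
        {"type": "operating-system", "name": "alpine"},                    # neither key
    ],
})


def load_sample_bom():
    """Parse the constructed BOM the way a tool would parse a --bom file."""
    return json.loads(SAMPLE_BOM_JSON)


def collect_packages_strict(bom):
    """The failing pattern: c["purl"] / c["version"] raise KeyError when absent."""
    return [(c["purl"], c["version"]) for c in bom.get("components", [])]


def strict_lookup_fails(bom):
    """Return the missing key name the strict version trips over, or None."""
    try:
        collect_packages_strict(bom)
        return None
    except KeyError as exc:
        return exc.args[0]


def collect_packages(bom):
    """Tolerant pattern suggested in the thread: .get() with "" as default,
    then an if condition that skips what cannot be used.

    A component without a purl cannot be matched against a vulnerability
    source, so it is skipped and its name recorded; a missing version is
    kept as "" so the caller can still see the package and decide.
    """
    packages = []
    skipped = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        version = comp.get("version", "")
        if not purl:
            skipped.append(comp.get("name", "<unnamed>"))
            continue
        packages.append((purl, version))
    return packages, skipped


if __name__ == "__main__":
    bom = load_sample_bom()
    print("strict lookup fails on key:", strict_lookup_fails(bom))
    packages, skipped = collect_packages(bom)
    for purl, version in packages:
        print(f"scan {purl} version={version or '<none>'}")
    print("skipped (no purl):", skipped)
```

Skipping silently would hide gaps in coverage, so the tolerant version returns the skipped component names alongside the usable packages; a scanner would normally log them so the user knows which SBOM entries were not checked.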
@prabhu https://github.com/owasp-dep-scan/dep-scan/pull/261 PR :)