rm-hull / nvd-clojure

National Vulnerability Database dependency checker for Clojure projects
MIT License
273 stars 35 forks

Output a sarif file #139

Closed piotr-yuxuan closed 2 years ago

piotr-yuxuan commented 2 years ago

Hello, thanks for this great project! I recently stumbled upon sarif files that may be uploaded to GitHub to integrate with their security features. Do you think you might consider adding support for it, or would you consider a PR about that? :-)

https://github.com/microsoft/sarif-tutorials/blob/main/docs/1-Introduction.md

vemv commented 2 years ago

Hi, thanks for the issue! TIL about sarif.

nvd-clojure is based on DependencyCheck, which already supports sarif: https://github.com/jeremylong/DependencyCheck/pull/3083/files

(there may be a better documentation link)

PR welcome for implementing an option that emits a sarif file instead of an html report. A minimal one is OK, I could take it from there.

piotr-yuxuan commented 2 years ago

We all learnt about sarif today ^_^ I've been playing with https://github.com/aquasecurity/trivy-action and it doesn't detect exactly the same Clojure vulnerabilities, which is interesting :-)

vemv commented 2 years ago

PRs most welcome, other than that I'll close the issue since I only keep them open for things that we plan to implement.

antonmos commented 2 years ago

For posterity - it turns out that nvd-clojure already outputs a sarif report - by default, it writes out all of the formats supported by DependencyCheck.