Hi folks,
Currently the JSON output of Grype includes useful metadata missing from the CycloneDX JSON format, namely:
- is fix available for the package
- was the match direct or indirect (based on package name or upstream name)
In the JSON format this can be found in the vulnerability.fix and .matchDetails fields of a match. In CycloneDX JSON format, custom metadata can be added to the properties field (Syft makes use of this to store e.g. syft:package:type).
So I want to ask how you feel about adding this metadata to Grype’s CycloneDX output. The metadata must contain strings only, so structured output could be stringified. I want to hear your thoughts on this change.
I think adding information to help consumers would be valuable. About the specifics: I think the fix version could be inferred from the vulnerable range(s) if we added that; would that work? I realize this might require a bit of parsing, but we also might have multiple fix versions, so outputting these would similarly require at least some processing to split a list or collect multiple property entries.
Regarding direct vs indirect, I don’t see a more appropriate spot for this in the CycloneDX model. One of the things I’m interested to understand is what the best representation of the match details is; I’d like to understand why you specifically asked about this property and not other match details.
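Added example (editor's code, not Grype's and not either poster's) illustrating both points in the thread: the first post's mapping of vulnerability.fix and matchDetails onto string-only CycloneDX properties, and the reply's question of how a consumer deals with multiple fix versions (here: one property entry per version, collected back into a list on the consumer side). The Grype JSON field names (vulnerability.fix.state, vulnerability.fix.versions, matchDetails[].type with values such as exact-direct-match / exact-indirect-match) are assumed from Grype's JSON output; the property names under the grype: prefix and the sample match are hypothetical and constructed for the example.

```python
"""Map fix and match-details metadata from a Grype JSON match onto
CycloneDX ``properties`` entries (name/value string pairs), and read them
back on the consumer side. Example code, not part of Grype."""
import json

# Constructed sample: a cut-down Grype JSON match. Field names are assumed
# from Grype's JSON output; the values are made up for this example.
SAMPLE_MATCH = {
    "vulnerability": {
        "fix": {"versions": ["1.2.4", "1.3.0"], "state": "fixed"},
    },
    "matchDetails": [
        {"type": "exact-direct-match", "matcher": "python-matcher",
         "searchedBy": {"namespace": "nvd"}},
        {"type": "exact-indirect-match", "matcher": "python-matcher",
         "searchedBy": {"namespace": "github:language:python"}},
    ],
}

# Hypothetical property namespace, modelled on Syft's "syft:package:type".
PREFIX = "grype:"
DIRECT, INDIRECT = "exact-direct-match", "exact-indirect-match"


def match_kind(match):
    """Summarise matchDetails as 'direct', 'indirect' or 'unknown'.

    A match can carry several details; one direct hit is enough to call
    the whole match direct."""
    types = {d.get("type", "") for d in match.get("matchDetails") or []}
    if DIRECT in types:
        return "direct"
    if INDIRECT in types:
        return "indirect"
    return "unknown"


def match_to_properties(match, prefix=PREFIX):
    """Flatten one Grype match into CycloneDX property entries.

    Every value is a string. List-valued data becomes one entry per item
    (CycloneDX allows a property name to repeat), and nested structures
    are stringified as compact JSON so a consumer can parse them back."""
    props = []
    fix = (match.get("vulnerability") or {}).get("fix") or {}
    if fix.get("state"):
        props.append({"name": f"{prefix}fix:state", "value": str(fix["state"])})
    for version in fix.get("versions") or []:
        props.append({"name": f"{prefix}fix:version", "value": str(version)})
    props.append({"name": f"{prefix}match:kind", "value": match_kind(match)})
    for detail in match.get("matchDetails") or []:
        props.append({"name": f"{prefix}match:detail",
                      "value": json.dumps(detail, sort_keys=True,
                                          separators=(",", ":"))})
    # CycloneDX property values must be strings; fail loudly rather than
    # emit an invalid document.
    assert all(isinstance(p["value"], str) for p in props)
    return props


def group_properties(props):
    """Consumer side: collect repeated property names back into lists."""
    grouped = {}
    for p in props:
        grouped.setdefault(p["name"], []).append(p["value"])
    return grouped


def fix_available(props, prefix=PREFIX):
    """Consumer-side check: is at least one fix version recorded?"""
    return bool(group_properties(props).get(f"{prefix}fix:version"))


if __name__ == "__main__":
    props = match_to_properties(SAMPLE_MATCH)
    print(json.dumps(props, indent=2))
    print("fix available:", fix_available(props))
```

The repeated-name approach keeps each value atomic, so a consumer never has to guess a delimiter; the only parsing left is json.loads on the stringified match detail, which is what the thread's "stringify structured output" suggestion implies anyway.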