django-DefectDojo
Bring back PyUp Safety Importer
PyUp Safety appears to have been handled by DefectDojo at one point in time. Refer to Issue 1754.
Not sure why this was removed, as with our current implementation I have to convert the report to another format, like GitLab SAST to be able to import it into DefectDojo.
@matamorphosis thanks for surfacing this. We are currently trying to work with the DefectDojo team to re-implement this. Our new Safety v2.0 scanner has a new JSON output format which requires a new importer. You can read more about Safety 2.0 here: https://docs.pyup.io/docs/getting-started-with-safety-cli
In the meantime, we at PyUp are working on additional standardized output formats for Safety, such as CycloneDX and SPDX formats that you could then import into DefectDojo.
The company PyUp demanded to remove the parser due to licensing issues. @damiencarol, haven't there been some more communications recently?
Thanks for the context @StefanFl and the prompt response from @Jwomers. I am familiar with CycloneDX as part of using CDX tools for generating SBOMs + DependencyTrack to fulfil regulatory requirements as part of the same project that was the cause of me raising this issue.
It's interesting to know that more tools are adopting CycloneDX as a format, this would be preferable to using custom-built scripts to convert Safety reports to another supported format.
@matamorphosis there are discussions to see if we can add support for the Safety 2.0 JSON format. I advise switching to SARIF or CycloneDX >1.4 formats if the tool supports it. As @StefanFl said, the company PyUp asked to remove the parser explicitly, so we are waiting for the result of the new discussion.
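The conversion route suggested above (custom script from a Safety report to CycloneDX, which DefectDojo can import) as an added example; this is not code from DefectDojo or PyUp. The Safety 2.x field names read here (`vulnerabilities`, `package_name`, `analyzed_version`, `vulnerability_id`, `CVE`, `advisory`, `more_info_url`) are assumed, and the report content is constructed.

```python
import json

# Constructed sample in the assumed shape of a Safety 2.x JSON report.
# Not a real scan; ids and package are placeholders.
SAFETY_REPORT = {
    "report_meta": {"scan_target": "files", "scanned": ["requirements.txt"]},
    "vulnerabilities": [
        {
            "vulnerability_id": "PLACEHOLDER-ID-1",
            "package_name": "ExamplePkg",
            "analyzed_version": "1.0.0",
            "advisory": "Constructed advisory without a CVE.",
            "CVE": None,
            "more_info_url": "https://example.invalid/vuln/1",
        },
        {
            "vulnerability_id": "PLACEHOLDER-ID-2",
            "package_name": "ExamplePkg",
            "analyzed_version": "1.0.0",
            "advisory": "Constructed advisory with a CVE.",
            "CVE": "CVE-0000-00000",
            "more_info_url": "https://example.invalid/vuln/2",
        },
    ],
}


def safety_to_cyclonedx(report):
    """Map Safety findings to a CycloneDX 1.4 JSON BOM with a vulnerabilities section."""
    components, vulns, seen = [], [], set()
    for v in report.get("vulnerabilities", []):
        name, version = v["package_name"], v["analyzed_version"]
        ref = f"pkg:pypi/{name.lower()}@{version}"  # purl doubles as bom-ref
        if ref not in seen:  # one component per package@version, many vulns may share it
            seen.add(ref)
            components.append({"type": "library", "name": name, "version": version,
                               "purl": ref, "bom-ref": ref})
        vulns.append({
            "id": v.get("CVE") or v["vulnerability_id"],  # prefer the CVE when Safety gives one
            "source": {"name": "PyUp Safety DB", "url": v.get("more_info_url", "")},
            "description": v.get("advisory", ""),
            "affects": [{"ref": ref, "versions": [{"version": version, "status": "affected"}]}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components, "vulnerabilities": vulns}


if __name__ == "__main__":
    print(json.dumps(safety_to_cyclonedx(SAFETY_REPORT), indent=2))
```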
Is there an update or shall we close this issue?
@mtesauro fyi
It's been long enough that it's better to have someone open a new issue rather than keep this one open. Closing.