
Support for VEX Export

Open italvi opened this issue 3 years ago • 10 comments

Is your feature request related to a problem? Please describe
When sharing the mitigation information, the generated HTML report is useful for management but not useful for having a machine-readable format.

Describe the solution you'd like
As a supplier of SBOMs I would like to provide a VEX with the SBOM, so customers won't ask for every single component whether we are affected.

Describe alternatives you've considered
DependencyTrack is already providing this feature, but unfortunately it does not have the capabilities for managing vulnerabilities like DefectDojo; therefore I would prefer to have such a feature in DD.

Question: Is this a planned feature? You are already supporting the import of VEX through CycloneDX 1.4.

italvi avatar Dec 07 '22 09:12 italvi

I had some discussion with @Gby56 about this support. I don't know if somebody is working on it currently.

damiencarol avatar Dec 10 '22 12:12 damiencarol

@damiencarol and what is your opinion on that? Do you also think that this is a useful feature?

italvi avatar Dec 12 '22 14:12 italvi

yes.

damiencarol avatar Dec 12 '22 19:12 damiencarol

I just want to mention a ticket on the Dependency-Track side: https://github.com/DependencyTrack/dependency-track/issues/1926. It's also regarding syncing risk acceptance and other information back to Dependency-Track. Would be great to have a feature like this and integrate it into the VEX generated by Dependency-Track.

lme-nca avatar Sep 22 '23 12:09 lme-nca

@damiencarol, @mtesauro I just wanted to mention that we will start working on this feature. However, the question would be, whether this complies with your feature-freeze due to the v3 release?

italvi avatar Oct 20 '23 05:10 italvi

Sorry, busy week and just seeing this. Let me ask the core contributors and get back to you.

mtesauro avatar Oct 21 '23 02:10 mtesauro

@mtesauro Thanks, will wait for your feedback.

italvi avatar Oct 23 '23 05:10 italvi

Hi @mtesauro, reminder: this issue is still waiting for feedback.

manuel-sommer avatar Jan 21 '24 13:01 manuel-sommer

What is the status on this issue? Honestly, it might be a huge factor in whether or not my company will adopt Defect Dojo.

Especially syncing the triage back to Dependency Track. Whether that is automatic or via VEX import is secondary.

Sebastianmueller22 avatar Dec 02 '25 15:12 Sebastianmueller22

There are currently no plans to add SBOM or VEX support. These are more specific SCA functions that are (currently) better handled by specialized systems such as Dependency Track.

Adding a two way sync with Dependency Track would be a large task to undertake and maintain. It's already challenging to keep the two way sync with JIRA working. In Defect Dojo Pro we are using a "connector" based approach where there are modules external to Defect Dojo that implement syncs with other systems.

We could well see a community provided/maintained module that syncs between Dependency Track and Defect Dojo.

Some options that are already usable now:

  • Defect Dojo does have an API that Dependency Track could use to implement a bi-directional sync.
  • Defect Dojo also has webhook notifications that could be used to send signals to Dependency Track with updated data, or as a trigger to instruct Dependency Track to fetch new data from Defect Dojo.

valentijnscholten avatar Dec 04 '25 16:12 valentijnscholten
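The thread above asks for VEX export and the last reply points at the Defect Dojo API as the building block. The following is an added example, not code from Defect Dojo or Dependency-Track, showing what such an export looks like: finding records (constructed here, with field names assumed to mirror Defect Dojo's `/api/v2/findings/` output) are mapped to CycloneDX 1.4 `vulnerabilities[].analysis` objects, which is the part of CycloneDX that carries VEX. The triage-flag-to-state mapping, the `pkg:generic` bom-refs and the conflict rule for one CVE appearing in several findings are this example's choices.

```python
import json
from datetime import datetime, timezone

# Constructed sample findings. Field names are assumed to match Defect Dojo's
# /api/v2/findings/ results (not verified against a live instance); the CVE
# identifiers, component names and versions are invented for this example.
SAMPLE_FINDINGS = [
    {"id": 1, "title": "Deserialization flaw", "severity": "Critical",
     "vulnerability_ids": [{"vulnerability_id": "CVE-2099-0001"}],
     "component_name": "libalpha", "component_version": "1.2.3",
     "active": True, "verified": True, "false_p": False,
     "risk_accepted": False, "is_mitigated": False},
    {"id": 2, "title": "ReDoS in pattern matcher", "severity": "Medium",
     "vulnerability_ids": [{"vulnerability_id": "CVE-2099-0002"}],
     "component_name": "libbeta", "component_version": "2.0.0",
     "active": False, "verified": True, "false_p": True,
     "risk_accepted": False, "is_mitigated": False},
    {"id": 3, "title": "Path traversal in archive reader", "severity": "High",
     "vulnerability_ids": [{"vulnerability_id": "CVE-2099-0003"}],
     "component_name": "libgamma", "component_version": "0.9.1",
     "active": False, "verified": True, "false_p": False,
     "risk_accepted": True, "is_mitigated": False},
    {"id": 4, "title": "Integer overflow in decoder", "severity": "High",
     "vulnerability_ids": [{"vulnerability_id": "CVE-2099-0004"}],
     "component_name": "libdelta", "component_version": "3.1.0",
     "active": False, "verified": True, "false_p": False,
     "risk_accepted": False, "is_mitigated": True},
    # Same CVE as finding 1, but in another component and not yet verified.
    {"id": 5, "title": "Deserialization flaw", "severity": "Critical",
     "vulnerability_ids": [{"vulnerability_id": "CVE-2099-0001"}],
     "component_name": "libepsilon", "component_version": "5.0.0",
     "active": True, "verified": False, "false_p": False,
     "risk_accepted": False, "is_mitigated": False},
    # No vulnerability identifier: cannot be expressed as a VEX statement.
    {"id": 6, "title": "Hardcoded credential", "severity": "High",
     "vulnerability_ids": [], "component_name": None, "component_version": None,
     "active": True, "verified": True, "false_p": False,
     "risk_accepted": False, "is_mitigated": False},
]

# CycloneDX 1.4 analysis states ranked from most to least urgent, so that
# conflicting triage decisions for the same CVE resolve to the cautious one.
STATE_RANK = {"exploitable": 0, "in_triage": 1, "resolved": 2,
              "not_affected": 3, "false_positive": 3}


def analysis_for(finding):
    """Map Defect Dojo triage flags to a CycloneDX 1.4 'analysis' object.

    Precedence (this example's choice): false positive, then risk accepted,
    then mitigated, then verified-and-active; anything else stays in triage.
    """
    if finding.get("false_p"):
        return {"state": "false_positive",
                "detail": "Marked as false positive in Defect Dojo"}
    if finding.get("risk_accepted"):
        # Risk acceptance means the issue is real but will not be fixed.
        return {"state": "exploitable", "response": ["will_not_fix"],
                "detail": "Risk accepted in Defect Dojo"}
    if finding.get("is_mitigated"):
        return {"state": "resolved", "response": ["update"],
                "detail": "Marked as mitigated in Defect Dojo"}
    if finding.get("active") and finding.get("verified"):
        return {"state": "exploitable"}
    return {"state": "in_triage"}


def component_ref(finding):
    """bom-ref for 'affects'. A generic purl is used here; in a real export it
    must equal the bom-ref/purl of the same component in the shipped SBOM."""
    name = finding.get("component_name")
    if not name:
        return None
    version = finding.get("component_version")
    return f"pkg:generic/{name}@{version}" if version else f"pkg:generic/{name}"


def build_vex(findings, timestamp=None):
    """Return a CycloneDX 1.4 VEX document (as a dict) for the given findings."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries = {}
    for finding in findings:
        ids = [v.get("vulnerability_id") for v in finding.get("vulnerability_ids", [])]
        ids = [i for i in ids if i]
        if not ids:
            continue  # a VEX statement needs a vulnerability identifier
        analysis = analysis_for(finding)
        ref = component_ref(finding)
        for vid in ids:
            entry = entries.setdefault(vid, {"id": vid, "analysis": analysis, "affects": []})
            if STATE_RANK[analysis["state"]] < STATE_RANK[entry["analysis"]["state"]]:
                entry["analysis"] = analysis  # keep the more urgent decision
            if ref and {"ref": ref} not in entry["affects"]:
                entry["affects"].append({"ref": ref})
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "metadata": {"timestamp": ts},
            "vulnerabilities": list(entries.values())}


if __name__ == "__main__":
    print(json.dumps(build_vex(SAMPLE_FINDINGS), indent=2))
```

In a real pipeline the finding list would come from a paginated call to the findings endpoint filtered by product or engagement, and the consumer (Dependency-Track, in the thread's scenario) would import the resulting JSON next to the SBOM. The one point worth checking before shipping such a file is the `affects[].ref` values: a VEX statement whose bom-ref does not match anything in the SBOM is silently useless to the receiver.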