Create an API interface that allows users to define other analysers/sources.
Current Behavior
DT only allows hard-coded analysers and vulnerability sources. There are internal, Sonatype, VulnDB, Snyk and Trivy, for example.
At the moment you cannot connect to ones that have not been predefined.
Proposed Behavior
NVD has become a little out of date, in that they are stretched getting vulnerabilities validated, etc.
We were looking to access another, but not one of the ones already defined such as Trivy.
It is an internal one to our company and it has an API and returns the following sort of data via an API call.
I was wondering if DT was set up, or could be set up, so that you could create a new vulnerability reporting service.
E.g. the user would have a predefined set of fields that they would need to create for the call, and then map the responses back to the 'fields' that DT requires to be able to use it internally.
This could remove the limit of the current hard-coded ones. I guess it could then be made to allow this 'framework' to be exported and imported into any other DT instances to use.
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
I see this as a sub-goal of #4122 (https://github.com/DependencyTrack/vuln-db). Users wishing to integrate internal or otherwise proprietary databases would create custom importers and build their own databases using them.
Mapping of values is unfortunately not straightforward and data may be structured in various different ways across databases. Pagination and sorting will also differ. These things must be handled in actual code, rather than in a WYSIWYG-esque manner.
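To make the two positions above concrete (the requested field mapping, and the reply's point that pagination and normalisation still need code), here is an added sketch of a custom importer. It is not code from Dependency-Track or vuln-db; the feed layout, field names and `VulnRecord` schema are constructed for the example.

```python
"""Custom importer sketch: a declarative field map covers the simple renames,
while pagination and value normalisation are plain code hooks that each
source would implement differently."""
from dataclasses import dataclass, field
from typing import Any, Callable, Iterator

# Constructed sample: two pages of a hypothetical internal feed, keyed by page number.
INTERNAL_FEED_PAGES = {
    1: {"items": [{"advisory": "INT-2024-0001", "pkg": "org.example:foo",
                   "affected": "<1.2.3", "risk": "HIGH",
                   "refs": ["https://vulns.internal.example/INT-2024-0001"]}],
        "next": 2},
    2: {"items": [{"advisory": "INT-2024-0002", "pkg": "org.example:bar",
                   "affected": "<=2.0.0", "risk": "medium", "refs": []}],
        "next": None},
}

@dataclass
class VulnRecord:
    """Hypothetical common record the consuming tool expects (not DT's real schema)."""
    vuln_id: str
    package: str
    version_range: str
    severity: str
    references: list[str] = field(default_factory=list)

# The "predefined set of fields" from the issue: target field -> source key, or a
# callable when a plain rename is not enough (here: severity casing differs per item).
FIELD_MAP: dict[str, Any] = {
    "vuln_id": "advisory",
    "package": "pkg",
    "version_range": "affected",
    "severity": lambda item: item["risk"].upper(),
    "references": "refs",
}

def fetch_pages(fetch: Callable[[int], dict]) -> Iterator[dict]:
    """Pagination is source-specific, so it lives in code rather than in the map."""
    page = 1
    while page is not None:
        body = fetch(page)
        yield from body["items"]
        page = body.get("next")

def map_item(item: dict, field_map: dict[str, Any]) -> VulnRecord:
    values = {target: (src(item) if callable(src) else item[src])
              for target, src in field_map.items()}
    return VulnRecord(**values)

def import_feed(fetch: Callable[[int], dict] = INTERNAL_FEED_PAGES.__getitem__) -> list[VulnRecord]:
    """Walk every page of the feed and map each item into the common record."""
    return [map_item(item, FIELD_MAP) for item in fetch_pages(fetch)]
```

Swapping in a real source means replacing `fetch_pages` and the callables in `FIELD_MAP`, which is exactly the part that cannot be expressed as a pure key-to-key mapping.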