dep-scan
Accepting Trivy and Grype vulnerabilities for prioritization
Why can't dep-scan accept existing vulnerability data in VEX and other formats and prioritize it by understanding the application context? The key differentiating aspects of dep-scan are the CVE insights and prioritization based on usage and exploitability.
dep-scan currently happens to generate both the SBoM and the vulnerability list. If the --bom argument is provided, dep-scan skips generating the SBoM and moves on to the next step, generating the vulnerability list. A new argument, --vuln-list, could be added to accept a pre-generated list.
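The proposal above would need a step that reads scanner output and flattens it into one list before prioritization. The following is an added example of such an ingestion step, not dep-scan's own code; the Trivy and Grype report field names are assumptions, and both sample reports are constructed.

```python
"""Normalise Trivy and Grype JSON findings into one vulnerability list.

Added example, not dep-scan's own code; it sketches what a --vuln-list
step could consume. The Trivy (Results[].Vulnerabilities[]) and Grype
(matches[]) field names are assumptions; the sample reports are constructed.
"""
import json

# Constructed Trivy-style report, minimal fields only.
TRIVY_REPORT = json.dumps({"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo",
     "InstalledVersion": "1.0.0", "Severity": "HIGH"}]}]})

# Constructed Grype-style report.
GRYPE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "High"},
     "artifact": {"name": "libfoo", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "Low"},
     "artifact": {"name": "libbar", "version": "2.3.1"}}]})

def normalise(report_text):
    """Detect the scanner from the top-level keys and flatten its findings."""
    data = json.loads(report_text)
    out = []
    if "matches" in data:  # Grype shape
        for m in data["matches"]:
            out.append({"id": m["vulnerability"]["id"], "package": m["artifact"]["name"],
                        "version": m["artifact"]["version"], "source": "grype",
                        "severity": m["vulnerability"].get("severity", "UNKNOWN").upper()})
    elif "Results" in data:  # Trivy shape; Vulnerabilities may be null
        for r in data["Results"]:
            for v in r.get("Vulnerabilities") or []:
                out.append({"id": v["VulnerabilityID"], "package": v["PkgName"],
                            "version": v["InstalledVersion"], "source": "trivy",
                            "severity": v.get("Severity", "UNKNOWN").upper()})
    else:
        raise ValueError("unrecognised scanner report")
    return out

def merge(*reports):
    """Deduplicate by (id, package, version) and record which scanners reported it."""
    merged = {}
    for rep in reports:
        for f in normalise(rep):
            key = (f["id"], f["package"], f["version"])
            entry = merged.setdefault(key, {k: f[k] for k in ("id", "package", "version", "severity")})
            entry.setdefault("sources", []).append(f["source"])
    return sorted(merged.values(), key=lambda e: e["id"])
```

A finding reported by both scanners collapses to one entry whose `sources` lists both, which is the shape a later usage- and exploitability-based ranking can work from.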
Would really like to be able to ingest pre-created SBOMs. Any chance of getting this supported?
Edit: nvm, that is supported!