
make the scan results generic by using a standard JSON schema for the scanner output #38

Open
rafaeltuelho opened this issue Nov 18, 2024 · 5 comments


rafaeltuelho commented Nov 18, 2024

It seems the scanner output rendering in this component is tied to the ACS scanner output JSON format.

I see some open-source scanner tools (e.g. Trivy) using the SARIF (Static Analysis Results Interchange Format) standard [1] as one of the supported formats for the scanner report. I see ACS (roxctl) also supports this standard. So, it would be beneficial to use the SARIF JSON schema to render the output in this UI component, as it would make it generic regardless of the scanning tool being used by the pipeline.

@rohitkrai03 (Collaborator)

This sounds like a good idea. @karthikjeeyar wdyt?

@karthikjeeyar (Collaborator)

+1 for this tool-agnostic approach. I think we should provide SARIF support as well as the format we currently support, for backwards compatibility.

karthikjeeyar (Collaborator) commented Nov 19, 2024

@rafaeltuelho Do you know if the generated SARIF JSON will be identical in both tools (Trivy and ACS/roxctl)?

@rafaeltuelho (Author)

Hey all, thanks for considering this idea!
@karthikjeeyar I'm going to perform some tests and update you in this regard.

@rafaeltuelho (Author)

@karthikjeeyar, I performed a quick scan here in my local environment using both CLI tools (roxctl and trivy).

  1. ACS roxctl SARIF output: https://gist.github.com/rafaeltuelho/a60ea920b9e3cfec7ca4c7ef877946ff
  2. AquaSecurity trivy SARIF output: https://gist.github.com/rafaeltuelho/b9becd37f3bb461a7c25abcf1cbd3baa

So, both output reports use the same SARIF JSON schema, which ensures the same output structure. The CVE descriptions are slightly different because both tools use different CVE databases, which is expected.
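As an added example, not code from this issue or from the project's UI component: a small TypeScript normalizer that reads SARIF 2.1.0 from any scanner and maps each result to one tool-agnostic record for rendering. It follows the parts of the SARIF data model every producer must emit (`runs[].tool.driver`, `runs[].tool.driver.rules[]`, `runs[].results[]`) and handles the places where producers legitimately differ: a result may name its rule by `ruleId`, by `ruleIndex`, or both; `level` may be omitted (the SARIF default is `warning`); `message.text` may be absent, in which case the rule's description is the best fallback; and a container-image finding may carry no `locations`. The two SARIF documents below are constructed for this example and are not the contents of the gists above; the driver names, the CVE identifier and the package details are placeholders.

```typescript
// Added example: normalize SARIF 2.1.0 output from different scanners into a
// single record shape for a UI component. Not the project's own code.

type SarifLevel = "none" | "note" | "warning" | "error";

interface SarifRule {
  id: string;
  shortDescription?: { text: string };
  fullDescription?: { text: string };
  helpUri?: string;
}

interface SarifResult {
  ruleId?: string;
  ruleIndex?: number;
  level?: SarifLevel;
  message: { text?: string };
  locations?: { physicalLocation?: { artifactLocation?: { uri?: string } } }[];
}

interface SarifLog {
  version: string;
  runs: {
    tool: { driver: { name: string; version?: string; rules?: SarifRule[] } };
    results?: SarifResult[];
  }[];
}

// The tool-agnostic record the UI would render, regardless of which scanner ran.
interface Finding {
  tool: string;
  ruleId: string;
  level: SarifLevel;
  title: string;
  message: string;
  location: string;
  helpUri?: string;
}

function normalizeSarif(log: SarifLog): Finding[] {
  // Refuse anything that is not SARIF 2.1.0 rather than guessing at the layout.
  if (log.version !== "2.1.0") {
    throw new Error(`unsupported SARIF version: ${log.version}`);
  }
  const findings: Finding[] = [];
  for (const run of log.runs) {
    const tool = run.tool.driver.name;
    const rules = run.tool.driver.rules ?? [];
    const byId = new Map(rules.map((r) => [r.id, r] as [string, SarifRule]));
    for (const result of run.results ?? []) {
      // SARIF lets a result reference its rule by index, by id, or both.
      const rule =
        result.ruleIndex !== undefined
          ? rules[result.ruleIndex]
          : result.ruleId !== undefined
            ? byId.get(result.ruleId)
            : undefined;
      const ruleId = result.ruleId ?? rule?.id ?? "unknown";
      findings.push({
        tool,
        ruleId,
        level: result.level ?? "warning", // SARIF default when level is omitted
        title: rule?.shortDescription?.text ?? ruleId,
        message: result.message.text ?? rule?.fullDescription?.text ?? "",
        // Image scans often carry no location; render an empty string, not undefined.
        location: result.locations?.[0]?.physicalLocation?.artifactLocation?.uri ?? "",
        helpUri: rule?.helpUri,
      });
    }
  }
  return findings;
}

// Count findings per SARIF level, so a summary badge works for every tool.
function summarize(findings: Finding[]): Record<SarifLevel, number> {
  const counts: Record<SarifLevel, number> = { none: 0, note: 0, warning: 0, error: 0 };
  for (const f of findings) counts[f.level] += 1;
  return counts;
}

// Constructed sample 1: result references its rule by id and index, has a level and a location.
const TRIVY_LIKE: SarifLog = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "Trivy", rules: [{
      id: "CVE-2023-0001", // placeholder identifier, not a real finding
      shortDescription: { text: "openssl: example heap overflow" },
      helpUri: "https://example.invalid/CVE-2023-0001",
    }] } },
    results: [{
      ruleId: "CVE-2023-0001", ruleIndex: 0, level: "error",
      message: { text: "Package: openssl Installed: 1.1.1 Fixed: 1.1.1a" },
      locations: [{ physicalLocation: { artifactLocation: { uri: "usr/lib/libssl.so" } } }],
    }],
  }],
};

// Constructed sample 2: same CVE, different description, rule by index only, no level, no location.
const ROXCTL_LIKE: SarifLog = {
  version: "2.1.0",
  runs: [{
    tool: { driver: { name: "roxctl", rules: [{
      id: "CVE-2023-0001",
      shortDescription: { text: "CVE-2023-0001 in openssl" },
      fullDescription: { text: "Heap overflow in openssl (description from a different CVE feed)" },
    }] } },
    results: [{ ruleIndex: 0, message: {} }],
  }],
};

const allFindings = [...normalizeSarif(TRIVY_LIKE), ...normalizeSarif(ROXCTL_LIKE)];
console.log(JSON.stringify(allFindings, null, 2));
console.log(summarize(allFindings));
```

Because both records come out with the same `ruleId`, a renderer can group the two tools' findings for one CVE side by side and show the differing descriptions, which is the behaviour the comparison above describes. Fields specific to one producer (for example GitHub's `security-severity` rule property, which is not part of the SARIF core) can be read from `rule.properties` as an optional extra without breaking the generic path.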

3 participants