Add an other Aqua scan format

[kzzz1]

When I run GET api/v2/risks/vulnerabilities in Aqua Security, I get a scan report listing vulnerabilities in my image, but the report generated is not supported for parsing in DefectDojo. Is it possible to add that new format report?

Sample file

api.json

[valentijnscholten]

Can you point us to the documentation of this format? Is there an official name for this type of report? Are you able to contribute a PR?

[kzzz1]

Here is the doc of the api/v2/risks/vulnerabilities endpoint:

api/v2/risks/vulnerabilities

The command list all vulnerabilities found in images

[kzzz1]

I could try a PR

[valentijnscholten]

Thanks. I cannot access that documentation as I don't have an aquasec account. PRs are welcome. Just want to make sure this is a common use case to generated these reports/exports and not just an API endpoint that is being called and not used by many users.
I noticed the exsiting aqua parser in Defect Dojo has no documentation at all. It looks like it is for Aquasec DevOps reports?

[kzzz1]

From what I know, the actual aqua formats covered by the parser are CICD reports and also scan results from a call to
GET /api/v1/scanner/registry/Docker%20Hub/image/mongo:latest/scan_result (like many_v2.json .... I know the file name is confusing)

That report generated over the api/v1 doesnt include de cvssv3 score, resulting in discording aqua severity when I import the scan in Defect Dojo vs what I see in the Aqua UI... I contacted Aqua Support and they told me to use the api/v2/risks/vulnerabilities endpoint instead. Saying that the other one was probably getting obsolete.

[valentijnscholten]

OK, might be a good idea with the PR to update also the docs for the existing parser.

[manuel-sommer]

Can we close this?