Improve Findings Format #519
Status: Closed
Labels: breaking (Changes requiring a major release), enhancement (New feature or request), findings, persistence (Implement or update a persistence store)
Project status: Done
The Findings Format is used e.g. to export data to other applications like DefectDojo; however, some necessary and/or useful information is not included in the Findings.
Therefore we will collect a list of possible improvements here. We are happy about any suggestions by the community.
Release 4.0 Scope

- Add a timestamp of when a Finding was identified (called identified_at). It should be optional, as we do not always have this exact information. Done in: Added optional identified_at parameter to findings #1434
- Add a timestamp of when a Finding was parsed (called parsed_at) as a fallback when identified_at is not present. Will be solved by: Added Timestamps to Findings JSON File #492
- Add additional JSON attributes that give information about how a Finding was identified ("evidence", "steps_to_reproduce"?) or what impact it has ("impact"?), see: Add a generic (SCB) finding importer to the DefectDojo Integration Hook #332 (comment). @secureCodeBox/contributer-team do we have any data available to do this?
- Add optional JSON attribute "mitigation" for solutions for how the vulnerability might be fixed; can be populated i.e. by "zap_solution" in ZAP. Done in: Added optional mitigation attribute to findings #1639
- Make severity, category and name required (breaking => update findings format check)
- Add optional JSON attribute "cve" for CVE as present i.e. in trivy. Done in: Added references attribute to findings #1676
- Add optional JSON attribute "cwe" for CWE as present i.e. in ZAP. Done in: Added references attribute to findings #1676
- Add optional JSON attribute "notes"/"other"/"additional_info" for other important information text that clarifies the vulnerability.
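The rules proposed above (name/category/severity required, identified_at optional with parsed_at as the fallback, CVE/CWE carried as references), as an added example checker that is not secureCodeBox project code. The shape of the "references" entries ({"type": "CVE"|"CWE", "value": ...}) and the sample findings are assumptions constructed for this example.

```python
from __future__ import annotations
from datetime import datetime

REQUIRED_ATTRIBUTES = ("name", "category", "severity")  # required per this issue
REFERENCE_TYPES = ("CVE", "CWE")  # assumed reference types for the "references" list


def validate_finding(finding: dict) -> list[str]:
    """Return a list of problems; an empty list means the finding satisfies the proposed rules."""
    problems = [f"missing required attribute '{key}'"
                for key in REQUIRED_ATTRIBUTES if not finding.get(key)]
    # Both timestamps are optional, but each one that is present must be ISO 8601.
    for key in ("identified_at", "parsed_at"):
        value = finding.get(key)
        if value is not None:
            try:
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"'{key}' is not an ISO 8601 timestamp: {value!r}")
    if finding.get("identified_at") is None and finding.get("parsed_at") is None:
        problems.append("neither identified_at nor parsed_at is present")
    # Assumed shape of a reference entry: {"type": "CVE" or "CWE", "value": "<id>"}.
    for ref in finding.get("references", []):
        if not isinstance(ref, dict) or ref.get("type") not in REFERENCE_TYPES or not ref.get("value"):
            problems.append(f"malformed reference: {ref!r}")
    return problems


def finding_timestamp(finding: dict) -> str:
    """identified_at when the scanner reported it, otherwise parsed_at as the fallback."""
    return finding.get("identified_at") or finding["parsed_at"]


def finding_ids(finding: dict, ref_type: str) -> list[str]:
    """Collect the CVE or CWE identifiers attached to a finding."""
    return [r["value"] for r in finding.get("references", []) if r.get("type") == ref_type]


# Constructed sample findings (not real scanner output).
GOOD_FINDING = {
    "name": "Outdated library", "category": "Vulnerable Component", "severity": "HIGH",
    "parsed_at": "2021-10-05T12:00:00Z",
    "mitigation": "Upgrade the affected package.",
    "references": [{"type": "CVE", "value": "CVE-0000-0000"}, {"type": "CWE", "value": "CWE-1104"}],
}
BAD_FINDING = {"name": "Missing header", "category": "", "identified_at": "yesterday",
               "references": [{"type": "OSVDB", "value": "123"}]}
```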
Additional Ideas for further development
@secureCodeBox/contributer-team please share any ideas you have in the comments.