Grype Output Schema

[Amndeep7]

What would you like to be added:

A formal schema for the Grype output format.

Why is this needed:

The MITRE Security Automation Framework (https://saf.mitre.org) has made an integration between the Grype output format and our tools and libraries. The primary integration is a converter that can take the Grype output format and normalize it into our Oasis Heimdall Data Format (OHDF).

https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/src/anchore-grype-mapper.ts
https://github.com/mitre/saf?tab=readme-ov-file#anchore-grype-to-hdf

We have created this integration via empirical testing and reading through the Grype source code; however, we'd like to improve the mapping and make sure that it is comprehensive in scope. In order to do this, we need a schema for the output format.

Additional context:

A sample Grype results file: https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/sample_jsons/anchore_grype_mapper/sample_input_report/anchore_grype.json

Those same results normalized into OHDF: https://github.com/mitre/heimdall2/blob/master/libs/hdf-converters/sample_jsons/anchore_grype_mapper/anchore-grype-hdf.json

Some screenshots of those results loaded into Heimdall, our security results visualization application: