Today, I worked on exporting issue reports in the DefectDojo Generic Findings format and in SARIF.
Even though the POC worked as expected, what I experienced there made me rethink the priority for these items. Both formats are surprisingly complex and confusing, and I think they are doing the opposite of what this project (TSP) is trying to achieve, which is simplicity… With dozens of fields for each issue, I don’t think it’ll be easy for any downstream consumer, whether a machine or a human, to consume and process that complex data. The previous experience with SonarQube was much more productive.
So I am leaving this work finished only at the basic-functionality stage, i.e., I got the DefectDojo export working, but I am dropping any work on SARIF support for now and instead prioritizing research on what the meaningful downstream consumers of the TSP automated issue reports would be, before spending more time on additional export formats. But, of course, this decision is not final, and customers will be able to request this feature in the future.