Introducing Dojo Truant

Posted by mwguy on Sun 27 October 2024

Over the last six months or so, I've been using DefectDojo to manage a vulnerability program at work. To make that work, I've been integrating vulnerability data from a variety of sources.

To support that work I've created and released a DefectDojo Python library called dojo-truant. It's a partial client that implements several of the API endpoints and does some nice pre-fetching for you, so you get a usable chunk of data rather than bare IDs. It's a "truant" because it's not completely there: it implements just the things I've found I've needed so far. Feel free to use it, and please don't hesitate to extend it.

We've found it useful for:

  • Ingesting Products/Product Types from an external source of truth
  • Adjusting vulnerability scoring based on the Product/Product Type (and CVSS3 metrics), especially with the help of Red Hat's cvss module (which will soon support CVSS v4).
  • Updating vulnerability data as the upstream changes
  • Validating vulnerability data.
  • Manually adjusting SLAs

I hope you find it interesting.

tags: vuln, defect-dojo