Support for respecting Analysis state

[s0ar]

Feature request: When the VEX or VDR contains an analysis state it would be great to respect that in the visualization.

The spec: https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_analysis contains the state property to declare the occurrence of a vulnerability.

Thus in the summary, components and vulnerabilities table this should be respected maybe toggled to include them based on their state. Don't show "not_affected", "false_positive", "resolved".

[lucacapacci]

nice idea! Do you already have an example of a real world file with this kind of information?

[s0ar]

Yes, here i have an example of a VEX export from DependencyTrack of a spring boot app.

vex_export.json

it contains three suppressed issues with state: not_affected and one of that has an optional comment shown in the detail json tag.

"analysis" : {
"state" : "not_affected",
"detail" : "not using SendQueueMessageJob"
},