I checked everywhere the govulncheck outputs Newline-Delimited JSON (NDJSON) — a stream of independent JSON objects, each on its own, separated by newlines. The objects come in this sequence:
{ "config": ... } ← scanner metadata, one per run
{ "SBOM": ... } ← all modules in go.mod with versions
{ "progress": ... } ← status messages (can appear multiple times)
{ "osv": ... } ← one per vulnerability CHECKED (entire vuln DB scan)
{ "osv": ... } ← ...repeated for every CVE govulncheck evaluated
{ "osv": ... }
{ "progress": ... }
{ "finding": ... } ← ONE per actual vulnerability found in YOUR code
{ "finding": ... } ← (can have multiple findings per OSV if multiple call sites)
But the Defect Dojo requires a regular JSON which is why Defect Dojo fails to import govulncheck report.
