Sunsetting VendorVectors

[simar7]

Hi everyone!

tl;dr: VendorVectors will be deprecated and removed from the scan output going forwards. Please use CVSS in the future.

We're planning to sunset (deprecate) VendorVectors from Trivy output going forwards. VendorVectors was introduced as a first implementation to provide various CVSS vectors for different vendors. This has been superseded by CVSS which includes all the information that VendorVectors provided and more (Vendor Scores).

The PR to get this change is here aquasecurity/trivy-db#71

Existing versions will remain unaffected. Once the above PR is merged and a new release is made, upon upgrading Trivy you will see this change in action. We'll keep a 14 day window before we merge the above PR in for any discussion or questions the community may have.

If you have any concerns or need help, please let us know. We'd be happy to help and answer any questions you may have.

– Trivy Team

[knqyf263]

I'm sorry for the delay in checking the announcement as I was a week off.

Existing versions will remain unaffected. Once the above PR is merged and a new release is made, upon upgrading Trivy you will see this change in action.

Existing versions will be also affected since the vulnerability database is updated. The DB will not contain VendorVectors anymore immediately after the PR is merged. VendorVectors was introduced at v0.8.0, so all versions from v0.8.0 are affected even if you don't upgrade Trivy.

[simar7]

With this PR being merged aquasecurity/trivy-db#71 this change is now completed.