Include Vendor Advisory Date

[Hacks4Snacks]

Description

Description:
There are some vendors (such as Azure Linux) that provide “advisory date” metadata in their vulnerability datasets. Exposing this data in Trivy’s vulnerability reports would be highly beneficial for users.

Justification:
The “advisory date” indicates when a vulnerability advisory was first published for a given vendor instead of NVD CVE publication. This information is crucial for several reasons:

• SLA Drivers: Helps in tracking the timelines for vulnerability resolution and ensures compliance with SLAs.
• Prioritization: Allows security teams to prioritize vulnerabilities based on the advisory date, focusing first on older advisories that might have higher exploitation risks.
• Historical Analysis: Facilitates historical analysis of vulnerabilities to identify trends and improve future vulnerability management processes.

Impact on Existing Workflows:
Integrating the “advisory date” into the existing outputs should be seamless, requiring minimal changes to current workflows. Users can leverage this additional data point without significant alterations to their existing vulnerability management processes.

Target

None

Scanner

Vulnerability

[knqyf263]

Thanks for your idea. Please let us see how much the community needs this feature.

To the community: Please leave a comment or reaction.