The API merged in ROX-29931 is only meant to "hook the pipes together". The API needs to be reviewed for quality and consistency before we release it as GA or without a feature flag.
I borrowed heavily from the image scan data structures, but there was a lot of "cruft" in the protobufs that we may want to clean up. It's also unclear to me if we want to try and share vulnerability and scan protobufs between images, nodes, and virtual machines. It seems like we should, but there may be subtle differences that make it difficult. It is also potentially a divergence from the v1 API (need to double check).
List of TODOs for GA:
- Remove CREATE, UPDATE, and DELETE operations
- Propagate facts between storage and v2 protos
  - If notes are going to stay in the storage proto, then they need to be in the v2 proto as well.
  - Same for advisory, cvss, vulnerability_types, (suppressed, suppress_activation, suppress_expiry,) first_system_occurrence, first_image_occurrence, state, cvss_metrics, nvd_cvss, operating_system, and epss.
- Would convertCVSSV3xxx be a better name for all the CVSSv3 conversion functions in v2tostorage/vulnerability.go and storagetov2/vulnerability.go?