From ffffbc717ef34f84a585a8977f28ced90695e256 Mon Sep 17 00:00:00 2001 From: hectorj2f Date: Sun, 13 Oct 2024 22:11:59 +0200 Subject: [PATCH] propose new changes to the specification and rename to vulns Signed-off-by: hectorj2f --- spec/predicates/README.md | 2 +- spec/predicates/vulns.md | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/spec/predicates/README.md b/spec/predicates/README.md index 237c9d21..6695611b 100644 --- a/spec/predicates/README.md +++ b/spec/predicates/README.md @@ -34,7 +34,7 @@ our [vetting process], and may be of general interest: [Release]: release.md [Runtime Traces]: runtime-trace.md [SCAI Report]: scai.md -[Vulnerability]: vuln.md +[Vulnerability]: vulns.md [SLSA Provenance]: https://slsa.dev/provenance [SLSA Verification Summary]: vsa.md [SPDX]: spdx.md diff --git a/spec/predicates/vulns.md b/spec/predicates/vulns.md index 9b24bb04..e2855248 100644 --- a/spec/predicates/vulns.md +++ b/spec/predicates/vulns.md 
@@ -68,33 +68,29 @@ The `predicate` contains a JSON-encoded data with the following fields: > > > The timestamp of when the vulnerability DB was updated last time. -**scanner.result, required** list +**scanner.result, required** object list > > The result contains a list of vulnerabilities. Note that an empty list means the **scanner** found no vulnerabilities. > > This is the most important part of this field because it'll store the scan result as a whole. So, people might want > > to use this field to take decisions based on them by making use of Policy Engines tooling whether allow or deny these images. -**scanner.result.[*].vulnerability, optional** object - -> > > The vulnerability object defines information about each one of the vulnerabilities found by the scanner. - -**scanner.result.[*].vulnerability.id, required** string +**scanner.result.[*].id, required** string > > > > This is the identifier of the vulnerability, e.g. [GHSA-fxph-q3j8-mv87](https://github.com/advisories/GHSA-fxph-q3j8-mv87) whose CVE id is [CVE-2017-5645](https://nvd.nist.gov/vuln/detail/CVE-2017-5645). -**scanner.result.[*].vulnerability.severity, required** object +**scanner.result.[*].severity, required** object > > > > The severity contains a list to describe the severity of a vulnerability using one or more quantitative scoring method. -**scanner.result.[*].vulnerability.severity.method, required** string +**scanner.result.[*].severity.method, required** string > > > > > The method describes the quantitative method used to calculate the associated severity score such as nvd, cvss and others. -**scanner.result.[*].vulnerability.severity.score, required** string +**scanner.result.[*].severity.score, required** string > > > > > This is a string representing the severity score based on the selected method. 
-**scanner.result.[*].vulnerability.annotations, optional** list, map +**scanner.result.[*].annotations, optional** list, map > > > > > This is a list of key/value pairs where scanners can add additional custom information. @@ -158,3 +154,8 @@ The `predicate` contains a JSON-encoded data with the following fields: Not applicable for this initial version. [Attestation]: ../README.md + + +2024-10-11: +- @lumjjb Remove ambiguity from the result object which included a redundant object 'vulnerability'. +- Add missing type to annotations \ No newline at end of file
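Review bot: the subject line says "rename to vulns", but no rename is in this patch: both sides of the second file header already read `a/spec/predicates/vulns.md b/spec/predicates/vulns.md`, so the README hunk only repairs the stale link `[Vulnerability]: vulns.md`. Make sure the commit that moves `vuln.md` to `vulns.md` lands before this one (or fold it in here); applied on its own, the corrected link points at a file that does not exist yet.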
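Review bot: in the first `vulns.md` hunk the `severity` field now contradicts its own type. It is declared `**scanner.result.[*].severity, required** object`, yet its description says "The severity contains a list to describe the severity of a vulnerability using one or more quantitative scoring method", while `method` and `score` are documented as direct children of `severity`. Pick one shape: either make `severity` an `object list` with one `{method, score}` entry per scoring method (mirroring the new `**scanner.result, required** object list`), or drop "a list" from the sentence and state that a single method/score pair is recorded. Three smaller points in the same hunk: the new type `list, map` on `annotations` is ambiguous and the description ("a list of key/value pairs") reads as a map, so declare one type; the `>` nesting for `id`, `severity`, `method`, `score` and `annotations` is still the depth they had under the removed `vulnerability` wrapper (four and five `>`), one level deeper than the field they now hang from, so reduce each by one; and removing "The vulnerability object defines information about each one of the vulnerabilities found by the scanner." left `scanner.result` with no sentence saying what each entry is, so add a short one there.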
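Review bot: the second `vulns.md` hunk leaves the file without a trailing newline (`\ No newline at end of file`) and appends the changelog entry directly after the link definition `[Attestation]: ../README.md` with no heading, so it renders as stray text beneath "Not applicable for this initial version." Put the entry under its own changelog heading in the document's heading style and restore the final newline. The second bullet, "Add missing type to annotations", also does not match the hunk above it: `annotations` already had the type `list` and this patch changes it to `list, map`, so word the entry as a type change (and, if `map` is the intended type, say so).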