add createdAt or updatedAt for vulnerabilities scheme

[tomerse-sg]

What would you like to be added:
vulnerabilities from NVD and GHSA contains sometimes modification and creation time.
is it possible to add it into the scheme of grype?

Why is this needed:
full information on CVEs \ GHSA\s
Additional context:

[willmurphyscode]

Thanks for the suggestion @tomerse-sg! I've added this to the "schema version 6 wish list" over at anchore/grype-db#108. Bumping the schema of the database grype uses is a bit of a heavy lift right now, but we're looking at ways to make it easier, and discussing what should be included in the next version (hence the "version 6 wish list").

I've you like to be part of the discussion, feel free to join the community meeting at https://github.com/anchore/grype/#join-our-community-meetings, or ping us on Slack (I think you're already in the slack).

[tomerse-sg]

hi, from your experience, what is the approximate estimation time for the schema version 6 wish list?

[willmurphyscode]

Hi @tomerse-sg,

Sorry, but we don't have a time estimate right now for the v6 schema wish list, or even know exactly what the final implementation will look like. If you're interested in working with us on it, please let us know!

[tomersein]

it can be useful. make the DB stateful. will it be added to the v6 db plan? @willmurphyscode

[willmurphyscode]

@tomerse-sg yes, this will be in grype db schema v6 for providers that we can easily get the data from.

[wagoodman]

For NVD and GHSA this will be in the DB v6 work, which is in progress now. I expect PRs that implement this to land soon, but we won't switch to using the v6 schema for probably another 2 months (+/- a margin).

[tomersein]

great news! @wagoodman
however, this schema will make the DB to be "half stated", meaning some of the vulnerabilities will have updated timestamp field, and the other will not have.
moreover, since there are plans to remove grype db diff, I wonder if any other solution will be provided to monitor modified vulnerabilities in the DB? @wagoodman (since other sources like ubuntu, debian, rpm, etc. doesn't report on modifications).

[wagoodman]

We'll be plumbing through the upstream data sources that do support these fields (this work will be tracked here #2259 ) which will be closely related to #2129. If we cannot reliably plumb date information then we will need to refigure a plan for DB diff.

[tomersein]

great! @wagoodman
please consider not to deprecate the grype db diff (I saw it was moved to 'legacy' folder) before we have a state for vulnerabilities :)