This repository has been archived by the owner on Jan 27, 2023. It is now read-only.
@zhill @dspalmer99
Quick update: We are able to modify the code to extract vectorString in the file below:
anchore_engine/services/apiext/api/controllers/utils.py
However, we see that the feed information does not contain the publishedDate metadata that can be used while generating the report. Any inputs will help.
Is this a request for help?:
Is this a BUG REPORT or a FEATURE REQUEST? (choose one):
FEATURE REQUEST
Version of Anchore Engine and Anchore CLI if applicable:
What happened:
What did you expect to happen:
Any relevant log output from /var/log/anchore:
What docker images are you using:
How to reproduce the issue:
Anything else we need to know:
Currently the json report structure looks like:
```json
"vulnerabilities": [
    {
        "feed": "vulnerabilities",
        "feed_group": "github:java",
        "fix": "2.17.1",
        "nvd_data": [
            {
                "cvss_v2": {
                    "base_score": 6.0,
                    "exploitability_score": 6.8,
                    "impact_score": 6.4
                },
                "cvss_v3": {
                    "base_score": 6.6,
                    "exploitability_score": 0.7,
                    "impact_score": 5.9
                },
                "id": "CVE-2021-44832"
            }
        ],
        "package": "log4j-api-2.17.0",
        "package_cpe": "None",
        "package_cpe23": "None",
        "package_name": "log4j-api",
        "package_path": "/path",
        "package_type": "java",
        "package_version": "2.17.0",
        "severity": "Medium",
        "url": "https://github.com/advisories/GHSA-8489-44mv-ggj8",
        "vendor_data": [],
        "vuln": "GHSA-8489-44mv-ggj8",
        "will_not_fix": false
    },
```
It will be helpful if the strings below can be added from the NVD data:
```json
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"publishedDate": "2021-12-28T20:15Z"
```
Source:
https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2021-44832