From 91b6b3416e1a86fb8bccb3189f76f950cbd93e2c Mon Sep 17 00:00:00 2001 From: Tushar Goel <34160672+TG1999@users.noreply.github.com> Date: Fri, 16 Jan 2026 22:55:33 +0530 Subject: [PATCH 1/2] Add VCIO migration announcement blog post Signed-off-by: Tushar Goel Signed-off-by: Tushar Goel <34160672+TG1999@users.noreply.github.com> --- .../vcio-migration-announcement-aboutcode.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md diff --git a/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md b/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md new file mode 100644 index 0000000..880fc9a --- /dev/null +++ b/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md 
@@ -0,0 +1,51 @@ +--- +slug: vcio-migration-announcement-aboutcode +title: VulnerableCode API Deprecation and V3 Introduction +authors: [tg1999] +tags: [vcio, vulnerabilities, advisories, purl, api] +hide_table_of_contents: false +--- + +# VulnerableCode API Deprecation and V3 Introduction + +VulnerableCode (public.vulnerablecode.io) is planning to deprecate V1 and V2 API by the end of Q2 2026 (June 20, 2026) with the V3 API and UI to be introduced by the end of January 2026. + +--- + +## Why this new API + +The existing V1 and V2 APIs are both based on the “vulnerabilities” model, designed to aggregate information from multiple advisory sources based on identifiers and aliases. Due to the combination of various sources, it is difficult to determine which source is correct and this may result in data from one source overwriting data from another source. + +--- + +## What to expect from this new API and UI + +Moving forward, VulnerableCode will report “advisories” for packages and not “vulnerabilities”. + +Currently if a package has 4 advisories and those 4 advisories were correlated with each other by their aliases and identifiers, we report a single vulnerability affecting that package. The new approach in V3 will report 4 individual advisories. + +The new “advisories” model introduces an Advisory ID (AVID) for each advisory in VulnerableCode. An AVID will have different components like the source and the natural unique identifier used at that source. So for example if we are importing an advisory from “nodejs_security_wg” and it’s identified by its ID “123”, the AVID will be “nodejs_security_wg/123”. 
+ +--- + +## Plan and Timeline + +We are planning to complete the following tasks by the end of January 2026: + +- Redesigning the API and UI +- Migrating our existing data sources +- Documenting the V3 API and the new UI + +--- + +## Current Status + +https://public2.vulnerablecode.io/v2 uses the new advisory based UI and +https://public2.vulnerablecode.io/api/v3/ uses new API, but it is still under development and not ready for production use. + +--- + +## Migration Progress + +You can track the progress of migration here: +https://github.com/orgs/aboutcode-org/projects/52/views/48 From d1f13a05e10e0e606c36e66af3483bf7dae344bf Mon Sep 17 00:00:00 2001 From: Michael Herzog Date: Fri, 16 Jan 2026 14:57:15 -0800 Subject: [PATCH 2/2] Update vcio-migration-announcement-aboutcode.md General edits: - Identify "we" as the AboutCode team - Shorter sentences with active voice - Avoid dependent clauses to start sentences - Remove unnecessary adverbs Signed-off-by: Michael Herzog --- .../vcio-migration-announcement-aboutcode.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md b/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md index 880fc9a..9893f23 100644 --- a/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md +++ b/website/blog/vcio-migration-announcement-aboutcode/vcio-migration-announcement-aboutcode.md 
@@ -8,23 +8,23 @@ hide_table_of_contents: false # VulnerableCode API Deprecation and V3 Introduction -VulnerableCode (public.vulnerablecode.io) is planning to deprecate V1 and V2 API by the end of Q2 2026 (June 20, 2026) with the V3 API and UI to be introduced by the end of January 2026. +The AboutCode team is planning to deprecate the V1 and V2 API of VulnerableCode (public.vulnerablecode.io) by the end of Q2 2026 (June 20, 2026). We are introducing V3 API and UI by the end of January 2026. --- ## Why this new API -The existing V1 and V2 APIs are both based on the “vulnerabilities” model, designed to aggregate information from multiple advisory sources based on identifiers and aliases. Due to the combination of various sources, it is difficult to determine which source is correct and this may result in data from one source overwriting data from another source. +The existing V1 and V2 APIs are both based on the “vulnerabilities” model, designed to aggregate information from multiple advisory sources based on identifiers and aliases. With the "vulnerabilities" model it is difficult to determine which source is correct because of the combination of sources. This may result in data from one source overwriting data from another source. --- -## What to expect from this new API and UI +## What to expect from the new V3 API and UI Moving forward, VulnerableCode will report “advisories” for packages and not “vulnerabilities”. Currently if a package has 4 advisories and those 4 advisories were correlated with each other by their aliases and identifiers, we report a single vulnerability affecting that package. The new approach in V3 will report 4 individual advisories. -The new “advisories” model introduces an Advisory ID (AVID) for each advisory in VulnerableCode. An AVID will have different components like the source and the natural unique identifier used at that source. 
So for example if we are importing an advisory from “nodejs_security_wg” and it’s identified by its ID “123”, the AVID will be “nodejs_security_wg/123”. +The new “advisories” model introduces an Advisory ID (AVID) for each advisory in VulnerableCode. An AVID will have different components like the source and the natural unique identifier used at that source. For example if we are importing an advisory from “nodejs_security_wg” and it’s identified by its ID “123”, the AVID will be “nodejs_security_wg/123”. --- @@ -40,7 +40,7 @@ We are planning to complete the following tasks by the end of January 2026: ## Current Status -https://public2.vulnerablecode.io/v2 uses the new advisory based UI and +https://public2.vulnerablecode.io/v2 uses the new advisory based UI https://public2.vulnerablecode.io/api/v3/ uses new API, but it is still under development and not ready for production use. ---
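Review bot: In the opening paragraph of the new post in [PATCH 1/2], "by the end of Q2 2026 (June 20, 2026)" gives two different deadlines, because Q2 ends on June 30. API consumers will schedule their migration against this date, so state one unambiguous cut-off. In the V3 section, "An AVID will have different components like the source and the natural unique identifier" leaves the format open. The example "nodejs_security_wg/123" uses "/" as the separator, so say whether the source-side identifier can itself contain "/" and how clients should split or URL-encode an AVID. The Current Status section also serves the new UI under a "/v2" path while the post calls the release V3, which deserves one clarifying sentence.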
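Review bot: In the Current Status section of [PATCH 2/2], removing the trailing "and" leaves the "/v2 uses the new advisory based UI" line with no terminating punctuation directly above the "/api/v3/" line, so Markdown will join the two into one run-on paragraph. End the first line with a period or turn the two URLs into a list. The rewritten sentence under "Why this new API" puts straight quotes around "vulnerabilities" while the rest of the file uses curly quotes, and "We are introducing V3 API and UI" is missing "the". The rewritten opening sentence also keeps "end of Q2 2026 (June 20, 2026)", which still does not match the end of Q2 (June 30).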