provide vulnerability attestation based on cosign vuln spec · Issue #1646 · aquasecurity/trivy

In cosign, we (w/@Dentrax @dlorenc) worked on generating a spec for vulnerabilities1 and ended up having something like the following 👇 https://github.com/sigstore/cosign/blob/main/specs/COSIGN_VUL...