diff --git a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto
index af86fbe098f..b8ca5175ce0 100644
--- a/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto
+++ b/packages/google-cloud-asset/protos/google/cloud/osconfig/v1/vulnerability.proto
@@ -75,6 +75,32 @@ message VulnerabilityReport {
       repeated Reference references = 6;
     }
 
+    // OS inventory item that is affected by a vulnerability or fixed as a
+    // result of a vulnerability.
+    message Item {
+      // Corresponds to the `INSTALLED_PACKAGE` inventory item on the VM.
+      // This field displays the inventory items affected by this vulnerability.
+      // If the vulnerability report was not updated after the VM inventory
+      // update, these values might not display in VM inventory. For some
+      // operating systems, this field might be empty.
+      string installed_inventory_item_id = 1;
+
+      // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
+      // If the vulnerability report was not updated after the VM inventory
+      // update, these values might not display in VM inventory. If there is no
+      // available fix, the field is empty. The `inventory_item` value specifies
+      // the latest `SoftwarePackage` available to the VM that fixes the
+      // vulnerability.
+      string available_inventory_item_id = 2;
+
+      // The recommended [CPE URI](https://cpe.mitre.org/specification/) update
+      // that contains a fix for this vulnerability.
+      string fixed_cpe_uri = 3;
+
+      // The upstream OS patch, packages or KB that fixes the vulnerability.
+      string upstream_fix = 4;
+    }
+
     // Contains metadata as per the upstream feed of the operating system and
     // NVD.
     Details details = 1;
@@ -84,7 +110,7 @@ message VulnerabilityReport {
     // If the vulnerability report was not updated after the VM inventory
     // update, these values might not display in VM inventory. For some distros,
     // this field may be empty.
-    repeated string installed_inventory_item_ids = 2;
+    repeated string installed_inventory_item_ids = 2 [deprecated = true];
 
     // Corresponds to the `AVAILABLE_PACKAGE` inventory item on the VM.
     // If the vulnerability report was not updated after the VM inventory
@@ -92,13 +118,16 @@ message VulnerabilityReport {
     // available fix, the field is empty. The `inventory_item` value specifies
     // the latest `SoftwarePackage` available to the VM that fixes the
     // vulnerability.
-    repeated string available_inventory_item_ids = 3;
+    repeated string available_inventory_item_ids = 3 [deprecated = true];
 
     // The timestamp for when the vulnerability was first detected.
     google.protobuf.Timestamp create_time = 4;
 
     // The timestamp for when the vulnerability was last modified.
     google.protobuf.Timestamp update_time = 5;
+
+    // List of items affected by the vulnerability.
+    repeated Item items = 6;
   }
 
   // Output only. The `vulnerabilityReport` API resource name.