diff --git a/docs/_posts/2024-xx-xx-v4.12.0.md b/docs/_posts/2024-xx-xx-v4.12.0.md
index 398f03b8bd..38399118bb 100644
--- a/docs/_posts/2024-xx-xx-v4.12.0.md
+++ b/docs/_posts/2024-xx-xx-v4.12.0.md
@@ -33,6 +33,7 @@ type: major
 * Disable redundant shutdown hook of the embedded H2 database - [apiserver/#4106]
 * Support inclusion and exclusion of projects from BOM validation with tags - [apiserver/#4109]
 * Update Dependency-Track's own BOM to CycloneDX v1.5 - [apiserver/#4110]
+* Migrate Trivy integration to use Protobuf instead of JSON - [apiserver/#4116]
 * Support for serving the frontend from a custom path - [frontend/#801]
 * Add dynamic policy violation badges - [frontend/#810]
 * Add quick search for projects also using a component - [frontend/#848]
@@ -142,6 +143,7 @@ Special thanks to everyone who contributed code to implement enhancements and fi
 [apiserver/#4108]: https://github.com/DependencyTrack/dependency-track/pull/4108
 [apiserver/#4109]: https://github.com/DependencyTrack/dependency-track/pull/4109
 [apiserver/#4110]: https://github.com/DependencyTrack/dependency-track/pull/4110
+[apiserver/#4116]: https://github.com/DependencyTrack/dependency-track/pull/4116
 
 [frontend/#801]: https://github.com/DependencyTrack/frontend/pull/801
 [frontend/#810]: https://github.com/DependencyTrack/frontend/pull/810
diff --git a/pom.xml b/pom.xml
index 5877d1d18a..73251c93aa 100644
--- a/pom.xml
+++ b/pom.xml
@@ -118,6 +118,7 @@
         <lib.open-vulnerability-clients.version>6.2.0</lib.open-vulnerability-clients.version>
         <lib.packageurl.version>1.5.0</lib.packageurl.version>
         <lib.pebble.version>3.2.2</lib.pebble.version>
+        <lib.protobuf-java.version>4.28.0</lib.protobuf-java.version>
         <lib.resilience4j.version>2.2.0</lib.resilience4j.version>
         <lib.swagger-parser.version>2.1.22</lib.swagger-parser.version>
         <lib.system-rules.version>1.19.0</lib.system-rules.version>
@@ -139,8 +140,11 @@
         <plugin.cyclonedx.outputFormat>json</plugin.cyclonedx.outputFormat>
         <plugin.retirejs.breakOnFailure>false</plugin.retirejs.breakOnFailure>
         <plugin.jetty.version>12.0.12</plugin.jetty.version>
+        <plugin.protoc-jar.version>3.11.4</plugin.protoc-jar.version>
         <!-- SonarCloud properties -->
         <sonar.exclusions>src/main/webapp/**</sonar.exclusions>
+        <!-- Tool Versions -->
+        <tool.protoc.version>com.google.protobuf:protoc:${lib.protobuf-java.version}</tool.protoc.version>
         <!-- CycloneDX CLI -->
         <cyclonedx-cli.path>cyclonedx</cyclonedx-cli.path>
         <services.bom.merge.skip>true</services.bom.merge.skip>
@@ -203,6 +207,7 @@
             <artifactId>cyclonedx-core-java</artifactId>
             <version>${lib.cyclonedx-java.version}</version>
         </dependency>
+
         <!-- org.json
         This was previously transitively included with Unirest. However, Unirest v3.x removed reliance on org.json
         in favor of their own API compatible replacement. Therefore, it was necessary to directly include org.json.
@@ -263,6 +268,17 @@
             <version>${lib.pebble.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>${lib.protobuf-java.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java-util</artifactId>
+            <version>${lib.protobuf-java.version}</version>
+        </dependency>
+
         <dependency>
             <groupId>io.swagger.core.v3</groupId>
             <artifactId>swagger-jaxrs2-jakarta</artifactId>
@@ -561,6 +577,30 @@
                     </dependency>
                 </dependencies>
             </plugin>
+            <plugin>
+                <groupId>com.github.os72</groupId>
+                <artifactId>protoc-jar-maven-plugin</artifactId>
+                <version>${plugin.protoc-jar.version}</version>
+                <executions>
+                    <execution>
+                        <id>protobuf</id>
+                        <phase>generate-sources</phase>
+                        <goals>
+                            <goal>run</goal>
+                        </goals>
+                        <configuration>
+                            <includeMavenTypes>direct</includeMavenTypes>
+                            <inputDirectories>
+                                <inputDirectory>src/main/proto</inputDirectory>
+                            </inputDirectories>
+                            <includeDirectories>
+                                <includeDirectory>src/main/proto</includeDirectory>
+                            </includeDirectories>
+                            <protocArtifact>${tool.protoc.version}</protocArtifact>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
@@ -586,6 +626,7 @@
                 <configuration>
                     <excludes>
                         <exclude>org/dependencytrack/upgrade/**/*</exclude>
+                        <exclude>trivy/proto/**/*</exclude>
                     </excludes>
                 </configuration>
             </plugin>
diff --git a/src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java b/src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java
index fb30a971ae..6bad9271b3 100644
--- a/src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java
+++ b/src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java
@@ -18,89 +18,64 @@
  */
 package org.dependencytrack.parser.trivy;
 
-import alpine.common.logging.Logger;
+import com.google.protobuf.util.Timestamps;
 import org.dependencytrack.model.Cwe;
 import org.dependencytrack.model.Severity;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.parser.common.resolver.CweResolver;
-import org.dependencytrack.parser.trivy.model.CVSS;
+import trivy.proto.common.CVSS;
 
 import java.math.BigDecimal;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
 import java.util.Date;
-import java.util.Locale;
+import java.util.List;
 
 import static org.apache.commons.lang3.StringUtils.trimToNull;
 
 public class TrivyParser {
 
-    private static final Logger LOGGER = Logger.getLogger(TrivyParser.class);
-
-    public Vulnerability parse(org.dependencytrack.parser.trivy.model.Vulnerability data) {
+    public Vulnerability parse(trivy.proto.common.Vulnerability data) {
         var vulnerability = new Vulnerability();
-        vulnerability.setSource(Vulnerability.Source.resolve(data.getVulnerabilityID()));
+        vulnerability.setSource(Vulnerability.Source.resolve(data.getVulnerabilityId()));
         vulnerability.setPatchedVersions(data.getFixedVersion());
 
         // get the id of the data record (vulnerability)
-        vulnerability.setVulnId(data.getVulnerabilityID());
+        vulnerability.setVulnId(data.getVulnerabilityId());
         vulnerability.setTitle(data.getTitle());
         vulnerability.setDescription(data.getDescription());
         vulnerability.setSeverity(parseSeverity(data.getSeverity()));
 
-        try {
-            vulnerability.setPublished(parseDate(data.getPublishedDate()));
+        if (data.hasPublishedDate()) {
+            vulnerability.setPublished(new Date(Timestamps.toMillis(data.getPublishedDate())));
             vulnerability.setCreated(vulnerability.getPublished());
-        } catch (ParseException ex) {
-            LOGGER.warn("Unable to parse published date %s".formatted(data.getPublishedDate()), ex);
         }
 
-        try {
-            vulnerability.setUpdated(parseDate(data.getLastModifiedDate()));
-        } catch (ParseException ex) {
-            LOGGER.warn("Unable to parse last modified date %s".formatted(data.getLastModifiedDate()), ex);
+        if (data.hasLastModifiedDate()) {
+            vulnerability.setUpdated(new Date(Timestamps.toMillis(data.getLastModifiedDate())));
         }
 
-        vulnerability.setReferences(addReferences(data.getReferences()));
+        vulnerability.setReferences(addReferences(data.getReferencesList()));
 
         // CWE
-        for (String id : data.getCweIDS()) {
+        for (String id : data.getCweIdsList()) {
             final Cwe cwe = CweResolver.getInstance().lookup(id);
             if (cwe != null) {
                 vulnerability.addCwe(cwe);
             }
         }
 
-        vulnerability = setCvssScore(data.getCvss().get(data.getSeveritySource()), vulnerability);
+        vulnerability = setCvssScore(data.getCvssMap().get(data.getSeveritySource()), vulnerability);
 
         return vulnerability;
     }
 
-    public Date parseDate(String input) throws ParseException {
-        if (input != null) {
-            String format = input.length() == 20 ? "yyyy-MM-dd'T'HH:mm:ss'Z'" : "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'";
-            SimpleDateFormat formatter = new SimpleDateFormat(format, Locale.ENGLISH);
-            return formatter.parse(input);
-        }
-        return null;
-    }
-
-    public Severity parseSeverity(String severity) {
-
-        if (severity != null) {
-            if (severity.equalsIgnoreCase("CRITICAL")) {
-                return Severity.CRITICAL;
-            } else if (severity.equalsIgnoreCase("HIGH")) {
-                return Severity.HIGH;
-            } else if (severity.equalsIgnoreCase("MEDIUM")) {
-                return Severity.MEDIUM;
-            } else if (severity.equalsIgnoreCase("LOW")) {
-                return Severity.LOW;
-            } else {
-                return Severity.UNASSIGNED;
-            }
-        }
-        return Severity.UNASSIGNED;
+    public Severity parseSeverity(trivy.proto.common.Severity severity) {
+        return switch (severity) {
+            case CRITICAL -> Severity.CRITICAL;
+            case HIGH -> Severity.HIGH;
+            case MEDIUM -> Severity.MEDIUM;
+            case LOW -> Severity.LOW;
+            default -> Severity.UNASSIGNED;
+        };
     }
 
     public Vulnerability setCvssScore(CVSS cvss, Vulnerability vulnerability) {
@@ -118,7 +93,7 @@ public Vulnerability setCvssScore(CVSS cvss, Vulnerability vulnerability) {
         return vulnerability;
     }
 
-    public String addReferences(String[] references) {
+    public String addReferences(List<String> references) {
         final StringBuilder sb = new StringBuilder();
         for (String reference : references) {
             if (reference != null) {
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Application.java b/src/main/java/org/dependencytrack/parser/trivy/model/Application.java
deleted file mode 100644
index d56f34abe4..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Application.java
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import java.util.ArrayList;
-import java.util.List;
-
-public class Application {
-
-    private String type;
-    private List<Package> packages;
-
-    /**
-     * NB: GSON doesn't support serialization of getters, it can only deal with fields.
-     * Need to have libraries as redundant field to packages, with Jackson we could just
-     * use a computed getter with {@link com.fasterxml.jackson.annotation.JsonGetter}.
-     * Migrate this to Jackson eventually.
-     *
-     * @see <a href="https://github.com/DependencyTrack/dependency-track/issues/3737">GitHub issue</a>
-     * @deprecated Kept for compatibility with Trivy <= 0.51.1
-     */
-    @Deprecated(forRemoval = true)
-    private List<Package> libraries;
-
-    public Application(final String type) {
-        this.type = type;
-        this.packages = new ArrayList<>();
-        this.libraries = new ArrayList<>();
-    }
-
-    public String getType() {
-        return type;
-    }
-
-    public void setType(String value) {
-        this.type = value;
-    }
-
-    public List<Package> getPackages() {
-        return packages;
-    }
-
-    public void setPackages(List<Package> value) {
-        this.packages = value;
-        this.libraries = value;
-    }
-
-    public void addPackage(Package value) {
-        this.packages.add(value);
-        this.libraries.add(value);
-    }
-
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/BlobInfo.java b/src/main/java/org/dependencytrack/parser/trivy/model/BlobInfo.java
deleted file mode 100644
index bf04a53193..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/BlobInfo.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class BlobInfo {
-    @SerializedName("schema_version")
-    private long schemaVersion;
-    private OS os;
-    private Application[] applications;
-    @SerializedName("package_infos")
-    private PackageInfo[] packageInfos;
-
-    public BlobInfo() {
-        this.schemaVersion = 2;
-        this.os = new OS();
-    }
-
-    public long getSchemaVersion() { return schemaVersion; }
-    public void setSchemaVersion(long value) { this.schemaVersion = value; }
-
-    public OS getOS() { return os; }
-    public void setOS(OS value) { this.os = value; }
-
-    public Application[] getApplications() { return applications; }
-    public void setApplications(Application[] value) { this.applications = value; }
-
-    public PackageInfo[] getPackageInfos() { return packageInfos; }
-    public void setPackageInfos(PackageInfo[] value) { this.packageInfos = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/CVSS.java b/src/main/java/org/dependencytrack/parser/trivy/model/CVSS.java
deleted file mode 100644
index 4e4b99cffe..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/CVSS.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class CVSS {
-    @SerializedName("v2_vector")
-    private String v2Vector;
-    @SerializedName("v3_vector")
-    private String v3Vector;
-    @SerializedName("v2_score")
-    private double v2Score;
-    @SerializedName("v3_score")
-    private double v3Score;
-
-    public String getV2Vector() { return v2Vector; }
-    public void setV2Vector(String value) { this.v2Vector = value; }
-
-    public String getV3Vector() { return v3Vector; }
-    public void setV3Vector(String value) { this.v3Vector = value; }
-
-    public double getV2Score() { return v2Score; }
-    public void setV2Score(double value) { this.v2Score = value; }
-
-    public double getV3Score() { return v3Score; }
-    public void setV3Score(double value) { this.v3Score = value; }
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/DataSource.java b/src/main/java/org/dependencytrack/parser/trivy/model/DataSource.java
deleted file mode 100644
index 891953331a..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/DataSource.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-public class DataSource {
-    private String id;
-    private String name;
-    private String url;
-
-    public String getID() { return id; }
-    public void setID(String value) { this.id = value; }
-
-    public String getName() { return name; }
-    public void setName(String value) { this.name = value; }
-
-    public String getURL() { return url; }
-    public void setURL(String value) { this.url = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/DeleteRequest.java b/src/main/java/org/dependencytrack/parser/trivy/model/DeleteRequest.java
deleted file mode 100644
index 9a6ea13911..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/DeleteRequest.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class DeleteRequest {
-
-    @SerializedName("blob_ids")
-    private String[] blobIDS;
-
-    public String[] getBlobIDS() { return blobIDS; }
-    public void setBlobIDS(String[] value) { this.blobIDS = value; }
-
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Layer.java b/src/main/java/org/dependencytrack/parser/trivy/model/Layer.java
deleted file mode 100644
index a5d4a4af8f..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Layer.java
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class Layer {
-    private String digest;
-    @SerializedName("diff_id")
-    private String diffID;
-    @SerializedName("created_by")
-    private String createdBy;
-
-    public String getDigest() { return digest; }
-    public void setDigest(String value) { this.digest = value; }
-
-    public String getDiffID() { return diffID; }
-    public void setDiffID(String value) { this.diffID = value; }
-
-    public String getCreatedBy() { return createdBy; }
-    public void setCreatedBy(String value) { this.createdBy = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/OS.java b/src/main/java/org/dependencytrack/parser/trivy/model/OS.java
deleted file mode 100644
index 7a1f01c581..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/OS.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-public class OS {
-    private String family;
-    private String name;
-    private boolean eosl;
-    private boolean extended;
-
-    public OS(){}
-    public OS(String family, String name) {
-        this.family = family;
-        this.name = name;
-    }
-
-    public String getFamily() { return family; }
-    public void setFamily(String value) { this.family = value; }
-
-    public String getName() { return name; }
-    public void setName(String value) { this.name = value; }
-
-    public boolean getEosl() { return eosl; }
-    public void setEosl(boolean value) { this.eosl = value; }
-
-    public boolean getExtended() { return extended; }
-    public void setExtended(boolean value) { this.extended = value; }
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Options.java b/src/main/java/org/dependencytrack/parser/trivy/model/Options.java
deleted file mode 100644
index 888f162187..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Options.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class Options {
-
-    /**
-     * NB: GSON doesn't support serialization of getters, it can only deal with fields.
-     * Need to have libraries as redundant field to packages, with Jackson we could just
-     * use a computed getter with {@link com.fasterxml.jackson.annotation.JsonGetter}.
-     * Migrate this to Jackson eventually.
-     *
-     * @see <a href="https://github.com/DependencyTrack/dependency-track/issues/3737">GitHub issue</a>
-     * @deprecated Kept for compatibility with Trivy < 0.54.0
-     */
-    @Deprecated(forRemoval = true)
-    @SerializedName("vuln_type")
-    private String[] vulnType;
-
-    @SerializedName("pkg_types")
-    private String[] pkgTypes;
-
-    private String[] scanners;
-
-    public void setPkgTypes(String[] value) {
-        this.pkgTypes = value;
-        this.vulnType = value;
-    }
-
-    public void setScanners(String[] value) {
-        this.scanners = value;
-    }
-
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Package.java b/src/main/java/org/dependencytrack/parser/trivy/model/Package.java
deleted file mode 100644
index 3b3961ea05..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Package.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class Package {
-    private String name;
-    private String version;
-    private String arch;
-    private Integer epoch;
-
-    @SerializedName("src_name")
-    private String srcName;
-    @SerializedName("src_version")
-    private String srcVersion;
-    @SerializedName("src_epoch")
-    private Integer srcEpoch;
-    @SerializedName("src_release")
-    private String srcRelease;
-    private String[] licenses;
-    private OS layer;
-
-    public Package(String name, String version, String arch, Integer epoch, String srcName, String srcVersion, String srcRelease) {
-
-        this.name = name;
-        this.version = version;
-        this.arch = arch;
-        this.epoch = epoch;
-
-        this.srcName = (srcName == null) ? name : srcName;
-        this.srcVersion = (srcVersion == null) ? version : srcVersion;
-        this.srcEpoch = epoch;
-        this.srcRelease = srcRelease;
-
-        this.licenses = new String[] {};
-        this.layer = new OS();
-    }
-
-
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/PackageInfo.java b/src/main/java/org/dependencytrack/parser/trivy/model/PackageInfo.java
deleted file mode 100644
index 66061ad5e9..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/PackageInfo.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import java.util.ArrayList;
-
-public class PackageInfo {
-    private ArrayList<Package> packages;
-
-    public PackageInfo() {
-        this.packages = new ArrayList<Package>();
-    }
-
-    public ArrayList<Package> getPackages() { return packages; }
-    public void setPackages(ArrayList<Package> value) { this.packages = value; }
-    public void addPackage(Package value) { this.packages.add(value); }
-}
-
-
-
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/PutRequest.java b/src/main/java/org/dependencytrack/parser/trivy/model/PutRequest.java
deleted file mode 100644
index b5aeff03ab..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/PutRequest.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class PutRequest {
-    @SerializedName("diff_id")
-    private String diffID;
-    @SerializedName("blob_info")
-    private BlobInfo blobInfo;
-
-    public String getDiffID() { return diffID; }
-    public void setDiffID(String value) { this.diffID = value; }
-
-    public BlobInfo getBlobInfo() { return blobInfo; }
-    public void setBlobInfo(BlobInfo value) { this.blobInfo = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Result.java b/src/main/java/org/dependencytrack/parser/trivy/model/Result.java
deleted file mode 100644
index deceebe318..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Result.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class Result {
-    private String target;
-    private Vulnerability[] vulnerabilities;
-    private Object[] misconfigurations;
-    private String resultClass;
-    private String type;
-    private Object[] packages;
-    @SerializedName("custom_resources")
-    private Object[] customResources;
-    private Object[] secrets;
-    private Object[] licenses;
-
-    public String getTarget() { return target; }
-    public void setTarget(String value) { this.target = value; }
-
-    public Vulnerability[] getVulnerabilities() { return vulnerabilities; }
-    public void setVulnerabilities(Vulnerability[] value) { this.vulnerabilities = value; }
-
-    public Object[] getMisconfigurations() { return misconfigurations; }
-    public void setMisconfigurations(Object[] value) { this.misconfigurations = value; }
-
-    public String getResultClass() { return resultClass; }
-    public void setResultClass(String value) { this.resultClass = value; }
-
-    public String getType() { return type; }
-    public void setType(String value) { this.type = value; }
-
-    public Object[] getPackages() { return packages; }
-    public void setPackages(Object[] value) { this.packages = value; }
-
-    public Object[] getCustomResources() { return customResources; }
-    public void setCustomResources(Object[] value) { this.customResources = value; }
-
-    public Object[] getSecrets() { return secrets; }
-    public void setSecrets(Object[] value) { this.secrets = value; }
-
-    public Object[] getLicenses() { return licenses; }
-    public void setLicenses(Object[] value) { this.licenses = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/ScanRequest.java b/src/main/java/org/dependencytrack/parser/trivy/model/ScanRequest.java
deleted file mode 100644
index fcd354f9b9..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/ScanRequest.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import com.google.gson.annotations.SerializedName;
-
-public class ScanRequest {
-    private String target;
-    @SerializedName("artifact_id")
-    private String artifactID;
-    @SerializedName("blob_ids")
-    private String[] blobIDS;
-    private Options options;
-
-    public String getTarget() { return target; }
-    public void setTarget(String value) { this.target = value; }
-
-    public String getArtifactID() { return artifactID; }
-    public void setArtifactID(String value) { this.artifactID = value; }
-
-    public String[] getBlobIDS() { return blobIDS; }
-    public void setBlobIDS(String[] value) { this.blobIDS = value; }
-
-    public Options getOptions() { return options; }
-    public void setOptions(Options value) { this.options = value; }
-}
-
-
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/TrivyResponse.java b/src/main/java/org/dependencytrack/parser/trivy/model/TrivyResponse.java
deleted file mode 100644
index cf59f392cc..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/TrivyResponse.java
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-public class TrivyResponse {
-    private OS os;
-    private Result[] results;
-
-    public OS getOS() { return os; }
-    public void setOS(OS value) { this.os = value; }
-
-    public Result[] getResults() { return results; }
-    public void setResults(Result[] value) { this.results = value; }
-}
diff --git a/src/main/java/org/dependencytrack/parser/trivy/model/Vulnerability.java b/src/main/java/org/dependencytrack/parser/trivy/model/Vulnerability.java
deleted file mode 100644
index dfaf420c05..0000000000
--- a/src/main/java/org/dependencytrack/parser/trivy/model/Vulnerability.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- * This file is part of Dependency-Track.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * SPDX-License-Identifier: Apache-2.0
- * Copyright (c) OWASP Foundation. All Rights Reserved.
- */
-package org.dependencytrack.parser.trivy.model;
-
-import java.util.Map;
-
-import com.google.gson.annotations.SerializedName;
-
-public class Vulnerability {
-    @SerializedName("vulnerability_id")
-    private String vulnerabilityID;
-    @SerializedName("pkg_name")
-    private String pkgName;
-    @SerializedName("installed_version")
-    private String installedVersion;
-    @SerializedName("fixed_version")
-    private String fixedVersion;
-    private String title;
-    private String description;
-    private String severity;
-    private String[] references;
-    private Layer layer;
-    @SerializedName("severity_source")
-    private String severitySource;
-    private Map<String, CVSS> cvss;
-    @SerializedName("cwe_ids")
-    private String[] cweIDS;
-    @SerializedName("primary_url")
-    private String primaryURL;
-    @SerializedName("published_date")
-    private String publishedDate;
-    @SerializedName("last_modified_date")
-    private String lastModifiedDate;
-    @SerializedName("custom_advisory_data")
-    private Object customAdvisoryData;
-    @SerializedName("custom_vuln_data")
-    private Object customVulnData;
-    @SerializedName("vendor_ids")
-    private Object[] vendorIDS;
-    @SerializedName("data_source")
-    private DataSource dataSource;
-    @SerializedName("vendor_severity")
-    private Map<String, String> vendorSeverity;
-    @SerializedName("pkg_path")
-    private String pkgPath;
-    @SerializedName("pkg_id")
-    private String pkgID;
-    private long status;
-
-    public String getVulnerabilityID() { return vulnerabilityID; }
-    public void setVulnerabilityID(String value) { this.vulnerabilityID = value; }
-
-    public String getPkgName() { return pkgName; }
-    public void setPkgName(String value) { this.pkgName = value; }
-
-    public String getInstalledVersion() { return installedVersion; }
-    public void setInstalledVersion(String value) { this.installedVersion = value; }
-
-    public String getFixedVersion() { return fixedVersion; }
-    public void setFixedVersion(String value) { this.fixedVersion = value; }
-
-    public String getTitle() { return title; }
-    public void setTitle(String value) { this.title = value; }
-
-    public String getDescription() { return description; }
-    public void setDescription(String value) { this.description = value; }
-
-    public String getSeverity() { return severity; }
-    public void setSeverity(String value) { this.severity = value; }
-
-    public String[] getReferences() { return references; }
-    public void setReferences(String[] value) { this.references = value; }
-
-    public Layer getLayer() { return layer; }
-    public void setLayer(Layer value) { this.layer = value; }
-
-    public String getSeveritySource() { return severitySource; }
-    public void setSeveritySource(String value) { this.severitySource = value; }
-
-    public Map<String, CVSS> getCvss() { return cvss; }
-    public void setCvss(Map<String, CVSS> value) { this.cvss = value; }
-
-    public String[] getCweIDS() { return cweIDS; }
-    public void setCweIDS(String[] value) { this.cweIDS = value; }
-
-    public String getPrimaryURL() { return primaryURL; }
-    public void setPrimaryURL(String value) { this.primaryURL = value; }
-
-    public String getPublishedDate() { return publishedDate; }
-    public void setPublishedDate(String value) { this.publishedDate = value; }
-
-    public String getLastModifiedDate() { return lastModifiedDate; }
-    public void setLastModifiedDate(String value) { this.lastModifiedDate = value; }
-
-    public Object getCustomAdvisoryData() { return customAdvisoryData; }
-    public void setCustomAdvisoryData(Object value) { this.customAdvisoryData = value; }
-
-    public Object getCustomVulnData() { return customVulnData; }
-    public void setCustomVulnData(Object value) { this.customVulnData = value; }
-
-    public Object[] getVendorIDS() { return vendorIDS; }
-    public void setVendorIDS(Object[] value) { this.vendorIDS = value; }
-
-    public DataSource getDataSource() { return dataSource; }
-    public void setDataSource(DataSource value) { this.dataSource = value; }
-
-    public Map<String, String> getVendorSeverity() { return vendorSeverity; }
-    public void setVendorSeverity(Map<String, String> value) { this.vendorSeverity = value; }
-
-    public String getPkgPath() { return pkgPath; }
-    public void setPkgPath(String value) { this.pkgPath = value; }
-
-    public String getPkgID() { return pkgID; }
-    public void setPkgID(String value) { this.pkgID = value; }
-
-    public long getStatus() { return status; }
-    public void setStatus(long value) { this.status = value; }
-}
\ No newline at end of file
diff --git a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
index 0a07573df0..9ea48954a8 100644
--- a/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
+++ b/src/main/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTask.java
@@ -26,19 +26,18 @@
 import alpine.event.framework.Subscriber;
 import alpine.model.ConfigProperty;
 import com.github.packageurl.PackageURL;
-import com.google.gson.Gson;
+import com.google.protobuf.Message;
 import io.github.resilience4j.micrometer.tagged.TaggedRetryMetrics;
 import io.github.resilience4j.retry.Retry;
 import io.github.resilience4j.retry.RetryConfig;
 import io.github.resilience4j.retry.RetryRegistry;
 import org.apache.commons.codec.digest.DigestUtils;
+import org.apache.hc.core5.http.HttpStatus;
 import org.apache.http.HttpHeaders;
-import org.apache.http.HttpStatus;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.methods.HttpUriRequest;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.util.EntityUtils;
+import org.apache.http.entity.ByteArrayEntity;
 import org.dependencytrack.common.HttpClientPool;
 import org.dependencytrack.common.ManagedHttpClientFactory;
 import org.dependencytrack.event.IndexEvent;
@@ -50,25 +49,23 @@
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.VulnerabilityAnalysisLevel;
 import org.dependencytrack.parser.trivy.TrivyParser;
-import org.dependencytrack.parser.trivy.model.Application;
-import org.dependencytrack.parser.trivy.model.BlobInfo;
-import org.dependencytrack.parser.trivy.model.DeleteRequest;
-import org.dependencytrack.parser.trivy.model.OS;
-import org.dependencytrack.parser.trivy.model.Options;
-import org.dependencytrack.parser.trivy.model.Package;
-import org.dependencytrack.parser.trivy.model.PackageInfo;
 import org.dependencytrack.parser.trivy.model.PurlType;
-import org.dependencytrack.parser.trivy.model.PutRequest;
-import org.dependencytrack.parser.trivy.model.Result;
-import org.dependencytrack.parser.trivy.model.ScanRequest;
-import org.dependencytrack.parser.trivy.model.TrivyResponse;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.DebugDataEncryption;
 import org.dependencytrack.util.NotificationUtil;
+import trivy.proto.cache.v1.BlobInfo;
+import trivy.proto.cache.v1.DeleteBlobsRequest;
+import trivy.proto.cache.v1.PutBlobRequest;
+import trivy.proto.common.Application;
+import trivy.proto.common.OS;
+import trivy.proto.common.Package;
+import trivy.proto.common.PackageInfo;
+import trivy.proto.scanner.v1.Result;
+import trivy.proto.scanner.v1.ScanOptions;
+import trivy.proto.scanner.v1.ScanResponse;
 
-import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -78,6 +75,8 @@
 import static org.dependencytrack.common.ConfigKey.TRIVY_RETRY_BACKOFF_MAX_DURATION_MS;
 import static org.dependencytrack.common.ConfigKey.TRIVY_RETRY_BACKOFF_MULTIPLIER;
 import static org.dependencytrack.common.ConfigKey.TRIVY_RETRY_MAX_ATTEMPTS;
+import static org.dependencytrack.model.ConfigPropertyConstants.SCANNER_TRIVY_BASE_URL;
+import static org.dependencytrack.model.ConfigPropertyConstants.SCANNER_TRIVY_ENABLED;
 import static org.dependencytrack.util.RetryUtil.logRetryEventWith;
 import static org.dependencytrack.util.RetryUtil.maybeClosePreviousResult;
 import static org.dependencytrack.util.RetryUtil.withExponentialBackoff;
@@ -118,71 +117,61 @@ public class TrivyAnalysisTask extends BaseComponentAnalyzerTask implements Cach
                 .bindTo(Metrics.getRegistry());
     }
 
-    private final Gson gson = new Gson();
     private String apiBaseUrl;
     private String apiToken;
     private VulnerabilityAnalysisLevel vulnerabilityAnalysisLevel;
 
-    /**
-     * {@inheritDoc}
-     */
     @Override
     public void inform(final Event e) {
-        if (e instanceof final TrivyAnalysisEvent event) {
-            if (!super.isEnabled(ConfigPropertyConstants.SCANNER_TRIVY_ENABLED)) {
+        if (!(e instanceof final TrivyAnalysisEvent event)
+                || !super.isEnabled(SCANNER_TRIVY_ENABLED)) {
+            return;
+        }
+
+        try (final var qm = new QueryManager()) {
+            final ConfigProperty apiTokenProperty = qm.getConfigProperty(
+                    ConfigPropertyConstants.SCANNER_TRIVY_API_TOKEN.getGroupName(),
+                    ConfigPropertyConstants.SCANNER_TRIVY_API_TOKEN.getPropertyName());
+
+            if (apiTokenProperty == null || apiTokenProperty.getPropertyValue() == null) {
+                LOGGER.warn("No API token provided; Skipping");
+                return;
+            }
+            if (getApiBaseUrl().isEmpty()) {
+                LOGGER.warn("No API base URL provided; Skipping");
                 return;
             }
-            try (QueryManager qm = new QueryManager()) {
-                final ConfigProperty apiTokenProperty = qm.getConfigProperty(
-                        ConfigPropertyConstants.SCANNER_TRIVY_API_TOKEN.getGroupName(),
-                        ConfigPropertyConstants.SCANNER_TRIVY_API_TOKEN.getPropertyName()
-                );
-
-                if (apiTokenProperty == null || apiTokenProperty.getPropertyValue() == null) {
-                    LOGGER.warn("No API token provided; Skipping");
-                    return;
-                }
-                if (getApiBaseUrl().isEmpty()) {
-                    LOGGER.warn("No API base URL provided; Skipping");
-                    return;
-                }
 
-                apiBaseUrl = getApiBaseUrl().get();
+            apiBaseUrl = getApiBaseUrl().get();
 
-                try {
-                    apiToken = DebugDataEncryption.decryptAsString(apiTokenProperty.getPropertyValue());
-                } catch (Exception ex) {
-                    LOGGER.error("An error occurred decrypting the Trivy API token; Skipping", ex);
-                    return;
-                }
-            }
-            vulnerabilityAnalysisLevel = event.getVulnerabilityAnalysisLevel();
-            LOGGER.info("Starting Trivy vulnerability analysis task");
-            if (!event.getComponents().isEmpty()) {
-                analyze(event.getComponents());
+            try {
+                apiToken = DebugDataEncryption.decryptAsString(apiTokenProperty.getPropertyValue());
+            } catch (Exception ex) {
+                LOGGER.error("An error occurred decrypting the Trivy API token; Skipping", ex);
+                return;
             }
-            LOGGER.info("Trivy vulnerability analysis complete");
         }
+
+        vulnerabilityAnalysisLevel = event.getVulnerabilityAnalysisLevel();
+        LOGGER.info("Starting Trivy vulnerability analysis task");
+        if (!event.getComponents().isEmpty()) {
+            analyze(event.getComponents());
+        }
+        LOGGER.info("Trivy vulnerability analysis complete");
     }
 
-    /**
-     * {@inheritDoc}
-     */
     @Override
     public AnalyzerIdentity getAnalyzerIdentity() {
         return AnalyzerIdentity.TRIVY_ANALYZER;
     }
 
-    /**
-     * {@inheritDoc}
-     */
     @Override
     public boolean isCapable(Component component) {
         final boolean hasValidPurl = component.getPurl() != null
-                                     && component.getPurl().getScheme() != null
-                                     && component.getPurl().getType() != null
-                                     && component.getPurl().getName() != null
-                                     && component.getPurl().getVersion() != null;
+                && component.getPurl().getScheme() != null
+                && component.getPurl().getType() != null
+                && component.getPurl().getName() != null
+                && component.getPurl().getVersion() != null;
 
         if (!hasValidPurl && component.getPurl() == null) {
             LOGGER.debug("isCapable: purl is null for component %s".formatted(component));
@@ -191,7 +180,7 @@ public boolean isCapable(Component component) {
         }
 
         return (hasValidPurl && !PurlType.Constants.UNKNOWN.equals(PurlType.getApp(component.getPurl().getType())))
-               || component.getClassifier() == Classifier.OPERATING_SYSTEM;
+                || component.getClassifier() == Classifier.OPERATING_SYSTEM;
     }
 
     /**
@@ -199,8 +188,8 @@ public boolean isCapable(Component component) {
      */
     @Override
     public void analyze(final List<Component> components) {
-        final var pkgs = new HashMap<String, PackageInfo>();
-        final var apps = new HashMap<String, Application>();
+        final var pkgs = new HashMap<String, PackageInfo.Builder>();
+        final var apps = new HashMap<String, Application.Builder>();
         final var os = new HashMap<String, OS>();
         final var map = new HashMap<String, Component>();
 
@@ -216,14 +205,18 @@ public void analyze(final List<Component> components) {
 
                 if (!PurlType.UNKNOWN.getAppType().equals(appType)) {
                     if (!PurlType.Constants.PACKAGES.equals(appType)) {
-                        final Application app = apps.computeIfAbsent(appType, Application::new);
+                        final Application.Builder app = apps.computeIfAbsent(appType, Application.newBuilder()::setType);
                         final String key = name + ":" + component.getVersion();
 
                         LOGGER.debug("Add key %s to map".formatted(key));
                         map.put(key, component);
 
                         LOGGER.debug("add library %s".formatted(component.toString()));
-                        app.addPackage(new Package(name, component.getVersion(), null, null, null, null, null));
+                        app.addPackages(Package.newBuilder()
+                                .setName(name)
+                                .setVersion(component.getVersion())
+                                .setSrcName(name)
+                                .setSrcVersion(component.getVersion()));
                     } else {
                         String srcName = null;
                         String srcVersion = null;
@@ -269,7 +262,7 @@ public void analyze(final List<Component> components) {
                             }
                         }
 
-                        final PackageInfo pkg = pkgs.computeIfAbsent(pkgType, ignored -> new PackageInfo());
+                        final PackageInfo.Builder pkg = pkgs.computeIfAbsent(pkgType, ignored -> PackageInfo.newBuilder());
 
                         versionKey += component.getVersion();
                         final String key = name + ":" + versionKey;
@@ -277,46 +270,56 @@ public void analyze(final List<Component> components) {
                         LOGGER.debug("Add key %s to map".formatted(key));
                         map.put(key, component);
                         LOGGER.debug("add package %s".formatted(component.toString()));
-                        pkg.addPackage(new Package(component.getName(), component.getVersion(), arch != null ? arch : "x86_64", epoch, srcName, srcVersion, srcRelease));
+                        final Package.Builder packageBuilder = Package.newBuilder()
+                                .setName(component.getName())
+                                .setVersion(component.getVersion())
+                                .setArch(arch != null ? arch : "x86_64")
+                                .setSrcName(srcName != null ? srcName : component.getName())
+                                .setSrcVersion(srcVersion != null ? srcVersion : component.getVersion());
+                        Optional.ofNullable(srcRelease).ifPresent(packageBuilder::setSrcRelease);
+                        Optional.ofNullable(epoch).ifPresent(packageBuilder::setEpoch);
+                        pkg.addPackages(packageBuilder);
                     }
                 }
 
             } else if (component.getClassifier() == Classifier.OPERATING_SYSTEM) {
                 LOGGER.debug("add operative system %s".formatted(component.toString()));
                 var key = "%s-%s".formatted(component.getName(), component.getVersion());
-                os.put(key, new OS(component.getName(), component.getVersion()));
+                os.put(key, OS.newBuilder().setFamily(component.getName()).setName(component.getVersion()).build());
             }
         }
 
         final var infos = new ArrayList<BlobInfo>();
 
         if (!apps.isEmpty()) {
-            var info = new BlobInfo();
-            info.setApplications(apps.values().toArray(new Application[]{}));
-            infos.add(info);
+            infos.add(BlobInfo.newBuilder()
+                    .setSchemaVersion(2)
+                    .addAllApplications(apps.values().stream()
+                            .map(Application.Builder::build)
+                            .toList())
+                    .build());
         }
 
         pkgs.forEach((key, value) -> {
-            var info = new BlobInfo();
-            info.setPackageInfos(new PackageInfo[]{value});
+            final BlobInfo.Builder builder = BlobInfo.newBuilder()
+                    .setSchemaVersion(2)
+                    .addPackageInfos(value);
+
             LOGGER.debug("looking for os %s".formatted(key));
             if (os.get(key) != null) {
-                info.setOS(os.get(key));
+                builder.setOs(os.get(key));
             }
-            infos.add(info);
+            infos.add(builder.build());
         });
 
         try {
-            final var results = analyzeBlob(infos.toArray(new BlobInfo[]{}));
+            final var results = analyzeBlob(infos);
             handleResults(map, results);
         } catch (Throwable ex) {
             handleRequestException(LOGGER, ex);
         }
     }
 
-    /**
-     * {@inheritDoc}
-     */
     @Override
     public boolean shouldAnalyze(final PackageURL packageUrl) {
         return getApiBaseUrl()
@@ -324,9 +327,6 @@ public boolean shouldAnalyze(final PackageURL packageUrl) {
                 .orElse(false);
     }
 
-    /**
-     * {@inheritDoc}
-     */
     @Override
     public void applyAnalysisFromCache(final Component component) {
         getApiBaseUrl().ifPresent(baseUrl ->
@@ -336,8 +336,8 @@ public void applyAnalysisFromCache(final Component component) {
 
     private void handleResults(final Map<String, Component> components, final ArrayList<Result> input) {
         for (final Result result : input) {
-            for (int idx = 0; idx < result.getVulnerabilities().length; idx++) {
-                var vulnerability = result.getVulnerabilities()[idx];
+            for (int idx = 0; idx < result.getVulnerabilitiesCount(); idx++) {
+                var vulnerability = result.getVulnerabilities(idx);
                 var key = vulnerability.getPkgName() + ":" + vulnerability.getInstalledVersion();
                 LOGGER.debug("Searching key %s in map".formatted(key));
                 if (!super.isEnabled(ConfigPropertyConstants.SCANNER_TRIVY_IGNORE_UNFIXED) || vulnerability.getStatus() == 3) {
@@ -347,24 +347,23 @@ private void handleResults(final Map<String, Component> components, final ArrayL
         }
     }
 
-    private ArrayList<Result> analyzeBlob(final BlobInfo[] blobs) {
+    private ArrayList<Result> analyzeBlob(final Collection<BlobInfo> blobs) {
         final var output = new ArrayList<Result>();
 
         for (final BlobInfo info : blobs) {
+            final PutBlobRequest putBlobRequest = PutBlobRequest.newBuilder()
+                    .setBlobInfo(info)
+                    .setDiffId("sha256:" + DigestUtils.sha256Hex(java.util.UUID.randomUUID().toString()))
+                    .build();
 
-            var blob = new PutRequest();
-            blob.setBlobInfo(info);
-
-            String hash = DigestUtils.sha256Hex(java.util.UUID.randomUUID().toString());
-            blob.setDiffID("sha256:" + hash);
-
-            if (putBlob(blob)) {
-                var response = scanBlob(blob);
+            if (putBlob(putBlobRequest)) {
+                final ScanResponse response = scanBlob(putBlobRequest);
                 if (response != null) {
                     LOGGER.debug("received response from trivy");
-                    output.addAll(Arrays.asList(response.getResults()));
+                    output.addAll(response.getResultsList());
                 }
-                deleteBlob(blob);
+
+                deleteBlob(putBlobRequest);
             }
         }
 
@@ -372,26 +371,25 @@ private ArrayList<Result> analyzeBlob(final BlobInfo[] blobs) {
     }
 
 
-    private HttpUriRequest buildRequest(final String url, Object input) {
+    private <T extends Message> HttpUriRequest buildRequest(final String url, final T input) {
         final var request = new HttpPost(url);
-
-        final var body = new StringEntity(gson.toJson(input), StandardCharsets.UTF_8);
-        request.setEntity(body);
+        request.setHeader(HttpHeaders.ACCEPT, "application/protobuf");
+        request.setHeader(HttpHeaders.CONTENT_TYPE, "application/protobuf");
+        request.setHeader(HttpHeaders.USER_AGENT, ManagedHttpClientFactory.getUserAgent());
+        request.setHeader(TOKEN_HEADER, apiToken);
+        request.setEntity(new ByteArrayEntity(input.toByteArray()));
 
         if (LOGGER.isDebugEnabled()) {
-            LOGGER.debug("Request: " + gson.toJson(input));
+            LOGGER.debug("Request: " + input);
         }
 
-        request.setHeader(HttpHeaders.USER_AGENT, ManagedHttpClientFactory.getUserAgent());
-        request.setHeader(TOKEN_HEADER, apiToken);
-        request.setHeader(HttpHeaders.CONTENT_TYPE, "application/json");
-
         return request;
     }
 
-    private boolean putBlob(PutRequest input) {
-        final String requestUrl = "%s/twirp/trivy.cache.v1.Cache/PutBlob".formatted(apiBaseUrl);
-        final HttpUriRequest request = buildRequest(requestUrl, input);
+    private boolean putBlob(final PutBlobRequest putBlobRequest) {
+        final HttpUriRequest request = buildRequest(
+                "%s/twirp/trivy.cache.v1.Cache/PutBlob".formatted(apiBaseUrl),
+                putBlobRequest);
 
         try (final CloseableHttpResponse response = RETRY.executeCheckedSupplier(() -> HttpClientPool.getClient().execute(request))) {
             final int statusCode = response.getStatusLine().getStatusCode();
@@ -405,33 +403,31 @@ private boolean putBlob(PutRequest input) {
     }
 
 
-    private TrivyResponse scanBlob(PutRequest input) {
-        final String requestUrl = "%s/twirp/trivy.scanner.v1.Scanner/Scan".formatted(apiBaseUrl);
-
-        final var scan = new ScanRequest();
-        scan.setTarget(input.getDiffID());
-        scan.setArtifactID(input.getDiffID());
-        scan.setBlobIDS(new String[]{input.getDiffID()});
-
-        final var opts = new Options();
-        opts.setPkgTypes(new String[]{"os", "library"});
-        opts.setScanners(new String[]{"vuln"});
-
-        scan.setOptions(opts);
+    private ScanResponse scanBlob(final PutBlobRequest putBlobRequest) {
+        final var scanRequest = trivy.proto.scanner.v1.ScanRequest.newBuilder()
+                .setTarget(putBlobRequest.getDiffId())
+                .setArtifactId(putBlobRequest.getDiffId())
+                .addBlobIds(putBlobRequest.getDiffId())
+                .setOptions(ScanOptions.newBuilder()
+                        .addAllPkgTypes(List.of("os", "library"))
+                        .addScanners("vuln"))
+                .build();
 
-        final HttpUriRequest request = buildRequest(requestUrl, scan);
+        final HttpUriRequest request = buildRequest(
+                "%s/twirp/trivy.scanner.v1.Scanner/Scan".formatted(apiBaseUrl),
+                scanRequest);
 
         try (final CloseableHttpResponse response = RETRY.executeCheckedSupplier(() -> HttpClientPool.getClient().execute(request))) {
-            if (response.getStatusLine().getStatusCode() >= HttpStatus.SC_OK && response.getStatusLine().getStatusCode() < HttpStatus.SC_MULTIPLE_CHOICES) {
-                final String responseString = EntityUtils.toString(response.getEntity());
-                final TrivyResponse trivyResponse = gson.fromJson(responseString, TrivyResponse.class);
+            if (response.getStatusLine().getStatusCode() >= HttpStatus.SC_OK
+                    && response.getStatusLine().getStatusCode() < HttpStatus.SC_MULTIPLE_CHOICES) {
+                final var scanResponse = ScanResponse.parseFrom(response.getEntity().getContent());
 
                 if (LOGGER.isDebugEnabled()) {
                     LOGGER.debug("Scan response: " + response.getStatusLine().getStatusCode());
-                    LOGGER.debug("Response from server: " + responseString);
+                    LOGGER.debug("Response from server: " + scanResponse);
                 }
 
-                return trivyResponse;
+                return scanResponse;
             } else {
                 handleUnexpectedHttpResponse(LOGGER, request.getURI().toString(), response.getStatusLine().getStatusCode(), response.getStatusLine().getReasonPhrase());
             }
@@ -442,12 +438,14 @@ private TrivyResponse scanBlob(PutRequest input) {
         return null;
     }
 
-    private void deleteBlob(PutRequest input) {
-        final String requestUrl = "%s/twirp/trivy.cache.v1.Cache/DeleteBlobs".formatted(apiBaseUrl);
-        final var delete = new DeleteRequest();
-        delete.setBlobIDS(new String[]{input.getDiffID()});
+    private void deleteBlob(final PutBlobRequest putBlobRequest) {
+        final var deleteBlobRequest = DeleteBlobsRequest.newBuilder()
+                .addBlobIds(putBlobRequest.getDiffId())
+                .build();
 
-        final HttpUriRequest request = buildRequest(requestUrl, delete);
+        final HttpUriRequest request = buildRequest(
+                "%s/twirp/trivy.cache.v1.Cache/DeleteBlobs".formatted(apiBaseUrl),
+                deleteBlobRequest);
         try (final CloseableHttpResponse response = RETRY.executeCheckedSupplier(() -> HttpClientPool.getClient().execute(request))) {
             LOGGER.debug("DeleteBlob response: " + response.getStatusLine().getStatusCode());
         } catch (Throwable ex) {
@@ -455,7 +453,7 @@ private void deleteBlob(PutRequest input) {
         }
     }
 
-    private void handle(final Component component, final org.dependencytrack.parser.trivy.model.Vulnerability data) {
+    private void handle(final Component component, final trivy.proto.common.Vulnerability data) {
         if (component == null) {
             LOGGER.error("Unable to handle null component");
             return;
@@ -497,9 +495,8 @@ private Optional<String> getApiBaseUrl() {
 
         try (final var qm = new QueryManager()) {
             final ConfigProperty property = qm.getConfigProperty(
-                    ConfigPropertyConstants.SCANNER_TRIVY_BASE_URL.getGroupName(),
-                    ConfigPropertyConstants.SCANNER_TRIVY_BASE_URL.getPropertyName()
-            );
+                    SCANNER_TRIVY_BASE_URL.getGroupName(),
+                    SCANNER_TRIVY_BASE_URL.getPropertyName());
             if (property == null) {
                 return Optional.empty();
             }
diff --git a/src/main/proto/trivy/cache/v1/service.proto b/src/main/proto/trivy/cache/v1/service.proto
new file mode 100644
index 0000000000..1a1bbed1db
--- /dev/null
+++ b/src/main/proto/trivy/cache/v1/service.proto
@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+package trivy.cache.v1;
+option  go_package = "github.com/aquasecurity/trivy/rpc/cache;cache";
+option java_multiple_files = true;
+option java_package = "trivy.proto.cache.v1";
+
+import "google/protobuf/timestamp.proto";
+import "trivy/common/service.proto";
+import "google/protobuf/empty.proto";
+
+service Cache {
+  rpc PutArtifact(PutArtifactRequest) returns (google.protobuf.Empty);
+  rpc PutBlob(PutBlobRequest) returns (google.protobuf.Empty);
+  rpc MissingBlobs(MissingBlobsRequest) returns (MissingBlobsResponse);
+  rpc DeleteBlobs(DeleteBlobsRequest) returns (google.protobuf.Empty);
+}
+
+message ArtifactInfo {
+  int32                     schema_version = 1;
+  string                    architecture   = 2;
+  google.protobuf.Timestamp created        = 3;
+  string                    docker_version = 4;
+  string                    os             = 5;
+  repeated common.Package history_packages = 6;
+}
+
+message PutArtifactRequest {
+  string       artifact_id   = 1;
+  ArtifactInfo artifact_info = 2;
+}
+
+message BlobInfo {
+  int32             schema_version                   = 1;
+  common.OS         os                               = 2;
+  common.Repository repository                       = 11;
+  repeated common.PackageInfo package_infos          = 3;
+  repeated common.Application applications           = 4;
+  repeated common.Misconfiguration misconfigurations = 9;
+  repeated string                  opaque_dirs       = 5;
+  repeated string                  whiteout_files    = 6;
+  string                           digest            = 7;
+  string                           diff_id           = 8;
+  repeated common.CustomResource custom_resources    = 10;
+  repeated common.Secret secrets                     = 12;
+  repeated common.LicenseFile licenses               = 13;
+}
+
+message PutBlobRequest {
+  string   diff_id   = 1;
+  BlobInfo blob_info = 3;
+}
+
+message PutResponse {
+  common.OS os   = 1;
+  bool      eosl = 2;
+}
+
+message MissingBlobsRequest {
+  string          artifact_id = 1;
+  repeated string blob_ids    = 2;
+}
+
+message MissingBlobsResponse {
+  bool            missing_artifact = 1;
+  repeated string missing_blob_ids = 2;
+}
+
+message DeleteBlobsRequest {
+  repeated string blob_ids = 1;
+}
\ No newline at end of file
diff --git a/src/main/proto/trivy/common/service.proto b/src/main/proto/trivy/common/service.proto
new file mode 100644
index 0000000000..bcfdcc33ea
--- /dev/null
+++ b/src/main/proto/trivy/common/service.proto
@@ -0,0 +1,271 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package trivy.common;
+option  go_package = "github.com/aquasecurity/trivy/rpc/common;common";
+option java_multiple_files = true;
+option java_package = "trivy.proto.common";
+
+import "google/protobuf/struct.proto";
+
+message OS {
+  string family   = 1;
+  string name     = 2;
+  bool   eosl     = 3;
+  bool   extended = 4;
+}
+
+message Repository {
+  string family  = 1;
+  string release = 2;
+}
+
+message PackageInfo {
+  string           file_path = 1;
+  repeated Package packages  = 2;
+}
+
+message Application {
+  string           type      = 1;
+  string           file_path = 2;
+  repeated Package packages  = 3;
+}
+
+message Package {
+  // binary package
+  // e.g. bind-utils
+  string        id         = 13;
+  string        name       = 1;
+  string        version    = 2;
+  string        release    = 3;
+  int32         epoch      = 4;
+  PkgIdentifier identifier = 19;
+  string        arch       = 5;
+  // src package containing some binary packages
+  // e.g. bind
+  string            src_name    = 6;
+  string            src_version = 7;
+  string            src_release = 8;
+  int32             src_epoch   = 9;
+  repeated string   licenses    = 15;
+  repeated Location locations   = 20;
+  Layer             layer       = 11;
+  string            file_path   = 12;
+  repeated string   depends_on  = 14;
+  string            digest      = 16;
+  bool              dev         = 17;
+  bool              indirect    = 18;
+}
+
+message PkgIdentifier {
+  string purl    = 1;
+  string bom_ref = 2;
+  string uid     = 3;
+}
+
+message Location {
+  int32 start_line = 1;
+  int32 end_line   = 2;
+}
+
+message Misconfiguration {
+  string                 file_type  = 1;
+  string                 file_path  = 2;
+  repeated MisconfResult successes  = 3;
+  repeated MisconfResult warnings   = 4;
+  repeated MisconfResult failures   = 5;
+  repeated MisconfResult exceptions = 6;
+}
+
+message MisconfResult {
+  string namespace = 1;
+  string message   = 2;
+  reserved 3 to 6;
+  reserved "type", "id", "title", "severity";
+  PolicyMetadata policy_metadata = 7;
+  CauseMetadata  cause_metadata  = 8;
+}
+
+message PolicyMetadata {
+  string          id                  = 1;
+  string          adv_id              = 2;
+  string          type                = 3;
+  string          title               = 4;
+  string          description         = 5;
+  string          severity            = 6;
+  string          recommended_actions = 7;
+  repeated string references          = 8;
+}
+
+message DetectedMisconfiguration {
+  string type                    = 1;
+  string id                      = 2;
+  string title                   = 3;
+  string description             = 4;
+  string message                 = 5;
+  string namespace               = 6;
+  string          resolution     = 7;
+  Severity        severity       = 8;
+  string          primary_url    = 9;
+  repeated string references     = 10;
+  string          status         = 11;
+  Layer           layer          = 12;
+  CauseMetadata   cause_metadata = 13;
+  string          avd_id         = 14;
+  string          query          = 15;
+}
+
+message Vulnerability {
+  string                    vulnerability_id     = 1;
+  string                    pkg_name             = 2;
+  string                    installed_version    = 3;
+  string                    fixed_version        = 4;
+  string                    title                = 5;
+  string                    description          = 6;
+  Severity                  severity             = 7;
+  repeated string           references           = 8;
+  PkgIdentifier             pkg_identifier       = 25;
+  Layer                     layer                = 10;
+  string                    severity_source      = 11;
+  map<string, CVSS>         cvss                 = 12;
+  repeated string           cwe_ids              = 13;
+  string                    primary_url          = 14;
+  google.protobuf.Timestamp published_date       = 15;
+  google.protobuf.Timestamp last_modified_date   = 16;
+  google.protobuf.Value     custom_advisory_data = 17;
+  google.protobuf.Value     custom_vuln_data     = 18;
+  repeated string           vendor_ids           = 19;
+  DataSource                data_source          = 20;
+  map<string, Severity>     vendor_severity      = 21;
+  string                    pkg_path             = 22;
+  string                    pkg_id               = 23;
+  int32                     status               = 24;
+}
+
+message DataSource {
+  string id   = 1;
+  string name = 2;
+  string url  = 3;
+}
+
+message Layer {
+  string digest     = 1;
+  string diff_id    = 2;
+  string created_by = 3;
+}
+
+message CauseMetadata {
+  string resource   = 1;
+  string provider   = 2;
+  string service    = 3;
+  int32  start_line = 4;
+  int32  end_line   = 5;
+  Code   code       = 6;
+}
+
+enum Severity {
+  UNKNOWN  = 0;
+  LOW      = 1;
+  MEDIUM   = 2;
+  HIGH     = 3;
+  CRITICAL = 4;
+}
+
+message CVSS {
+  string v2_vector = 1;
+  string v3_vector = 2;
+  double v2_score  = 3;
+  double v3_score  = 4;
+}
+
+message CustomResource {
+  string                type      = 1;
+  string                file_path = 2;
+  Layer                 layer     = 3;
+  google.protobuf.Value data      = 4;
+}
+
+message Line {
+  int32  number      = 1;
+  string content     = 2;
+  bool   is_cause    = 3;
+  string annotation  = 4;
+  bool   truncated   = 5;
+  string highlighted = 6;
+  bool   first_cause = 7;
+  bool   last_cause  = 8;
+}
+
+message Code {
+  repeated Line lines = 1;
+}
+
+message SecretFinding {
+  string rule_id    = 1;
+  string category   = 2;
+  string severity   = 3;
+  string title      = 4;
+  int32  start_line = 5;
+  int32  end_line   = 6;
+  Code   code       = 7;
+  string match      = 8;
+  Layer  layer      = 10;
+
+  reserved 9;  // deprecated 'deleted'
+}
+
+message Secret {
+  string                 filepath = 1;
+  repeated SecretFinding findings = 2;
+}
+
+message DetectedLicense {
+  Severity             severity   = 1;
+  LicenseCategory.Enum category   = 2;
+  string               pkg_name   = 3;
+  string               file_path  = 4;
+  string               name       = 5;
+  float                confidence = 6;
+  string               link       = 7;
+}
+
+message LicenseFile {
+  LicenseType.Enum        license_type = 1;
+  string                  file_path    = 2;
+  string                  pkg_name     = 3;
+  repeated LicenseFinding fingings     = 4;
+  Layer                   layer        = 5;
+}
+
+message LicenseFinding {
+  LicenseCategory.Enum category   = 1;
+  string               name       = 2;
+  float                confidence = 3;
+  string               link       = 4;
+}
+
+// Enumerations are wrapped with a message to improve the readability of
+// enumerations in generated code and avoid name conflicts.
+// https://github.com/golang/protobuf/issues/513
+message LicenseCategory {
+  enum Enum {
+    UNSPECIFIED  = 0;
+    FORBIDDEN    = 1;
+    RESTRICTED   = 2;
+    RECIPROCAL   = 3;
+    NOTICE       = 4;
+    PERMISSIVE   = 5;
+    UNENCUMBERED = 6;
+    UNKNOWN      = 7;
+  }
+}
+
+message LicenseType {
+  enum Enum {
+    UNSPECIFIED  = 0;
+    DPKG         = 1;
+    HEADER       = 2;
+    LICENSE_FILE = 3;
+  }
+}
\ No newline at end of file
diff --git a/src/main/proto/trivy/scanner/v1/service.proto b/src/main/proto/trivy/scanner/v1/service.proto
new file mode 100644
index 0000000000..f52e35357b
--- /dev/null
+++ b/src/main/proto/trivy/scanner/v1/service.proto
@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+package trivy.scanner.v1;
+option  go_package = "github.com/aquasecurity/trivy/rpc/scanner;scanner";
+option java_multiple_files = true;
+option java_package = "trivy.proto.scanner.v1";
+
+import "trivy/common/service.proto";
+
+service Scanner {
+  rpc Scan(ScanRequest) returns (ScanResponse);
+}
+
+message ScanRequest {
+  string          target      = 1;  // image name or tar file path
+  string          artifact_id = 2;
+  repeated string blob_ids    = 3;
+  ScanOptions     options     = 4;
+}
+
+// cf.
+// https://stackoverflow.com/questions/38886789/protobuf3-how-to-describe-map-of-repeated-string
+message Licenses {
+  repeated string names = 1;
+}
+
+message ScanOptions {
+  repeated string       pkg_types          = 1;
+  repeated string       scanners           = 2;
+  map<string, Licenses> license_categories = 4;
+  bool                  include_dev_deps   = 5;
+  repeated string       pkg_relationships  = 6;
+
+  reserved 3;  // deleted 'list_all_packages'
+}
+
+message ScanResponse {
+  common.OS       os      = 1;
+  repeated Result results = 3;
+}
+
+// Result is the same as github.com/aquasecurity/trivy/pkg/report.Result
+message Result {
+  string   target                                            = 1;
+  repeated common.Vulnerability vulnerabilities              = 2;
+  repeated common.DetectedMisconfiguration misconfigurations = 4;
+  string class                                               = 6;
+  string   type                                              = 3;
+  repeated common.Package packages                           = 5;
+  repeated common.CustomResource custom_resources            = 7;
+  repeated common.SecretFinding secrets                      = 8;
+  repeated common.DetectedLicense licenses                   = 9;
+}
\ No newline at end of file
diff --git a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java
index 9ef8abf723..9138cd1eac 100644
--- a/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java
+++ b/src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java
@@ -27,7 +27,7 @@
 import com.github.packageurl.PackageURL;
 import com.github.tomakehurst.wiremock.http.Fault;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
-import jakarta.json.Json;
+import com.google.protobuf.util.Timestamps;
 import org.assertj.core.api.SoftAssertions;
 import org.dependencytrack.PersistenceCapableTest;
 import org.dependencytrack.common.ManagedHttpClientFactory;
@@ -44,7 +44,14 @@
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
+import trivy.proto.common.CVSS;
+import trivy.proto.common.DataSource;
+import trivy.proto.common.PkgIdentifier;
+import trivy.proto.scanner.v1.Result;
+import trivy.proto.scanner.v1.ScanResponse;
 
+import jakarta.json.Json;
+import java.text.ParseException;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
@@ -54,7 +61,6 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.any;
 import static com.github.tomakehurst.wiremock.client.WireMock.anyUrl;
 import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
-import static com.github.tomakehurst.wiremock.client.WireMock.equalToJson;
 import static com.github.tomakehurst.wiremock.client.WireMock.exactly;
 import static com.github.tomakehurst.wiremock.client.WireMock.post;
 import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
@@ -161,14 +167,11 @@ public void testShouldAnalyzeWhenCacheIsNotCurrent() throws Exception {
     }
 
     @Test
-    public void testAnalyzeWithRetry() {
+    public void testAnalyzeWithRetry() throws ParseException {
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/PutBlob"))
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {}
-                                """)));
+                        .withHeader("Content-Type", "application/protobuf")));
 
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.scanner.v1.Scanner/Scan"))
                 .inScenario("scanRequestWithGatewayTimeout")
@@ -188,114 +191,79 @@ public void testAnalyzeWithRetry() {
                 .whenScenarioStateIs("thirdAttempt")
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {
-                                  "os": {
-                                    "family": "",
-                                    "name": "",
-                                    "eosl": false,
-                                    "extended": false
-                                  },
-                                  "results": [
-                                    {
-                                      "target": "Java",
-                                      "vulnerabilities": [
-                                        {
-                                          "vulnerability_id": "CVE-2022-40152",
-                                          "pkg_name": "com.fasterxml.woodstox:woodstox-core",
-                                          "installed_version": "5.0.0",
-                                          "fixed_version": "6.4.0, 5.4.0",
-                                          "title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks",
-                                          "description": "Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.",
-                                          "severity": "MEDIUM",
-                                          "references": [
-                                            "https://access.redhat.com/security/cve/CVE-2022-40152",
-                                            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434",
-                                            "https://github.com/FasterXML/woodstox",
-                                            "https://github.com/FasterXML/woodstox/issues/157",
-                                            "https://github.com/FasterXML/woodstox/issues/160",
-                                            "https://github.com/FasterXML/woodstox/pull/159",
-                                            "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
-                                            "https://github.com/x-stream/xstream/issues/304",
-                                            "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
-                                            "https://www.cve.org/CVERecord?id=CVE-2022-40152"
-                                          ],
-                                          "pkg_identifier": {
-                                            "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core@5.0.0",
-                                            "bom_ref": ""
-                                          },
-                                          "layer": {
-                                            "digest": "",
-                                            "diff_id": "",
-                                            "created_by": ""
-                                          },
-                                          "severity_source": "ghsa",
-                                          "cvss": {
-                                            "ghsa": {
-                                              "v2_vector": "",
-                                              "v3_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
-                                              "v2_score": 0,
-                                              "v3_score": 6.5
-                                            },
-                                            "nvd": {
-                                              "v2_vector": "",
-                                              "v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-                                              "v2_score": 0,
-                                              "v3_score": 7.5
-                                            },
-                                            "redhat": {
-                                              "v2_vector": "",
-                                              "v3_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-                                              "v2_score": 0,
-                                              "v3_score": 7.5
-                                            }
-                                          },
-                                          "cwe_ids": [
-                                            "CWE-787",
-                                            "CWE-121"
-                                          ],
-                                          "primary_url": "https://avd.aquasec.com/nvd/cve-2022-40152",
-                                          "published_date": "2022-09-16T10:15:09.877Z",
-                                          "last_modified_date": "2023-02-09T01:36:03.637Z",
-                                          "custom_advisory_data": null,
-                                          "custom_vuln_data": null,
-                                          "vendor_ids": [],
-                                          "data_source": {
-                                            "id": "ghsa",
-                                            "name": "GitHub Security Advisory Maven",
-                                            "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
-                                          },
-                                          "vendor_severity": {
-                                            "amazon": "MEDIUM",
-                                            "ghsa": "MEDIUM",
-                                            "nvd": "HIGH",
-                                            "redhat": "MEDIUM"
-                                          },
-                                          "pkg_path": "",
-                                          "pkg_id": "",
-                                          "status": 3
-                                        }
-                                      ],
-                                      "misconfigurations": [],
-                                      "class": "lang-pkgs",
-                                      "type": "jar",
-                                      "packages": [],
-                                      "custom_resources": [],
-                                      "secrets": [],
-                                      "licenses": []
-                                    }
-                                  ]
-                                }
-                                """)));
+                        .withHeader("Content-Type", "application/protobuf")
+                        .withBody(ScanResponse.newBuilder()
+                                .addResults(Result.newBuilder()
+                                        .setClass_("lang-pkgs")
+                                        .setTarget("java")
+                                        .setType("jar")
+                                        .addVulnerabilities(trivy.proto.common.Vulnerability.newBuilder()
+                                                .setStatus(3)
+                                                .setVulnerabilityId("CVE-2022-40152")
+                                                .setPkgName("com.fasterxml.woodstox:woodstox-core")
+                                                .setPkgIdentifier(PkgIdentifier.newBuilder()
+                                                        .setPurl("pkg:maven/com.fasterxml.woodstox/woodstox-core@5.0.0")
+                                                        .build())
+                                                .setInstalledVersion("5.0.0")
+                                                .setFixedVersion("6.4.0, 5.4.0")
+                                                .setTitle("woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks")
+                                                .setDescription("""
+                                                        Those using Woodstox to parse XML data may be vulnerable to \
+                                                        Denial of Service attacks (DOS) if DTD support is enabled. \
+                                                        If the parser is running on user supplied input, an attacker \
+                                                        may supply content that causes the parser to crash by stackoverflow. \
+                                                        This effect may support a denial of service attack.""")
+                                                .setPublishedDate(Timestamps.parse("2022-09-16T10:15:09.877Z"))
+                                                .setLastModifiedDate(Timestamps.parse("2023-02-09T01:36:03.637Z"))
+                                                .setSeverity(trivy.proto.common.Severity.MEDIUM)
+                                                .setSeveritySource("ghsa")
+                                                .putAllVendorSeverity(Map.ofEntries(
+                                                        Map.entry("amazon", trivy.proto.common.Severity.MEDIUM),
+                                                        Map.entry("ghsa", trivy.proto.common.Severity.MEDIUM),
+                                                        Map.entry("nvd", trivy.proto.common.Severity.HIGH),
+                                                        Map.entry("redhat", trivy.proto.common.Severity.MEDIUM)
+                                                ))
+                                                .putAllCvss(Map.ofEntries(
+                                                        Map.entry("ghsa", CVSS.newBuilder()
+                                                                .setV3Vector("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H")
+                                                                .setV3Score(6.5)
+                                                                .build()),
+                                                        Map.entry("nvd", CVSS.newBuilder()
+                                                                .setV3Vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H")
+                                                                .setV3Score(7.5)
+                                                                .build()),
+                                                        Map.entry("redhat", CVSS.newBuilder()
+                                                                .setV3Vector("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H")
+                                                                .setV3Score(7.5)
+                                                                .build())
+                                                ))
+                                                .addAllCweIds(List.of("CWE-787", "CWE-121"))
+                                                .addAllReferences(List.of(
+                                                        "https://access.redhat.com/security/cve/CVE-2022-40152",
+                                                        "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434",
+                                                        "https://github.com/FasterXML/woodstox",
+                                                        "https://github.com/FasterXML/woodstox/issues/157",
+                                                        "https://github.com/FasterXML/woodstox/issues/160",
+                                                        "https://github.com/FasterXML/woodstox/pull/159",
+                                                        "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4",
+                                                        "https://github.com/x-stream/xstream/issues/304",
+                                                        "https://nvd.nist.gov/vuln/detail/CVE-2022-40152",
+                                                        "https://www.cve.org/CVERecord?id=CVE-2022-40152"
+                                                ))
+                                                .setDataSource(DataSource.newBuilder()
+                                                        .setId("ghsa")
+                                                        .setName("GitHub Security Advisory Maven")
+                                                        .setUrl("https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven")
+                                                        .build())
+                                                .build())
+                                        .build())
+                                .build()
+                                .toByteArray())));
 
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/DeleteBlobs"))
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {}
-                                """)));
+                        .withHeader("Content-Type", "application/protobuf")));
 
         var project = new Project();
         project.setName("acme-app");
@@ -352,90 +320,21 @@ Those using Woodstox to parse XML data may be vulnerable to Denial of Service at
 
         wireMock.verify(postRequestedFor(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/PutBlob"))
                 .withHeader("Trivy-Token", equalTo("token"))
-                .withHeader("Content-Type", equalTo("application/json"))
-                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent()))
-                .withRequestBody(equalToJson("""
-                        {
-                          "diff_id": "${json-unit.regex}(^sha256:[a-f0-9]{64}$)",
-                          "blob_info": {
-                            "schema_version": 2,
-                            "os": {
-                              "eosl": false,
-                              "extended": false
-                            },
-                            "applications": [
-                              {
-                                "type": "jar",
-                                "packages": [
-                                  {
-                                    "name": "com.fasterxml.woodstox:woodstox-core",
-                                    "version": "5.0.0",
-                                    "src_name": "com.fasterxml.woodstox:woodstox-core",
-                                    "src_version": "5.0.0",
-                                    "licenses": [],
-                                    "layer": {
-                                      "eosl": false,
-                                      "extended": false
-                                    }
-                                  }
-                                ],
-                                "libraries": [
-                                  {
-                                    "name": "com.fasterxml.woodstox:woodstox-core",
-                                    "version": "5.0.0",
-                                    "src_name": "com.fasterxml.woodstox:woodstox-core",
-                                    "src_version": "5.0.0",
-                                    "licenses": [],
-                                    "layer": {
-                                      "eosl": false,
-                                      "extended": false
-                                    }
-                                  }
-                                ]
-                              }
-                            ]
-                          }
-                        }
-                        """)));
+                .withHeader("Accept", equalTo("application/protobuf"))
+                .withHeader("Content-Type", equalTo("application/protobuf"))
+                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent())));
 
         wireMock.verify(exactly(3), postRequestedFor(urlPathEqualTo("/twirp/trivy.scanner.v1.Scanner/Scan"))
                 .withHeader("Trivy-Token", equalTo("token"))
-                .withHeader("Content-Type", equalTo("application/json"))
-                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent()))
-                .withRequestBody(equalToJson("""
-                        {
-                           "target": "${json-unit.regex}(^sha256:[a-f0-9]{64}$)",
-                           "artifact_id": "${json-unit.regex}(^sha256:[a-f0-9]{64}$)",
-                           "blob_ids": [
-                             "${json-unit.regex}(^sha256:[a-f0-9]{64}$)"
-                           ],
-                           "options": {
-                             "pkg_types": [
-                               "os",
-                               "library"
-                             ],
-                             "vuln_type": [
-                               "os",
-                               "library"
-                             ],
-                             "scanners": [
-                               "vuln"
-                             ]
-                           }
-                         }
-                        """)));
+                .withHeader("Accept", equalTo("application/protobuf"))
+                .withHeader("Content-Type", equalTo("application/protobuf"))
+                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent())));
 
         wireMock.verify(postRequestedFor(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/DeleteBlobs"))
                 .withHeader("Trivy-Token", equalTo("token"))
-                .withHeader("Content-Type", equalTo("application/json"))
-                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent()))
-                .withRequestBody(equalToJson("""
-                        {
-                          "blob_ids": [
-                            "${json-unit.regex}(^sha256:[a-f0-9]{64}$)"
-                          ]
-                        }
-                        """)));
+                .withHeader("Accept", equalTo("application/protobuf"))
+                .withHeader("Content-Type", equalTo("application/protobuf"))
+                .withHeader("User-Agent", equalTo(ManagedHttpClientFactory.getUserAgent())));
     }
 
     @Test
@@ -443,46 +342,25 @@ public void testAnalyzeWithNoVulnerabilities() {
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/PutBlob"))
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {}
-                                """)));
+                        .withHeader("Content-Type", "application/protobuf")));
 
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.scanner.v1.Scanner/Scan"))
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {
-                                  "os": {
-                                    "family": "",
-                                    "name": "",
-                                    "eosl": false,
-                                    "extended": false
-                                  },
-                                  "results": [
-                                    {
-                                      "target": "Java",
-                                      "vulnerabilities": [],
-                                      "misconfigurations": [],
-                                      "class": "lang-pkgs",
-                                      "type": "jar",
-                                      "packages": [],
-                                      "custom_resources": [],
-                                      "secrets": [],
-                                      "licenses": []
-                                    }
-                                  ]
-                                }
-                                """)));
+                        .withHeader("Content-Type", "application/protobuf")
+                        .withBody(ScanResponse.newBuilder()
+                                .addResults(Result.newBuilder()
+                                        .setClass_("lang-pkgs")
+                                        .setTarget("java")
+                                        .setType("jar")
+                                        .build())
+                                .build()
+                                .toByteArray())));
 
         wireMock.stubFor(post(urlPathEqualTo("/twirp/trivy.cache.v1.Cache/DeleteBlobs"))
                 .willReturn(aResponse()
                         .withStatus(200)
-                        .withHeader("Content-Type", "application/json")
-                        .withBody("""
-                                {}
-                                """)));
+                        .withHeader("Content-Type", "application/json")));
 
         var project = new Project();
         project.setName("acme-app");