diff --git a/pkg/fanal/types/artifact.go b/pkg/fanal/types/artifact.go
index cab71572a1e7..cc008ad53943 100644
--- a/pkg/fanal/types/artifact.go
+++ b/pkg/fanal/types/artifact.go
@@ -82,9 +82,15 @@ type Package struct {
 Modularitylabel string `json:",omitempty"` // only for Red Hat based distributions
 BuildInfo *BuildInfo `json:",omitempty"` // only for Red Hat
-
- Ref string `json:",omitempty"` // identifier which can be used to reference the component elsewhere
- Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
+ Indirect bool `json:",omitempty"` // this package is direct dependency of the project or not
+
+ // TO BE DEPRECATED - use Identifier instead
+ // Only used when scanning SBOM and contains the reference ID used in it.
+ // It could be PURL, UUID, etc.
+ // e.g.
+ // - pkg:npm/acme/component@1.0.0
+ // - b2a46a4b-8367-4bae-9820-95557cfe03a8
+ Ref string `json:",omitempty"`
 // Dependencies of this package
 // Note: it may have interdependencies, which may lead to infinite loops.
diff --git a/pkg/types/vulnerability.go b/pkg/types/vulnerability.go
index 80a6119ad216..4727d5009083 100644
--- a/pkg/types/vulnerability.go
+++ b/pkg/types/vulnerability.go
@@ -20,12 +20,12 @@ type DetectedVulnerability struct {
 SeveritySource types.SourceID `json:",omitempty"`
 PrimaryURL string `json:",omitempty"`
- // PkgRef is populated only when scanning SBOM and contains the reference ID used in the SBOM.
+ // TO BE DEPRECATED - use PkgIdentifier instead
+ // Only used when scanning SBOM and contains the reference ID used in it.
 // It could be PURL, UUID, etc.
 // e.g.
 // - pkg:npm/acme/component@1.0.0
 // - b2a46a4b-8367-4bae-9820-95557cfe03a8
- // To be deprecated now we have PkgIdentifier
 PkgRef string `json:",omitempty"`
 // DataSource holds where the advisory comes from
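Review bot: The new comment on `Ref` (and the matching one on `PkgRef` in pkg/types/vulnerability.go) says where the value comes from but not how far it can be relied on: by its own wording it is whatever reference ID the scanned SBOM used, so it is document-supplied and has no fixed format. I would add a line such as `// The value is taken from the scanned SBOM; treat it as an opaque string and do not assume it is unique or a well-formed PURL.` so that report consumers do not parse it or join on it blindly. Separately, `TO BE DEPRECATED` is not a marker Go tooling recognises and the comment no longer opens with the field name; once the replacement is final, a `// Deprecated: use Identifier instead.` paragraph (and `use PkgIdentifier instead.` for `PkgRef`) would let linters and editors flag remaining uses. The `Identifier` field is not visible in this hunk, and both structs continue outside their hunks.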