Consider adding a vulnerability id for non-CVEs
sbs2001 opened this issue · 2 comments
This repository has many vulnerabilities which didn't get their own CVE id; such vulnerabilities can't be referenced across projects which consume this data.
Almost every ecosystem has its own vulnerability id; for example, Rust advisories have ids which follow the format RUSTSEC-XXXX-XXXX, Red Hat has RHSAs, etc.
It would be extremely valuable for us at VulnerableCode and other similar projects, as we could then simply consume the advisories and reference them with whatever id you choose, instead of assigning ids internally and creating confusion.
You can now easily get a DWF (Distributed Weakness Filing Project) CVE ID via https://iwantacve.org/ (which ultimately ends up at https://github.com/distributedweaknessfiling/). Also, if you want to talk about an API/scripting to mass-assign, please feel free to file an issue in https://github.com/distributedweaknessfiling/dwf-workflow so we can figure out the best way to support you.
That's not our responsibility. If projects want to get some CVEs, they can through GitHub very easily nowadays. Let's close, as there is nothing we can do. We are mainly checking that everything looks good before merging, nothing more, as we don't have enough resources to get more done. Thank you for the suggestion.