Hello GitHub Advisory Database Team,
First, thank you for maintaining and continuously improving the GitHub Advisory Database. It has become an invaluable resource for the open-source ecosystem.
I would like to propose adding the MITRE CVE List V5 repository as an additional advisory source:
https://github.com/CVEProject/cvelistV5
Currently, the GitHub Advisory Database ingests advisories from sources such as:
- Security advisories reported on GitHub
- National Vulnerability Database (NVD)
- npm Security Advisories Database
- FriendsOfPHP Database
- Go Vulnerability Database
- Python Packaging Advisory Database
- Ruby Advisory Database
- RustSec Advisory Database
- Community contributions
The MITRE CVE List V5 repository contains the authoritative CNA-submitted CVE records and often includes rich product metadata before or independent of downstream enrichment. Many records already contain ecosystem-specific package information that could potentially be mapped directly into GitHub Advisory Database package ecosystems.
For example, Apache-related CVEs frequently include package references that align with Maven coordinates, making them suitable candidates for automated package matching and advisory enrichment.
Potential benefits include:
- Faster availability of newly published CVEs.
- Access to authoritative CNA-provided metadata.
- Improved package ecosystem coverage.
- Additional package mappings that may not yet be present in other advisory feeds.
- Better support for dependency and supply-chain vulnerability detection.
I would be interested in helping evaluate feasibility, mapping strategies, and implementation approaches for integrating CVE List V5 data into the GitHub Advisory Database pipeline.
Thank you for considering this suggestion.
Hello GitHub Advisory Database Team,
First, thank you for maintaining and continuously improving the GitHub Advisory Database. It has become an invaluable resource for the open-source ecosystem.
I would like to propose adding the MITRE CVE List V5 repository as an additional advisory source:
https://github.com/CVEProject/cvelistV5
Currently, the GitHub Advisory Database ingests advisories from sources such as:
The MITRE CVE List V5 repository contains the authoritative CNA-submitted CVE records and often includes rich product metadata before or independent of downstream enrichment. Many records already contain ecosystem-specific package information that could potentially be mapped directly into GitHub Advisory Database package ecosystems.
For example, Apache-related CVEs frequently include package references that align with Maven coordinates, making them suitable candidates for automated package matching and advisory enrichment.
Potential benefits include:
I would be interested in helping evaluate feasibility, mapping strategies, and implementation approaches for integrating CVE List V5 data into the GitHub Advisory Database pipeline.
Thank you for considering this suggestion.