Raphaël Vinot
that's nice! but yes, vulnogram is the way to go *if* the format we use is the one used by CVE. This format is a lot and not necessarily super...
I'm happy with you implementing a PR as soon as possible, and if possible merging it incrementally so we don't have a monster PR to review in a month or...
Sounds good. I'm not going to teach you anything there, but my policy in general is to implement the absolute strict minimum that solves our current practical use case, while keeping...
Follow up question on that: how do we handle vulnerabilities that only apply if multiple products are involved? Example: CVE-2008-0732 ```json { "cve": { "id": "CVE-2008-0732", "sourceIdentifier": "[email protected]", "published": "2008-02-12T21:00:00.000",...
We can do something like that, but I really fear there will be a lot of improper guesses (the CPE refs are super weak). As long as we have a...
so cvrf is old csaf: https://oasis-open.github.io/csaf-documentation/specification.html And a practical open question: do we render the raw document on the website? If yes, how? And how do we generate the dumps?...
Work in progress on that (branch `framework`): * Imports all CVEs individually straight into kvrocks (it takes 15 min and uses ~3G of ram to load the complete dataset) *...
Some of the UI is implemented (search/list recent entries). Now let's discuss the system to create a new vulnerability. This is the form to report an advisory via GitHub: ...
As found by @adulau, we should use this interface for edit/submit: https://github.com/Vulnogram/Vulnogram And push it to vulnerability-lookup instead of CVE for the ones created by our constituents
Open question regarding [CVEList](https://github.com/CVEProject/cvelistV5): it is more or less a duplicate of the NVD database, and it is not really possible to treat it as a new source. For now,...