Provide all security advisories in OpenSSF Vulnerability format for dependency tracking
>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3410338. --> Reported by: [dmundra](https://www.drupal.org/user/866436) >>> <h3 id="summary-problem-motivation">Problem/Motivation</h3> <p>Organizations increasingly use tools like SBOMS, `osv-scanner`, and Dependency Track to track application packages (composer, node, server, and so on). When the Drupal Security Team releases a core security update, those get a Common Vulnerabilities and Exposures (CVE) identifier and are added to CVE databases like NIST (e.g. <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-5256">https://nvd.nist.gov/vuln/detail/CVE-2023-5256</a>) and are added to packagist. Those then appear appropriately in DependencyTrack to let us know we have to update Drupal core. The request is to also create appropriate tooling/data to support contributed projects.</p> <p>Perhaps contributed project security advisories could be provided in an <a href="https://ossf.github.io/osv-schema/">OpenSSF Vulnerability format</a> in addition to current formats? If that is setup then those could be added to the <a href="https://osv.dev/">OSV</a> database and make it to DependencyTrack through that process.</p> <p>A set of code and example CVES that reformat Drupal's advisories from API into OpenSSF exists in the <a href="https://github.com/ackama/drupal-advisory-database">ackama drupal-advisory-database github repo</a>. However, there are some items that need to be determined to make this more operational:</p> <ol> <li>getting an appropriate ecosystem into the spec</li> <li>confirming how tools can reliably determine that ecosystem from the composer.lock</li> <li>getting an id prefix for advisories into the spec</li> </ol> <p>Confirm appropriate governance on the Drupal side.<br> Migrate the code / concepts to that governance.</p> > Related issue: [Issue #2966246](https://www.drupal.org/node/2966246)
issue