Provide all security advisories in OpenSSF Vulnerability format for dependency tracking
>>> [!note] Migrated issue
<!-- Drupal.org comment -->
<!-- Migrated from issue #3410338. -->
Reported by: [dmundra](https://www.drupal.org/user/866436)
>>>
<h3 id="summary-problem-motivation">Problem/Motivation</h3>
<p>Organizations increasingly use tools like SBOMS, `osv-scanner`, and Dependency Track to track application packages (composer, node, server, and so on). When the Drupal Security Team releases a core security update, those get a Common Vulnerabilities and Exposures (CVE) identifier and are added to CVE databases like NIST (e.g. <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-5256">https://nvd.nist.gov/vuln/detail/CVE-2023-5256</a>) and are added to packagist. Those then appear appropriately in DependencyTrack to let us know we have to update Drupal core. The request is to also create appropriate tooling/data to support contributed projects.</p>
<p>Perhaps contributed project security advisories could be provided in an <a href="https://ossf.github.io/osv-schema/">OpenSSF Vulnerability format</a> in addition to current formats? If that is setup then those could be added to the <a href="https://osv.dev/">OSV</a> database and make it to DependencyTrack through that process.</p>
<p>A set of code and example CVES that reformat Drupal's advisories from API into OpenSSF exists in the <a href="https://github.com/ackama/drupal-advisory-database">ackama drupal-advisory-database github repo</a>. However, there are some items that need to be determined to make this more operational:</p>
<ol>
<li>getting an appropriate ecosystem into the spec</li>
<li>confirming how tools can reliably determine that ecosystem from the composer.lock</li>
<li>getting an id prefix for advisories into the spec</li>
</ol>
<p>Confirm appropriate governance on the Drupal side.<br>
Migrate the code / concepts to that governance.</p>
> Related issue: [Issue #2966246](https://www.drupal.org/node/2966246)
issue