
Determine preferred way to refer to CVEs, GHSAs and other vulnerability IDs #816

@johnmhoran


In the new UI, one task I'm working on is providing succinct user instructions on the new landing page for both a vulnerable package search and a vulnerability search. This raises various questions, including how best to refer to what we currently refer to as aliases, e.g., a CVE or GHSA. Here's the text I'm currently using:

Search for comprehensive information for a VULCOID (VulnerableCode Database ID). (Only the first of these methods requires that the input be all uppercase.)
- Search for a specific VULCOID (e.g., "VULCOID-1").
- Search for all VULCOIDs that are associated with a specific CVE (e.g., "CVE-2009-3898") or GHSA (e.g., "GHSA-2qrg-x229-3v8q").
- Search for "CVE" or "GHSA" -- this will return all VULCOIDs that are associated with one or more CVEs or GHSAs, respectively.

And a screenshot:
image

I understand from colleagues' comments that the term alias is based on the term's use in the OSSF OSV schema, and that alternatively we could say, e.g., "Search for other vulnerability ids such as NVD's CVE or GitHub's GHSA." We also have a model named Alias and use that term in some of our tabular displays of vulnerability (VULCOID) data.

What is our preferred vocabulary for this group of vulnerability IDs?

Labels: documentation, ui
