GHSA vs NVD ID

[andreeaButerchi]

Hello,

Since a few months now we're struggling with the fact that most of the vulnerabilities have both a GHSA ID and also a NVD ID (CVE-2024-12345 like) :(
We're using the API endpoint(api/v1/bom/cyclonedx/project/UUID?variant=withVulnerabilities) to download the SBOM with the vulnerabilities.
Then we're using the API endpoint (api/v1/vulnerability/project/UUID) to get the list of vulnerabilities for the project
And then the fun begings...We check the aliases and we try to keep as much as possible the NVD IDs...

We were wondering...as ODT has already all the data... Would it be possible to chose IF we want to favour NVD IDs or GHSA ones?
And based on this selection to be sure to receive within the SBOM all the data needed (to avoid calling a second endpoint and to try to match CVEs against GHSAs).
I assume the source is OSS Index...But on ODT side you have the info that one CVE is an alis for a GHSA... Thats' why I'm hoping you might be able to do something
To take a concrete example:
currently on spring-context we have one vulnerability:
{
"type": "framework",
"purl": "pkg:maven/org.springframework/[email protected]?type=jar",
"group": "org.springframework",
"name": "spring-context",
"version": "6.1.13",
"description": "Spring Context",
"bom-ref": "222f487f-bdf4-43e6-b387-39e0d3c529c5"
},

• one on spring-context 6.1.13 we have a low vulnerability: CVE-2024-38820, but nothing is found on OSS Index side

So ODT return the GHSA:
"id": "GHSA-4gc7-5j7h-4qph", "source": { "name": "GITHUB", "url": "https://github.com/advisories" }, "ratings": [ { "source": { "name": "GITHUB", "url": "https://github.com/advisories" }, "severity": "low", "method": "other" } ], "description": "The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.", "published": "2024-10-18T06:30:32Z", "updated": "2024-10-18T20:19:19Z", "affects": [ { "ref": "222f487f-bdf4-43e6-b387-39e0d3c529c5" } ], "bom-ref": "af56e602-714a-4580-8ef6-98e842a19bd8" }
However the /vulnerability/project endpoint:
"aliases": [
{
"cveId": "CVE-2024-38820",
"ghsaId": "GHSA-4gc7-5j7h-4qph",
"uuid": "10a6994d-7983-40b4-affa-9946e2efb88f"
}
],

The issue is that when OSS Index will end up by returning the CVE for spring-context 6.1.13, I assume the SBOM content will change and that the CVE-2024-38820 will be returned instead of the GHSA-4gc7-5j7h-4qph.
This is confusing for our devs as the ID changes...and it messes up with any strategy of keeping track of fixed vs new vulnerabilities on a project. As the swap between an NVD ID with its GHSA equivalent will be seen as one vulnerability fixed and one new -> while in fact nothing changed :(

Thank you very much for your help!
Best regards,
Andreea