Proposal: Add a Title field to Vulnerability for a brief human-readable CVE description

[zandwang]

Currently, the Vulnerability struct is defined as follows:

type Vulnerability struct {
    ...
    // the updater that discovered this vulnerability
    Updater string `json:"updater"`
    // the name of the vulnerability. for example, if the vulnerability exists in a CVE database
    // this would be the unique CVE name such as CVE-2017-11722
    Name string `json:"name"`
    ...
}

Problem

The Name field is intended to store the unique CVE identifier (e.g., CVE-2022-36190). However, depending on the updater, the actual mapping can differ:

• Ubuntu Updater

  • Name is mapped to metadata>title.

  • This title often contains more than just the CVE ID — it’s closer to a descriptive title.

  • Example (metadata>title):

    <definition class="vulnerability" id="oval:com.ubuntu.focal:def:2022361900000000" version="1">
      <metadata>
        <title>CVE-2022-36190 on Ubuntu 20.04 LTS (focal) - medium.</title>
        <description>GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.</description>
       ... 
      </metadata>
    </definition>

    This includes both the CVE ID and a brief context.

• RHEL (VEX, etc.) Updater

  • Name is mapped to document.tracking.id, which is purely the CVE ID (ideal for Name).

  • document.title, which contains the descriptive title, is discarded.

  • Example (document.title):

    {
      "document": {
      ...
        "title": "kernel: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices",
        "tracking": {
          "current_release_date": "2025-05-21T01:07:13+00:00",
          "generator": {
            "date": "2025-05-21T01:07:13+00:00",
            "engine": {
              "name": "Red Hat SDEngine",
              "version": "4.5.1"
            }
          },
          "id": "CVE-2024-53197",
        ...
        }
        ...
      }
    }

Proposal

To better capture human-readable vulnerability descriptions, I propose:

1. Add a Title field to the Vulnerability struct.

type Vulnerability struct {
  ...
  // the updater that discovered this vulnerability
    Updater string `json:"updater"`
    // the name of the vulnerability. for example if the vulnerability exists in a CVE database this
    // would the unique CVE name such as CVE-2017-11722
    Name string `json:"name"`
    Title string `json:"title"`
    ...
}

2. Updater-specific mapping:

   • RHEL: map document.title → Vulnerability.Title.
   • Ubuntu: map metadata>title → Vulnerability.Title, but extract the CVE ID from it and set that to Name.

Benefits

• Preserves both the CVE ID (Name) and a short human-readable description (Title).
• Improves API usability for displaying vulnerability lists without requiring clients to parse upstream data formats.
• Reduces ambiguity in Name for Ubuntu-sourced vulnerabilities.

[hdonnay]

I'm disinclined to do this because defining a Name field to be a CVE is

1. IMO a bad name for that
2. prevents non-CVE advisories

[zandwang]

Thanks for the clarification, how about Title? my core proposal is actually about preserving the RHEL document.title.