Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and limited to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil.

We can do this by extending the "automatic update" job to automatically annotate CVEs assigned by a given CNA as NFU entries. As an example, all CVEs coming from the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and review would still happen on the committed entries). The same applies to many commercial software vendors; e.g. for a company like SAP, which has no ties to FLOSS, everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP" without human interaction.

We should only extend this on a case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also maintain MySQL, Java and VirtualBox, so their CVEs still need manual review.

Cheers,
Moritz
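As an added illustration of the proposed CNA allow-list (example code, not the security-tracker's own automatic-update job): incoming records are assumed to be CVE JSON 5 objects whose cveMetadata.assignerShortName names the CNA, the output is assumed to follow the header-plus-tab-indented-note layout of the tracker's data/CVE/list, and records from a CNA that is not on the list are assumed to get the "TODO: check" placeholder for manual triage. The CNA short names, CVE IDs and descriptions are constructed sample data.

```python
"""Added example (not the security-tracker's code): annotate incoming CVEs
by assigning CNA, as the report proposes.

Assumptions not stated in the report: incoming records are CVE JSON 5
objects, whose cveMetadata.assignerShortName names the CNA; output follows
the header-plus-tab-indented-note layout of the tracker's data/CVE/list;
and a CNA not on the allow-list gets a "TODO: check" placeholder. All CNA
short names and records below are constructed sample data.
"""
from typing import Dict, List, Optional

# Allow-list, extended only case by case: CNAs whose entire scope lies
# outside Debian. Keys are lower-cased assignerShortName values.
# Oracle is deliberately absent: its CNA also covers MySQL, Java and
# VirtualBox, which need manual review.
CNA_NOT_FOR_US: Dict[str, str] = {
    "wordfence": "WordPress plugin",
    "sap": "SAP",
}


def nfu_annotation(record: dict) -> Optional[str]:
    """NOT-FOR-US note for a record, or None when the CNA needs manual triage."""
    cna = record.get("cveMetadata", {}).get("assignerShortName", "")
    return CNA_NOT_FOR_US.get(cna.lower())


def english_description(record: dict) -> str:
    """First English description in the CNA container, or an empty string."""
    descs = record.get("containers", {}).get("cna", {}).get("descriptions", [])
    for d in descs:
        if d.get("lang", "").lower().startswith("en"):
            return d.get("value", "")
    return ""


def format_entry(record: dict) -> str:
    """Render one list entry: header line plus a tab-indented note."""
    cve_id = record["cveMetadata"]["cveId"]
    header = f"{cve_id} ({english_description(record)})"
    note = nfu_annotation(record)
    if note is None:
        return f"{header}\n\tTODO: check"       # left for a human
    return f"{header}\n\tNOT-FOR-US: {note}"    # pre-annotated, still reviewed on commit


def triage(records: List[dict]) -> Dict[str, List[str]]:
    """Split a batch into auto-annotated and manual-review entries."""
    out: Dict[str, List[str]] = {"auto": [], "manual": []}
    for rec in records:
        out["auto" if nfu_annotation(rec) else "manual"].append(format_entry(rec))
    return out


# Constructed sample feed; IDs, CNA names and texts are invented.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-0000-0001", "assignerShortName": "Wordfence"},
     "containers": {"cna": {"descriptions": [
         {"lang": "en", "value": "Example Plugin <= 1.0 - Stored XSS"}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0002", "assignerShortName": "sap"},
     "containers": {"cna": {"descriptions": [
         {"lang": "en", "value": "Missing authorization in SAP Example"}]}}},
    {"cveMetadata": {"cveId": "CVE-0000-0003", "assignerShortName": "oracle"},
     "containers": {"cna": {"descriptions": [
         {"lang": "en", "value": "Vulnerability in MySQL Server"}]}}},
]

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print("\n".join(result["auto"] + result["manual"]))
```

The allow-list is the only policy knob: adding a CNA there is the "case-by-case" decision the report asks for, and anything not listed falls through to the existing manual path unchanged.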