- CVEs are universally known. There are various other IDs out there (RHSA, DSA, USN, GHSA), but all of them refer back to one or more CVE(s). When it comes to extremely critical vulnerabilities, people tend to know the CVE number, and they will want to know if their containers are affected by CVE-XYZ. This can be hard to do when we provide people with RHSA or GHSA, as they may not know how those IDs relate back to the original CVE in question.
We should consider making the CVE the top-level name we output in vulnerability reports. I believe we have already discussed this for Linux distros, but something interesting is OSV.
OSV sometimes has repeat vulnerabilities: see https://osv.dev/vulnerability/GHSA-vfvj-3m3g-m532 and https://osv.dev/vulnerability/GO-2023-1623. I think we should show one of these as CVE-2023-27483, but it is hard to tell how to decide or what to do, as both entries have slightly different information about the same exact CVE.
Replies: 1 comment
- I think there's work to be done for surfacing the well-known IDs better, but I don't think making "the" CVE the top-level name works for the reason noted: there's usually more than one.
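As an added example that is not part of this discussion or of the project's own code: a small Python routine that resolves OSV-style records (an `id` plus an `aliases` list) to a CVE as the display name only when exactly one CVE is present, merges duplicate entries such as the GHSA and GO records above that both alias CVE-2023-27483, and keeps the native id when a record carries zero or several CVEs, which is the case the reply points at. The record shape and the placeholder GHSA/CVE values other than those on the page are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of OSV's "id"/"aliases" fields.
# The GHSA-vfvj-3m3g-m532 / GO-2023-1623 / CVE-2023-27483 identifiers come from
# the discussion; the two records below them are hypothetical placeholders that
# exercise the "several CVEs" and "no CVE" cases.
SAMPLE_RECORDS = [
    {"id": "GHSA-vfvj-3m3g-m532", "aliases": ["CVE-2023-27483", "GO-2023-1623"],
     "summary": "summary as written by source A (constructed)"},
    {"id": "GO-2023-1623", "aliases": ["CVE-2023-27483", "GHSA-vfvj-3m3g-m532"],
     "summary": "summary as written by source B (constructed)"},
    {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-00001", "CVE-0000-00002"],
     "summary": "hypothetical advisory covering two CVEs (constructed)"},
    {"id": "GHSA-yyyy-yyyy-yyyy", "aliases": [],
     "summary": "hypothetical advisory with no CVE assigned (constructed)"},
]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cve_ids(record):
    """Return every CVE identifier a record carries, whether as id or alias, sorted."""
    ids = [record["id"], *record.get("aliases", [])]
    return sorted({i for i in ids if CVE_RE.match(i)})


def choose_display_id(record):
    """Pick the top-level name for a report line.

    Exactly one CVE -> use it (the request in the original post).
    Several CVEs    -> keep the native id; the CVEs stay as aliases, because
                       there is no single "the" CVE (the reply's caveat).
    No CVE          -> keep the native id.
    """
    cves = cve_ids(record)
    if len(cves) == 1:
        return cves[0]
    return record["id"]


def group_by_cve(records):
    """Index CVE -> source ids, so "is my container affected by CVE-X?" can be
    answered no matter which source id the scanner matched on."""
    index = defaultdict(list)
    for r in records:
        for cve in cve_ids(r):
            index[cve].append(r["id"])
    return dict(index)


def merge_duplicates(records):
    """Collapse records that resolve to the same single CVE into one report
    entry that lists all contributing source ids. Records with zero or several
    CVEs are kept separately under their native id."""
    merged = {}
    for r in records:
        key = choose_display_id(r)
        entry = merged.setdefault(
            key, {"display_id": key, "source_ids": [], "cves": cve_ids(r)})
        entry["source_ids"].append(r["id"])
    return list(merged.values())


if __name__ == "__main__":
    for entry in merge_duplicates(SAMPLE_RECORDS):
        print(entry["display_id"], "<-", ", ".join(entry["source_ids"]),
              "| cves:", ", ".join(entry["cves"]) or "none")
```

The merge deliberately does not try to reconcile the differing summaries of the two records for CVE-2023-27483; it only decides the name and records which sources fed the entry, which is the part the thread is actually about.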