Description
Not all data we import is correct; human error may cause declaring non-vulnerable packages vulnerable. Sometimes packages are related to wrong vulnerabilities; this is where community curation comes in.
The idea being, at some point in the future an instance of VulnerableCode will be deployed, and users would be able to view and make corrections to the data we are collecting. Something like clearlydefined.io, except instead of licenses we will enable curating vulnerabilities.
Things I haven't figured out:
Architecture: We can continue with the Django monolith, and add the curation just as another view in the vulnerabilities app. Or we could decouple the curation model, and create it using some CRUD JS app and consume from VulnerableCode's API.
Tech Stack: Is a JS framework overkill? I think we will be fine using Django + vanilla/jQuery JS. If we go the CRUD route, then something like Vue or React might be the way to go.
