Missing details on NVD vulnerability

[pombredanne]

https://nvd.nist.gov/vuln/detail/CVE-2020-7965 is imported and has CPE but we do not relate that to any package and therefore it misses that pkg:pypi/webargs@5.5.2 is vulnerable.

[pombredanne]

See also for related details CycloneDX/cyclonedx-python#157

[sbs2001]

The only source for python vulnerabilities is github, and they don't have this vulnerability.

Inferring the purl solely from cpe is dangerous. But it did point us to the changelog.

This is good example of why need to parse changelogs.

[pombredanne]

Inferring the purl solely from cpe is dangerous. But it did point us to the changelog.
This is good example of why need to parse changelogs.

https://github.com/pyupio/changelogs may help as discussed in the past and this
https://github.com/pyupio/safety-db/blob/master/data/insecure_full.json#L20724
was likely derived from this changelog
https://github.com/marshmallow-code/webargs/blob/dev/CHANGELOG.rst#553-2020-01-28
Yet! I wonder if we should instead focus on curation by hand rather automation in these cases?

And what if we start our curated mapping of CPEs to purls? We can make a best effort to deal with changelogs separately alright