Closed
Description
Currently, the `Vulnerability` struct is defined as follows:

```go
type Vulnerability struct {
	...
	// the updater that discovered this vulnerability
	Updater string `json:"updater"`
	// the name of the vulnerability. for example, if the vulnerability exists in a CVE database
	// this would be the unique CVE name such as CVE-2017-11722
	Name string `json:"name"`
	...
}
```

Problem
The `Name` field is intended to store the unique CVE identifier (e.g., CVE-2022-36190). However, depending on the updater, the actual mapping can differ:

- Ubuntu Updater
  - `Name` is mapped to `metadata>title`.
  - This title often contains more than just the CVE ID — it’s closer to a descriptive title.
  - Example (`metadata>title`):

    ```xml
    <definition class="vulnerability" id="oval:com.ubuntu.focal:def:2022361900000000" version="1">
      <metadata>
        <title>CVE-2022-36190 on Ubuntu 20.04 LTS (focal) - medium.</title>
        <description>GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerability in function gf_isom_dovi_config_get. This vulnerability was fixed in commit fef6242.</description>
        ...
      </metadata>
    </definition>
    ```

    This includes both the CVE ID and a brief context.

- RHEL (VEX, etc.) Updater
  - `Name` is mapped to `document.tracking.id`, which is purely the CVE ID (ideal for `Name`).
  - `document.title`, which contains the descriptive title, is discarded.
  - Example (`document.title`):

    ```json
    {
      "document": {
        ...
        "title": "kernel: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices",
        "tracking": {
          "current_release_date": "2025-05-21T01:07:13+00:00",
          "generator": {
            "date": "2025-05-21T01:07:13+00:00",
            "engine": {
              "name": "Red Hat SDEngine",
              "version": "4.5.1"
            }
          },
          "id": "CVE-2024-53197",
          ...
        }
        ...
      }
    }
    ```
Proposal
To better capture human-readable vulnerability descriptions, I propose:

- Add a `Title` field to the `Vulnerability` struct.

  ```go
  type Vulnerability struct {
  	...
  	// the updater that discovered this vulnerability
  	Updater string `json:"updater"`
  	// the name of the vulnerability. for example if the vulnerability exists in a CVE database this
  	// would be the unique CVE name such as CVE-2017-11722
  	Name string `json:"name"`
  	Title string `json:"title"`
  	...
  }
  ```
- Updater-specific mapping:
  - RHEL: map `document.title` → `Vulnerability.Title`.
  - Ubuntu: map `metadata>title` → `Vulnerability.Title`, but extract the CVE ID from it and set that to `Name`.
Benefits
- Preserves both the CVE ID (`Name`) and a short human-readable description (`Title`).
- Improves API usability for displaying vulnerability lists without requiring clients to parse upstream data formats.
- Reduces ambiguity in `Name` for Ubuntu-sourced vulnerabilities.
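The two updater mappings from the proposal, as an added example that is not the project's code or the issue author's: a trimmed stand-in for the struct, a helper that splits an Ubuntu OVAL title into `Name` (the CVE ID) and `Title`, and one that reads `document.tracking.id` and `document.title` from a RHEL VEX document. The `Updater` values, the `rhelDoc` type and the CVE regular expression are assumptions for illustration; both helpers refuse input with no CVE ID so a descriptive string can never end up in `Name`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Trimmed stand-in for the issue's Vulnerability struct (assumption: only the
// fields the proposal touches are kept).
type Vulnerability struct {
	Updater string `json:"updater"`
	Name    string `json:"name"`
	Title   string `json:"title"`
}

// cveRE matches a CVE identifier anywhere in a string (word-bounded).
var cveRE = regexp.MustCompile(`\bCVE-\d{4}-\d{4,}\b`)

// fromUbuntuTitle keeps the whole OVAL <metadata><title> as Title and sets
// Name to the CVE ID embedded in it; ok is false when no CVE ID is present,
// so a caller never silently stores a descriptive title as the Name.
func fromUbuntuTitle(title string) (v Vulnerability, ok bool) {
	id := cveRE.FindString(title)
	return Vulnerability{Updater: "ubuntu", Name: id, Title: title}, id != ""
}

// rhelDoc is the subset of a CSAF VEX document needed for the mapping.
type rhelDoc struct {
	Document struct {
		Title    string `json:"title"`
		Tracking struct {
			ID string `json:"id"`
		} `json:"tracking"`
	} `json:"document"`
}
// fromRHELVEX maps document.tracking.id to Name and document.title to Title,
// rejecting documents whose tracking id is not a CVE ID.
func fromRHELVEX(raw []byte) (Vulnerability, error) {
	var d rhelDoc
	if err := json.Unmarshal(raw, &d); err != nil {
		return Vulnerability{}, err
	}
	id := d.Document.Tracking.ID
	if !cveRE.MatchString(id) {
		return Vulnerability{}, fmt.Errorf("tracking.id %q is not a CVE ID", id)
	}
	return Vulnerability{Updater: "rhel-vex", Name: id, Title: d.Document.Title}, nil
}
```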