Please add the C ecosystem to GHSA

[eslerm]

Adding the C ecosystem would dramatically help organize CVE communication.

For example, the OpenJPEG project has many CVEs from Chromium fuzzing. It is difficult to understand if certain CVEs have been addressed from this projects commit message history and which commits belong to a patch set of a specific CVEs. Many commits which address specific GitHub Issues are not linked. Most GitHub issues do not mention CVEs they address. Some vulnerabilities relate to multiple GitHub issues. An issue could be made for each CVE to tie everything together, but using GHSA would be a vastly better.

By extending GHSA to the C ecosystem maintainers and community members will have dramatically more tools to organize and resolve CVEs.

[KateCatlin]

Thanks @eslerm, appreciate you voicing this. We'd really like to expand to supporting C/C++ so I'm going to keep this issue open for others to chime in.

While committing to curating all C/C++ advisories is further out, we're considering adding more options to the GHSA form for folks to select from even if we don't curate them. One proposal on the table is to add all PURL types as options to select. That would mean C specifically wouldn't be available, but conan would.

Would that address the problem you're trying to solve or not really?

[eslerm]

Thank you @KateCatlin! Adding purl-spec sounds like a wonderful idea!

Between purl's support of distros, package managers, and version control systems, most software can be tracked. And adding purl would be especially useful for generating SBOMs.

[KateCatlin]

Great, thanks @eslerm.

I'll circle back to update this Issue when that gets released.