
GHSA descriptions only have the advisory title #1069

Open
cjnosal opened this issue Jan 24, 2023 · 1 comment
Labels: bug

cjnosal (Contributor) commented Jan 24, 2023

What happened:
A spring-boot project directory was scanned and GHSA-36p3-wjmg-h94x was detected. The description in the CycloneDX report is very terse: "Remote Code Execution in Spring Framework"

What you expected to happen:
The description should reflect the content available on the advisory page (e.g. Impact, Workarounds)

How to reproduce it (as minimally and precisely as possible):

```shell
git clone https://github.com/spring-projects/spring-petclinic
# -o selects the report format; the report file is chosen with --file
grype -o cyclonedx ./spring-petclinic --file ./spring-petclinic/report.cdx
```

Anything else we need to know?:
The associated CVE-2022-22965 has a better description in the DB.
In air-gapped environments the reference links can't be followed easily, so a verbose description in the DB can avoid disrupting triage flow.

```
sqlite3 ~/.cache/grype/db/5/vulnerability.db

sqlite> select description from vulnerability_metadata where id = "GHSA-36p3-wjmg-h94x" limit 1;
Remote Code Execution in Spring Framework

sqlite> select description from vulnerability_metadata where id = "CVE-2022-22965" limit 1;
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
```

Environment:

  • Output of grype version: 0.55.0
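The sqlite queries above compare a GHSA record's description with the CVE it maps to by hand. The script below is an added example (not grype's code and not from the issue author) of the same comparison done programmatically, as a triage aid for air-gapped hosts: it lists advisory records whose own description is terse and, for each, falls back to the longest description among its related identifiers. The two tables are constructed in memory to mirror the columns the issue shows (`vulnerability_metadata.id` / `.description`); the `vulnerability.related_vulnerabilities` JSON column and the namespace values are assumptions about the grype v5 schema, so verify them with `.schema vulnerability` against your own `vulnerability.db` before pointing the script at it.

```python
"""Find terse advisory descriptions in a grype v5 vulnerability.db and fall
back to the description of a related identifier (e.g. the CVE behind a GHSA).

Added example; not grype's code. The DB built by build_sample_db() is
CONSTRUCTED from the two records quoted in the issue. The
related_vulnerabilities column layout is an ASSUMPTION about the v5 schema.
"""
import json
import sqlite3

# Identifiers and descriptions as quoted in the issue report.
GHSA_ID = "GHSA-36p3-wjmg-h94x"
CVE_ID = "CVE-2022-22965"
GHSA_DESC = "Remote Code Execution in Spring Framework"
CVE_DESC = (
    "A Spring MVC or Spring WebFlux application running on JDK 9+ may be "
    "vulnerable to remote code execution (RCE) via data binding. The specific "
    "exploit requires the application to run on Tomcat as a WAR deployment. If "
    "the application is deployed as a Spring Boot executable jar, i.e. the "
    "default, it is not vulnerable to the exploit. However, the nature of the "
    "vulnerability is more general, and there may be other ways to exploit it."
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ~/.cache/grype/db/5/vulnerability.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE vulnerability (
            id TEXT, namespace TEXT, package_name TEXT,
            related_vulnerabilities TEXT);          -- JSON list of {id, namespace} (assumed)
        CREATE TABLE vulnerability_metadata (
            id TEXT, namespace TEXT, description TEXT);
        """
    )
    conn.execute(
        "INSERT INTO vulnerability VALUES (?, ?, ?, ?)",
        (GHSA_ID, "github:language:java", "org.springframework:spring-beans",
         json.dumps([{"id": CVE_ID, "namespace": "nvd:cpe"}])),
    )
    conn.execute("INSERT INTO vulnerability_metadata VALUES (?, ?, ?)",
                 (GHSA_ID, "github:language:java", GHSA_DESC))
    conn.execute("INSERT INTO vulnerability_metadata VALUES (?, ?, ?)",
                 (CVE_ID, "nvd:cpe", CVE_DESC))
    conn.commit()
    return conn


def description_of(conn: sqlite3.Connection, vuln_id: str) -> str:
    """The record's own description, or '' when the ID is unknown or empty."""
    row = conn.execute(
        "SELECT description FROM vulnerability_metadata WHERE id = ? LIMIT 1",
        (vuln_id,),
    ).fetchone()
    return row[0] if row and row[0] else ""


def related_ids(conn: sqlite3.Connection, vuln_id: str) -> list:
    """Distinct related identifiers (e.g. the CVE behind a GHSA), in DB order."""
    ids = []
    for (blob,) in conn.execute(
        "SELECT related_vulnerabilities FROM vulnerability WHERE id = ?", (vuln_id,)
    ):
        for entry in json.loads(blob or "[]"):
            rid = entry.get("id")
            if rid and rid not in ids:
                ids.append(rid)
    return ids


def best_description(conn: sqlite3.Connection, vuln_id: str) -> tuple:
    """(source_id, text): the longest description among the record and its related IDs."""
    candidates = [(vuln_id, description_of(conn, vuln_id))]
    candidates += [(rid, description_of(conn, rid)) for rid in related_ids(conn, vuln_id)]
    return max(candidates, key=lambda c: len(c[1]))


def terse_records(conn: sqlite3.Connection, max_len: int = 80, prefix: str = "GHSA-") -> list:
    """IDs with the given prefix whose own description is max_len characters or fewer."""
    rows = conn.execute(
        "SELECT DISTINCT id, description FROM vulnerability_metadata WHERE id LIKE ?",
        (prefix + "%",),
    )
    return sorted(vid for vid, desc in rows if len(desc or "") <= max_len)


if __name__ == "__main__":
    # For a real DB: sqlite3.connect(os.path.expanduser("~/.cache/grype/db/5/vulnerability.db"))
    db = build_sample_db()
    for vid in terse_records(db):
        src, text = best_description(db, vid)
        print(f"{vid}: description taken from {src}\n  {text}")
```

The `max_len` threshold is a heuristic: a title-only description like the one in this issue is well under 80 characters, while a real advisory summary is not, so the cut-off separates the two without any reference to the network.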
wagoodman (Contributor) commented:

I think the best way forward for this is to use the --by-cve option to reorient the results in terms of CVEs (and thus the descriptions as well). That being said, I'm not seeing the results get reoriented for this GHSA for your example. It might be because the CVE is undergoing reanalysis, but I'm not certain. More digging is needed.

Project status: Backlog