This repository was archived by the owner on Mar 13, 2025. It is now read-only.
Allow for data manipulation based on rules/configuration for the API output and tooling #151
kurtseifried started this conversation in Ideas
Replies: 0 comments
So in light of this posting:
https://daniel.haxx.se/blog/2023/03/06/nvd-makes-up-vulnerability-severity-levels
It seems to me that one way to address this would be, for example, to look at a GSD entry, especially if it comes from a third party like CVE, NVD, GHSA, PyPA, etc., and then have the system understand who the authority is (e.g. for curl vulns, curl is the authority, not CVE/NVD/etc.), and if that authority places data in their namespace (e.g. a curl issue from CVE has a CVSS score, and curl adds a CVSS score in their "curl.se" namespace), we should treat the curl.se namespace CVSS score as preferred since it is more likely to be authoritative and correct. Please note that the NVD CVSS score would still be present, just not presented as the primary CVSS score when getting the data.
So basically, when someone requests a GSD entry via the API that is based on a CVE entry about curl, for example, the CVSS score in the gsd namespace that is presented as authoritative would be taken from the curl.se namespace instead of the nvd.nist.gov namespace.
Thoughts and comments?
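The selection rule proposed above, as an added example that is not part of the original discussion and not the GSD project's own tooling. The rule table (`AUTHORITY_RULES`), the simplified entry layout (a `namespaces` map keyed by source such as `cve.org`, `nvd.nist.gov`, `curl.se`), and the `cvss` field shape are all assumptions constructed for this illustration. The authority's score becomes the primary score written into the `gsd` namespace, every other source's score is retained as an alternative, and when the authority is absent or has no score the code falls back to a configured preference order.

```python
"""Authority-aware CVSS selection over a GSD-style entry (added example)."""
from __future__ import annotations

import copy
from typing import Any

# Constructed rule set: which namespace is authoritative for a given product.
# The key names here are assumptions, not a GSD configuration format.
AUTHORITY_RULES: list[dict[str, str]] = [
    {"vendor": "curl", "product": "curl", "authority_namespace": "curl.se"},
]

# Fallback order used when no rule matches or the authority has no score.
DEFAULT_PREFERENCE: list[str] = ["nvd.nist.gov", "cve.org"]

# Constructed sample entry; the layout is a simplification, not the real schema.
SAMPLE_ENTRY: dict[str, Any] = {
    "GSD": {"id": "GSD-EXAMPLE-0001", "description": "constructed sample entry"},
    "namespaces": {
        "cve.org": {"affected": [{"vendor": "curl", "product": "curl"}]},
        "nvd.nist.gov": {
            "cvss": {
                "version": "3.1",
                "baseScore": 9.8,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            }
        },
        "curl.se": {
            "cvss": {
                "version": "3.1",
                "baseScore": 3.5,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            }
        },
    },
}


def affected_products(entry: dict[str, Any]) -> set[tuple[str, str]]:
    """Collect (vendor, product) pairs from the sources that carry affected lists."""
    namespaces = entry.get("namespaces", {})
    found: set[tuple[str, str]] = set()
    for source in ("cve.org", "gsd"):
        for item in namespaces.get(source, {}).get("affected", []):
            found.add((item.get("vendor", "").lower(), item.get("product", "").lower()))
    return found


def resolve_authority(entry: dict[str, Any], rules=AUTHORITY_RULES) -> str | None:
    """Return the authoritative namespace for this entry, or None if no rule matches."""
    products = affected_products(entry)
    for rule in rules:
        if (rule["vendor"].lower(), rule["product"].lower()) in products:
            return rule["authority_namespace"]
    return None


def select_cvss(entry: dict[str, Any], rules=AUTHORITY_RULES,
                preference=DEFAULT_PREFERENCE) -> dict[str, Any] | None:
    """Pick the primary CVSS score, keeping all other sources as alternatives."""
    namespaces = entry.get("namespaces", {})
    authority = resolve_authority(entry, rules)
    # Authority first, then the configured fallback order.
    order = ([authority] if authority else []) + [p for p in preference if p != authority]
    # Never treat a previously derived "gsd" score as an input candidate.
    candidates = {name: data["cvss"] for name, data in namespaces.items()
                  if name != "gsd" and isinstance(data, dict) and "cvss" in data}
    primary = next((name for name in order if name in candidates), None)
    if primary is None:
        return None
    return {
        "source": primary,
        "authoritative": primary == authority,
        "cvss": candidates[primary],
        "alternatives": {n: c for n, c in candidates.items() if n != primary},
    }


def render_api_response(entry: dict[str, Any], rules=AUTHORITY_RULES) -> dict[str, Any]:
    """Produce the API view: original namespaces untouched, derived score under 'gsd'."""
    out = copy.deepcopy(entry)
    selected = select_cvss(entry, rules)
    if selected is not None:
        out.setdefault("namespaces", {}).setdefault("gsd", {})["cvss"] = selected
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(render_api_response(SAMPLE_ENTRY)["namespaces"]["gsd"], indent=2))
```

The third-party score is never dropped: it stays in its own namespace and is listed again under `alternatives`, so a consumer can still see that NVD rated the issue 9.8 while the project rated it 3.5, and the `authoritative` flag tells them which rule produced the primary value.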