Normally, if I need to check whether a CVE number is real, I google it and
see if it shows up on one of these web sites:
* https://nvd.nist.gov/vuln/search
* https://www.cve.org/CVERecord
* https://www.cvedetails.com/index.php
* https://cve.report

If so, then I feel good using it in the ruby-advisory-db "cve:"
field and add it to the "related:"/"url:" field.

Other sources include:
* CVE number in the http://blog.rubygems.org blog
* Project-specific comments, commits, issues, PRs, etc.
* CVE number on https://github.com/advisories or https://advisories.gitlab.com
* Advisory aggregator URLs (such as snyk, ubuntu, redhat, suse, debian, archlinux, puppet, or https://www.whitesourcesoftware.com/vulnerability-database)

What should our (ruby-advisory-db) policy be about deciding if a CVE number is verified as real?
Example
How would you improve this?