Dear Debian Security Team, My name is Yunhe Yang, and I am a Ph.D. student specializing in Computer Security. I am writing to discuss some observations and questions about the data on the Debian security tracker webpage and the downloadable JSON file for local database use.
In my research, I have been utilizing data from the Debian security tracker, which has been incredibly valuable. However, I have noticed some significant differences between the information available on the webpage and the data provided in the downloadable JSON file: Limited Information in JSON: The downloadable JSON file includes only the package name, ID, and a brief description of each vulnerability. In contrast, the webpage provides a much richer data set, including sources, release information, version, fixed version, and status. Advantages and Disadvantages: While the webpage's comprehensive source collection is highly beneficial for comparing different descriptions of the same vulnerability, the JSON file's limited information significantly reduces its utility. The absence of crucial details like fixed versions and status in the JSON file makes it less useful than the webpage data. Given the importance of detailed and comprehensive data for security research and analysis, I would like to know if there are plans to include more detailed information in the JSON file, similar to what is available on the webpage. This enhancement would greatly aid researchers like myself in conducting thorough and efficient analyses. I understand that maintaining and updating security databases requires significant effort, and I appreciate the valuable resources that Debian provides to the community. Any other information or insights you could give would be very helpful. Thank you for your time and consideration. I'm looking forward to any guidance or information you can give me. Best Regards, Yunhe Yang
