Is your enhancement request related to a problem? Please describe.
Products may have vulnerabilities in their own source code, not just in their dependencies. The Cyber Resilience Act mandates that companies selling products on the EU market will have to perform vulnerability management, coordinated vulnerability disclosure and provide public security advisories for when they have fixed vulnerabilities in their products, regardless of whether that is in their dependencies or the product itself.
Currently one would need a separate solution to manage vulnerabilities in the product itself. Thus there would be a split between vulnerability management for third-party dependencies in DejaCode and vulnerabilities in the product on a different platform. More likely the vulnerability management feature in DejaCode would not get used because of this split.
What are the benefits of the requested enhancement?
It would allow making DejaCode the one-stop shop for license compliance and vulnerability management. The current feature is already very nice, but unfortunately does not cover the complete needs for vulnerability management. If extended it could really be great for fulfilling compliance requirements. Exporting CSAF VEX this way would be especially useful for providing machine-readable information to users/customers.
Describe the solution you would like
The vulnerability management should be extended to allow the creation of one's own vulnerability entries that are associated with the product, rather than a package. This could perhaps be a separate section or tab. The general workflow can be the same as for vulnerabilities found in packages. Creation would require providing all relevant information that would otherwise be pulled from VulnerableCode, but cannot be done there as this is company-internal information at that point in time.
Additional notes
n.a.
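As an added example (not DejaCode's or VulnerableCode's code), this shows what a product-level vulnerability entry of the kind requested above would need to hold so that it can be exported as the CSAF VEX document mentioned under benefits, including the case where the flaw is still company-internal and has no CVE. The ProductVulnerability fields, the publisher, namespace and all sample values are assumptions; the document keys follow the CSAF 2.0 schema.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class ProductVulnerability:
    """Internal record of a flaw in the product's own code (not in a dependency)."""
    internal_id: str                    # advisory tracker id, constructed sample value
    product_name: str
    product_id: str                     # CSAF product_id, constructed
    description: str
    fixed: bool                         # True once the fix has shipped
    fixed_version: Optional[str] = None
    cve: Optional[str] = None           # stays None until a CVE is assigned

def to_csaf_vex(v: ProductVulnerability, publisher: str, namespace: str,
                now: Optional[datetime] = None) -> dict:
    """Build a CSAF 2.0 document using the csaf_vex profile for one vulnerability."""
    stamp = (now or datetime.now(timezone.utc)).replace(microsecond=0).isoformat()
    vuln = {
        "notes": [{"category": "description", "text": v.description}],
        # VEX requires a product_status; record whether this product is fixed or affected
        "product_status": {("fixed" if v.fixed else "known_affected"): [v.product_id]},
    }
    # CSAF needs a cve or at least one ids entry: the internal id fills in until a CVE exists
    if v.cve:
        vuln["cve"] = v.cve
    else:
        vuln["ids"] = [{"system_name": f"{publisher} advisory", "text": v.internal_id}]
    # known_affected products need an action statement (remediation) in the VEX profile
    vuln["remediations"] = [{
        "category": "vendor_fix" if v.fixed else "none_available",
        "details": f"Fixed in {v.fixed_version}" if v.fixed else "Fix in progress",
        "product_ids": [v.product_id],
    }]
    return {
        "document": {
            "category": "csaf_vex",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": publisher, "namespace": namespace},
            "title": f"{v.product_name}: {v.internal_id}",
            "tracking": {
                "id": v.internal_id, "status": "final", "version": "1",
                "initial_release_date": stamp, "current_release_date": stamp,
                "revision_history": [{"number": "1", "date": stamp, "summary": "Initial release"}],
            },
        },
        "product_tree": {"full_product_names": [{"name": v.product_name, "product_id": v.product_id}]},
        "vulnerabilities": [vuln],
    }
```

Once a CVE is assigned, setting `cve` on the record switches the export from the issuer-specific `ids` entry to the `cve` field without changing anything else in the document.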