Re: Merging Core and Extras affecting security updates

I would love to see something like this, but sadly there isn't a nice
automated way to match a CVE id to a given package.  I'd gladly hear ideas
on how to do this.

NVD try to do this when they create their entries based on CVE (usually they manage this before the CVE site gets updated, but after the CVENEW mails come out). They map each vuln to a product dictionary which we could map to package name, but it'll miss those cases where a vulnerability gets reported for something that affects multiple products (like some flaw being labelled as an Apple flaw when in fact it's in xpdf), or where things affect multiple products (an xpdf issue affects many open source projects).

example from
http://nvd.nist.gov/download/nvdcve-recent.xml

<vuln_soft>
	<prod name="slocate" vendor="slocate">
		<vers num="3.1"/>
	</prod>
</vuln_soft>

Mark

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list
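
The mapping described in the message above, as an added example that is not part of the original post or of any Fedora or NVD tooling. Only the `<vuln_soft>`/`<prod>`/`<vers>` shape comes from the post; the `<entry>` wrapper, the placeholder CVE ids, the `some_vendor` product and the hand-maintained `PRODUCT_TO_PACKAGES` table (including its package names) are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample feed. The <entry name="..."> wrapper and CVE ids are
# placeholders; only the <vuln_soft> block follows the excerpt in the post.
SAMPLE = """<nvd>
  <entry name="CVE-0000-0001"><vuln_soft>
    <prod name="slocate" vendor="slocate"><vers num="3.1"/></prod>
  </vuln_soft></entry>
  <entry name="CVE-0000-0002"><vuln_soft>
    <prod name="xpdf" vendor="xpdf"><vers num="3.0"/></prod>
  </vuln_soft></entry>
  <entry name="CVE-0000-0003"><vuln_soft>
    <prod name="some_os" vendor="some_vendor"><vers num="1.0"/></prod>
  </vuln_soft></entry>
</nvd>"""

# Hypothetical hand-maintained table: (vendor, product) -> distro packages.
# One upstream product can map to several packages that bundle its code.
PRODUCT_TO_PACKAGES = {
    ("slocate", "slocate"): ["slocate"],
    ("xpdf", "xpdf"): ["xpdf", "poppler", "kdegraphics"],
}


def match_entries(xml_text, mapping=PRODUCT_TO_PACKAGES):
    """Return (matches, unmapped).

    matches:  {cve_id: {package: [affected upstream versions]}}
    unmapped: [(cve_id, (vendor, product))] entries needing manual triage,
              e.g. a flaw filed under another vendor's product name.
    """
    matches, unmapped = {}, []
    for entry in ET.fromstring(xml_text).iter("entry"):
        cve = entry.get("name")
        for prod in entry.iter("prod"):
            key = (prod.get("vendor"), prod.get("name"))
            versions = sorted(v.get("num", "?") for v in prod.iter("vers"))
            packages = mapping.get(key)
            if packages is None:
                unmapped.append((cve, key))  # do not guess a package
                continue
            for pkg in packages:
                matches.setdefault(cve, {}).setdefault(pkg, []).extend(versions)
    return matches, unmapped


if __name__ == "__main__":
    matched, review = match_entries(SAMPLE)
    print("matched:", matched)
    print("needs manual review:", review)
```

The version numbers returned are upstream versions from the feed, so they still have to be compared against what each package actually ships or bundles.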
