Triage CVEs using automatic suggestions

[RaitoBezarius]

As a security team member, I may have a lot of untriaged CVEs, but a lot of them are noise.
I would like to focus on anything that could be related to Nixpkgs. For this, I need automatic suggestions based on weighted correlation analysis between CVEs and Nixpkgs metadata.

This is a record linkage problem: https://en.wikipedia.org/wiki/Record_linkage.

• Full text search and manually link CVEs and packages into a Nixpkgs security record

  • Add manual triage view #167

• Bulk triaging of automatic suggestions #178

• Search for particular CVEs #177

  For example, given a CVE on a software A on version range [R1, R2], I would like to have a list of candidates from Nixpkgs that can match this CVE and quickly triage if this is a non-problem, or if we are affected and on which channels.

• Automatic updates and suggestions based on GitHub events #6

• Use machine learning to improve automatic suggestions based on historic triage data #216

[fricklerhandwerk]

Closing this -- what now amounts to a -- tracking issue in favor of milestones that chunk up the completion of the workflows.