Comment 5 for bug 2032871

Thanks for sharing, we are looking to capture just the CVEs and impacted versions + patches available if any.

The OVAL data has far more metadata than we need, and all of its properties would need to be sanitized to make them generic enough, otherwise we would end up storing multiple entries in our advisory cache for the exact same item, just different release which we want to avoid. The CVE files you have in ubuntu-cve-tracker are perfect for this requirement. We don't even need to know the release beforehand since the CVE file will organically include new ones.