Efficient way to get the vulnerability details by source

[nekhtan]

Hello,

End goal: replace unassigned severity of an NVD vulnerability by the severity of its GHSA alias (if any).

To achieve that, I fetch all the vulnerabilities of a project using /v1/vulnerability/project/{uuid}.
This endpoints gives me the vulnerabilities and their aliases. Some of the aliases are also present in the response so I can get the severity directly, but some are not present (bug ?). For these missing aliases, I use the v1/vulnerability/source/{source}/vuln/{id} endpoint (I can't use /v1/vulnerability/{uuid} because I don't know the UUID of the alias). And here it gets messy: this endpoint by source returns ALL the components affected by the vulnerability. Hence the response might be reaaally big (I'm speaking tens of MB).

The question is: is there another way of retrieving the vulnerability details without knowing its DB's UUID and without retrieving a lot of extra data ? I get that this endpoint is designed primarily for the UI, but even there it looks a bit too much as the page takes quite a while to load (could be paged or unitary/async).

Side-question: would it be ok to add a parameter to offer the choice to retrieve or not the affected components ?

Thanks in advance for your insight !

[nscuro]

This also came up here: #4007

Quoting myself from that discussion:

I'll check this, the endpoint should definitely not return all affected components since I agree that does not scale. Will check that too.

[andreeaButerchi]

Hello @nscuro !

Please don't hesitate to let us know if any progress is made ;) We're looking forward for a more lightway solution!
Thank you very much for your help!
Andreea