Security advisories and JSA-2020-0001 (community.jitsi.org)
10 points by jupenur 2160 days ago
1 comment

Side note: I wish there was an accepted industry-wide, machine-readable format for security advisories. It's kind of a pain that every project out there defines their own way, ranging from atrocious blog posts:

https://chromereleases.googleblog.com/2020/02/stable-channel...

to plain text files:

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.t...

or custom XMLs:

https://www.openssl.org/news/vulnerabilities.xml

The CVRF standard promised to be this but is largely unused since it's fairly rigid and requires a lot of investment to get it right.

Even GitHub's advisories are fairly limited in the metadata they provide and only accessible through the GraphQL API.

What about CVE+CPE? The NIST NVD provides a CVE+CPE API for your machine-readable format, and CVEs are collected by MITRE.

Yes, but which open source project publishes CPEs for their vulnerability information? :-) Plus, an important part of every security advisory is specifying which versions are affected by a particular vulnerability versus which contain the fix and are thus no longer affected.
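As an added illustration of the "affected versus fixed" point above (example code, not from the thread or from any project named in it): a constructed advisory record whose affected ranges are expressed as introduced/fixed version events, plus a checker that classifies a given version. The schema, package name and advisory id are hypothetical placeholders.

```python
"""Evaluate a minimal machine-readable advisory against a version string."""
from typing import Dict, Optional, Tuple

# Constructed sample record (hypothetical schema). Each affected range is a
# list of events: the vulnerability was "introduced" at one version and
# "fixed" at another; a range with no "fixed" event is still open.
ADVISORY: Dict = {
    "id": "EXAMPLE-2020-0001",      # placeholder, not a real advisory id
    "package": "example-widget",    # placeholder package name
    "affected_ranges": [
        [{"introduced": "1.0.0"}, {"fixed": "1.4.2"}],
        [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}],
    ],
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '1.4.2' into a comparable tuple.

    Only plain numeric components are supported; anything else is rejected
    rather than silently compared as a string.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(advisory: Dict, version_text: str) -> bool:
    """Return True if the version lies in any range: introduced <= v < fixed."""
    version = parse_version(version_text)
    for events in advisory["affected_ranges"]:
        introduced: Optional[Version] = None
        fixed: Optional[Version] = None
        for event in events:
            if "introduced" in event:
                introduced = parse_version(event["introduced"])
            if "fixed" in event:
                fixed = parse_version(event["fixed"])
        if introduced is None:
            raise ValueError("affected range lacks an 'introduced' event")
        # The fixed version itself is no longer affected (half-open interval).
        if version >= introduced and (fixed is None or version < fixed):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("0.9", "1.4.1", "1.4.2", "2.0.5", "2.1.0"):
        print(candidate, "affected" if is_affected(ADVISORY, candidate) else "not affected")
```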