this is part of a work in progress to deal with more security identifiers than CVEs, like GNUTLS-SA and XSA