Support for alternative CVE identifiers
Xen has XSA-XXX and other projects might have their own internal numbering.
Should we add support for these ? it will make some checks impossible, like checking if CVE identifiers are missing their CVE- prefix