Is there a reliable, public registry (preferably in the form of an API) that records known security vulnerabilities in open source software?
Why would anyone want this?
I'm trying to emulate GitHub's Dependabot on a local server. It simply scans all repositories, checks dependencies for updates, and alerts the maintainer, but I have no way to tell them the update's severity. Most updates are completely innocuous (and not urgent at all). Yet a small portion are extremely serious and should be actioned immediately.
Ultimately, I would like to find a programmatic way of determining which open source library updates are regular updates vs. which ones contain vital security updates (i.e. without a human having to research each one).
For reference, here's an example of what Dependabot does (note the right-hand side, where it shows the severity of updates):