EUVD support in GHSA #7285
Description
Hello,
Yesterday I commented on an old issue, but I think it is better to open a new one :) (#5745)
According to the CRA (Cyber Resilience Act) requirements, generating an SBOM — and therefore performing vulnerability scanning — will become mandatory by the end of the year (September 2026 at the time of writing). As far as I understand, Dependabot relies on the GHSA database to detect vulnerabilities.
It would be highly valuable for European developers if GitHub could also support the EUVD, since the CRA mandates the use of EUVD instead of CVE. GitHub + GHSA + Dependabot already form a strong native tooling stack for automated vulnerability scanning, without requiring external tools — most of which currently do not support EUVD either.
The commonly mentioned issue is that the EUVD API is not well documented and currently only exposes CVE-based entries, but the database is expected to be populated with EUVD identifiers once the CRA becomes applicable. So yes, today EUVD is a "copy" of CVE IDs, but later EUVD IDs would be unique and not in the CVE database.
I'm commenting on this ticket to ask for your thoughts regarding potential EUVD support.
Is this something you are considering, and if so, is it planned before September 2026?
Thanks in advance.