Ambiguous Prospector vulnerability information pulling mechanism

[JafarAkhondali]

Looks like the use_nvd option is never used in the source code:

project-kb/prospector/datamodel/advisory.py

Line 319 in 68f4a96

use_nvd: bool = True,

And then the nvd is only used in the backend router?
Is there anyway to feed a raw statement or multiple descriptions (either structured or unstructured) to Prospector so it doesn't request them online, and retrieve fixed commits?

[copernico]

Hi, I guess your are right, this part of the code was left in an inconsistent state after some changes that were implemented in the past few months.

The original plan (which is still valid, although it is not reflected in the code currently) is to allow the user to provide a description instead of fetching it from the NVD. Because we seldom used this feature in our own work, this was sort of forgotten.

Unfortunately I'm quite busy at the moment on other parts of the project, especially finalising some empirical evaluation whose side- effect will hopefully be a few hundred more vulnerability statements, so I can't commit to providing a solution in the short term.
However, if you would like to contribute by fixing this broken feature, that would be very appreciated (and I could support by providing some guidance, if needed).