CloudSecurityAlliance / gsd-database

Global Security Database
https://gsd.id
Creative Commons Zero v1.0 Universal

[photon] Add ADVISORY references to VMWare Photon #2443

Closed captn3m0 closed 1 year ago

captn3m0 commented 1 year ago

Photon OS is a Linux based, open source, security-hardened, enterprise grade appliance operating system that is purpose built for Cloud and Edge applications.

Photon Advisories are published at https://github.com/vmware/photon/wiki/Security-Advisories. There are 4 major versions of Photon.

Photon 1 and 2 are out of support, so no further changes are expected: https://blogs.vmware.com/vsphere/2022/01/photon-1-x-end-of-support-announcement.html

This is a one-time Pull Request for now, that adds Photon Advisories to the references section. It goes down the list to find a suitable place to add the links:

  1. In the gsd.references section as an ADVISORY url
  2. GSD.references section, as an additional URL
  3. Create a new GSD.references section if GSD exists with list of URLs
  4. Create a new GSD section, with list of URLs, picking up the description from the CVE/NVD descriptions

I noticed https://nvd.nist.gov/vuln/detail/CVE-2022-43552 as missing (linked against https://github.com/vmware/photon/wiki/Security-Update-4.0-304).

Will change this into a daily automation somewhere, happy to contribute that as well or run it on my own somewhere. The code is currently at https://github.com/captn3m0/photon-advisories-gsd (MIT). This is done.

Can break this PR into slices if needed - whatever works best.
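The four-step fallback described above, worked through as an added example in Python. This is not the PR author's photon-advisories-gsd tool and not gsd-database code; it assumes an OSV-style `gsd.references` list of `{type, url}` objects, a legacy `GSD.references` list of bare URL strings, and (for step 4) that CVE/NVD data sits under a `namespaces` block keyed `nvd.nist.gov` (NVD JSON 1.1 layout) or `cve.org` (CVE JSON 5 layout). The sample records are constructed; only the advisory URL comes from the PR text.

```python
"""Insert an advisory URL into a GSD record using the PR's fallback order.

Added example, not the author's tool. Record layouts are assumptions.
"""
import copy

# Advisory URL quoted in the PR description.
ADVISORY_URL = "https://github.com/vmware/photon/wiki/Security-Update-4.0-304"

# Constructed sample records, one per fallback step (not real gsd-database data).
SAMPLES = {
    # Step 1: OSV-style `gsd.references` already present.
    "osv_style": {
        "gsd": {
            "id": "GSD-2022-43552",
            "references": [{"type": "WEB", "url": "https://example.invalid/existing"}],
        }
    },
    # Step 2: legacy `GSD` block that already carries a URL list.
    "legacy_with_refs": {
        "GSD": {"description": "legacy entry", "references": ["https://example.invalid/existing"]}
    },
    # Step 3: legacy `GSD` block with no references list yet.
    "legacy_no_refs": {"GSD": {"description": "legacy entry"}},
    # Step 4: neither `gsd` nor `GSD`; only upstream CVE/NVD data (assumed layout).
    "namespaces_only": {
        "namespaces": {
            "nvd.nist.gov": {
                "cve": {
                    "description": {
                        "description_data": [{"lang": "en", "value": "Constructed NVD description."}]
                    }
                }
            }
        }
    },
}


def description_from_namespaces(record):
    """Pick a description from NVD (JSON 1.1) or CVE (JSON 5) data, if either exists."""
    ns = record.get("namespaces", {})
    try:  # NVD JSON 1.1: cve.description.description_data[].value
        return ns["nvd.nist.gov"]["cve"]["description"]["description_data"][0]["value"]
    except (KeyError, IndexError, TypeError):
        pass
    try:  # CVE JSON 5: containers.cna.descriptions[].value
        return ns["cve.org"]["containers"]["cna"]["descriptions"][0]["value"]
    except (KeyError, IndexError, TypeError):
        return None


def add_advisory_reference(record, url):
    """Return (updated_record, step_taken); the input is not mutated.

    The insert is idempotent so a daily re-run does not duplicate URLs.
    """
    rec = copy.deepcopy(record)

    # Step 1: OSV-style gsd.references gets a typed ADVISORY entry.
    gsd = rec.get("gsd")
    if isinstance(gsd, dict) and isinstance(gsd.get("references"), list):
        refs = gsd["references"]
        if not any(isinstance(r, dict) and r.get("url") == url for r in refs):
            refs.append({"type": "ADVISORY", "url": url})
        return rec, 1

    # Steps 2 and 3: legacy GSD block, with or without an existing URL list.
    legacy = rec.get("GSD")
    if isinstance(legacy, dict):
        if isinstance(legacy.get("references"), list):
            step = 2
        else:
            legacy["references"] = []
            step = 3
        if url not in legacy["references"]:
            legacy["references"].append(url)
        return rec, step

    # Step 4: no GSD data at all; create it and borrow the CVE/NVD description.
    rec["GSD"] = {"references": [url]}
    desc = description_from_namespaces(rec)
    if desc:
        rec["GSD"]["description"] = desc
    return rec, 4


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        updated, step = add_advisory_reference(sample, ADVISORY_URL)
        print(f"{name}: step {step} -> {updated.get('gsd') or updated.get('GSD')}")
```

Returning the step number alongside the record makes the choice auditable in a batch run, and the deep copy plus membership checks mean the same advisory can be applied repeatedly without growing the reference lists.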

captn3m0 commented 1 year ago

Few questions about schema:

  1. There's both GSD and gsd fields used at the top-level. Which one is preferred? Are they both considered equivalent?
  2. There's both gsd.database_specific.GSD.references as well as gsd.references in some cases. Which one is preferred?
  3. In cases where no gsd exists (say CVE-2001-0526), how do we track lastModifiedDate for the GSD data?

captn3m0 commented 1 year ago

There's also package level information published at https://packages.vmware.com/photon/photon_cve_metadata/, could that be incorporated here as well?

oswalpalash commented 1 year ago

@kurtseifried ^

captn3m0 commented 1 year ago

Planning to publish the advisories in OSV format at https://github.com/captn3m0/photon-os-advisories, and register PHSA as a database prefix under the OSV schema.

captn3m0 commented 1 year ago

Now that the advisories are being published in OSV format at https://github.com/captn3m0/photon-os-advisories, I'm considering reworking this PR to switch to just providing references to the PHSA IDs instead (by using the related field).

With https://github.com/ossf/osv-schema/pull/107 merged, the PHSA identifier should count as valid, and get resolved accordingly.

joshbuker commented 1 year ago

@captn3m0

  1. gsd is preferred; we have some old data that has yet to be converted to the schema and styling definition. camelCase should be used for all key names.
  2. gsd.references is preferred, using OSV format.
  3. If gsd does not exist, I believe @kurtseifried has a script to auto-convert into the appropriate format.

While still a WIP, we do now have a schema definition: https://github.com/cloudsecurityalliance/gsd-tools/blob/main/gsd-schema/validation/schema.json

@kurtseifried @joshbressers Feel free to correct me if I'm off on any of these answers.

kurtseifried commented 1 year ago

We need to normalize the GSD data in order to support enrichment like this much more easily, closing for now.