The clean solution these days seems to be about querying the tracker via
the JSON entrypoint. It exposes that info, and avoids relying directly
on {CVE,DSA}/list. Modifying the DSA format itself is a bit involved,
and could have potentially far-reaching consequences.

After researching information about the JSON data, it turns out there's
only one entrypoint, exposing the entire tracker data as a single JSON
file. Not entirely ideal for our purpose (the download is 22M and does
take some time to download), but IMO it's definitely the proper way to
go about extracting the version associated with a CVE, rather than parsing
the clunkier {DSA,CVE}/list files.

The URL is https://security-tracker.debian.org/tracker/data/json (listed
from https://security-tracker.debian.org/tracker), and using any script
language against this JSON data it's quite trivial to get the version
fixing a given CVE, which should be the only thing missing for the
current DSA.

Cheers,

--Seb

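An added example, not part of the original message: a lookup of the version fixing a given CVE from a locally saved copy of the JSON export, so the 22M file is downloaded once and reused. The nesting (source package, then CVE id, then `releases`), the `status` and `fixed_version` keys, and the reading of `"0"` as "not affected" are assumptions about the export's layout; the sample data and the function names are constructed.

```python
import json

# Constructed sample in the layout the tracker's JSON export is assumed to use:
# source package -> CVE id -> "releases" -> release name -> status fields.
# Package names, CVE ids and versions are placeholders, not real tracker data.
SAMPLE = json.loads("""
{
  "examplepkg": {
    "CVE-0000-0001": {
      "releases": {
        "bookworm": {"status": "resolved", "fixed_version": "1.2.3-1+deb12u1"},
        "trixie": {"status": "open"}
      }
    }
  },
  "otherpkg": {
    "CVE-0000-0001": {
      "releases": {
        "bookworm": {"status": "resolved", "fixed_version": "0"}
      }
    },
    "CVE-0000-0002": {
      "releases": {
        "bookworm": {"status": "resolved", "fixed_version": "2.0-4"}
      }
    }
  }
}
""")

def load_tracker(path):
    """Load a locally saved copy of the JSON export (download once, reuse)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def fixed_versions(tracker, cve_id, release):
    """Map each source package carrying cve_id to its fixed version in release.

    The value is None while the issue is unfixed there; packages recorded with
    fixed_version "0" (assumed to mean "not affected") are left out.
    """
    result = {}
    for package, cves in tracker.items():
        rel = cves.get(cve_id, {}).get("releases", {}).get(release)
        if rel is None:
            continue  # CVE not tracked for this package/release
        version = rel.get("fixed_version") if rel.get("status") == "resolved" else None
        if version == "0":
            continue
        result[package] = version
    return result
```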