Hello all, I started to use https://security-tracker.debian.org/tracker/ and endpoint for JSON especially. Recently I bumped into weird issue. I noticed that all new binary packages for linux-image-amd64 <https://packages.debian.org/buster-backports/linux-image-amd64> are either from linux-signed-amd64 or linux-latest source packages based on the OS release. The issue is that security tracker doesn't display any security vulnerability for those two, see linux-signed-amd64 <https://security-tracker.debian.org/tracker/source-package/linux-signed-amd64>, linux-latest <https://security-tracker.debian.org/tracker/source-package/linux-latest>. It seems like all security issues are tracked for source package linux <https://security-tracker.debian.org/tracker/source-package/linux> only.
My script uses: 1) JSON endpoint to detect new CVE vulnerabilities/updates. 2) If it detects new update it resolves source package to binary one. However CVEs/updates are tracked only for linux source package. Linux source package isn't referenced to new binary packages for linux kernel. For that reason I cannot link these ... Please let me know if it is intentional that security issues aren't tracked for linux-signed-amd64 or linux-latest source packages. If so is there possibility how I can interconnect linux source package with these two or with binary package? for example with this one <https://packages.debian.org/buster/linux-image-amd64>. Thanks a lot for keeping CVE data up to date ! BR
