Hi, I am processing some of the security oval feeds from https://www.debian.org/security/oval/ and I noticed that the stretch oval feed (https://www.debian.org/security/oval/oval-definitions-stretch.xml) does not include CVE definitions (class="vulnerability"). Instead, stretch only has security advisories (DSAs with definition (class="patch").
Do you know if this is intentional or some kind of missing information? The oval feeds seem to be updated daily or multiple times a day according to the "last modified" date on those pages. Thanks for your help! Orest
