Security Vulnerabilities Application improvement to make it recommended again

My first thought is that we don’t need this as we’ll never publish a CVE without having an upgrade available unless we want to suggest the uninstall action. So whenever a top-level extension has a CVE and no upgrade available, suggest removing it.

Thinking again, I’m wondering if there could be a case where a third party releases a CVE targeting an XWiki extension without our consent. So maybe there could be an extra safeguard that if the CVE targets the XWiki namespace we ensure that it has been published by us, e.g., by verifying that its identifier corresponds to the GitHub repository that hosts the extension? For extensions that are not using an xwiki.org or xwiki.com namespace, I fear we’re out of luck and need to trust the CVE data. We should have the possibility to “block” the CVE through our CVE analysis feature, though. This would only affect top-level extensions that don’t originate from XWiki, which should be rare. In case this should change in the future, we could always add verification steps for other organizations, too.
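The decision rule sketched in the post (no upgrade for a top-level extension means "suggest uninstall", an advisory against an XWiki-namespaced extension is only accepted when it points at the extension's own XWiki-hosted GitHub repository, other namespaces are trusted as published, and the CVE analysis feature can block a record) written out as a small Python model. This is an added example, not code from XWiki or the Security Vulnerabilities Application; the `Extension` and `Advisory` classes, the namespace and GitHub-organisation constants, and all sample CVE identifiers are constructed assumptions, not the app's real data model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample model of an installed top-level extension (not XWiki's real data model).
@dataclass(frozen=True)
class Extension:
    id: str            # Maven-style coordinate, e.g. "org.xwiki.platform:xwiki-platform-example"
    version: str
    repository: str    # source repository URL taken from the extension's metadata


# Constructed sample model of a vulnerability record for an installed extension.
@dataclass(frozen=True)
class Advisory:
    cve: str
    extension_id: str
    fixed_version: Optional[str]   # None: no upgrade is available
    repository: Optional[str]      # repository the advisory claims to cover


# Hypothetical constants: the namespaces we treat as "ours" and the GitHub
# organisations our extensions are published from.
XWIKI_NAMESPACES = ("org.xwiki.", "com.xwiki.")
XWIKI_GITHUB_ORGS = ("https://github.com/xwiki/", "https://github.com/xwiki-contrib/")


def is_xwiki_namespace(extension_id: str) -> bool:
    return extension_id.startswith(XWIKI_NAMESPACES)


def advisory_is_trusted(adv: Advisory, ext: Extension) -> bool:
    """Extra safeguard from the post: an advisory against an XWiki-namespaced extension
    is accepted only if the repository it references is the extension's own repository
    and that repository lives under an XWiki GitHub organisation. For other namespaces
    there is no authority to check against, so the record is trusted as published."""
    if not is_xwiki_namespace(ext.id):
        return True
    return (
        adv.repository is not None
        and adv.repository == ext.repository
        and ext.repository.startswith(XWIKI_GITHUB_ORGS)
    )


def recommend(adv: Advisory, ext: Extension, blocked: frozenset) -> str:
    """Return the action the app should recommend for one advisory/extension pair."""
    if adv.cve in blocked:                 # blocked manually through the CVE analysis feature
        return "ignore: blocked by analysis"
    if not advisory_is_trusted(adv, ext):  # XWiki namespace but not published by XWiki
        return "ignore: not published by XWiki for an XWiki extension"
    if adv.fixed_version is not None:
        return f"upgrade to {adv.fixed_version}"
    return "uninstall"                     # top-level extension, CVE, no upgrade available


# Constructed sample data; the CVE numbers are placeholders, not real records.
CORE = Extension("org.xwiki.platform:xwiki-platform-example", "14.0",
                 "https://github.com/xwiki/xwiki-platform")
THIRD_PARTY = Extension("com.example:some-macro", "1.0",
                        "https://github.com/example/some-macro")

ADVISORIES = [
    Advisory("CVE-0000-0001", CORE.id, "14.1", "https://github.com/xwiki/xwiki-platform"),
    Advisory("CVE-0000-0002", CORE.id, None, "https://github.com/someone-else/fork"),
    Advisory("CVE-0000-0003", THIRD_PARTY.id, None, None),
    Advisory("CVE-0000-0004", THIRD_PARTY.id, None, None),
]
BLOCKED = frozenset({"CVE-0000-0004"})


def recommendations(advisories, extensions, blocked=BLOCKED) -> dict:
    """Map each advisory's CVE id to the recommended action for its extension."""
    by_id = {e.id: e for e in extensions}
    return {a.cve: recommend(a, by_id[a.extension_id], blocked) for a in advisories}


if __name__ == "__main__":
    for cve, action in recommendations(ADVISORIES, [CORE, THIRD_PARTY]).items():
        print(cve, "->", action)
```

The first record has an upgrade, so it is recommended; the second targets an XWiki extension but references a repository outside the XWiki organisations, so the safeguard drops it; the third is a non-XWiki extension with no fix, so uninstall is suggested; the fourth is silenced by the block list.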