Can a repo-level advisory be created with an existing GHSA ID? #4620
Unanswered
EliahKagan asked this question in Q&A
Replies: 0 comments
Advisories are sometimes imported into the GitHub Advisory Database from other advisory databases, such as RUSTSEC. When the software to which they pertain is hosted on GitHub, its repository maintainer may or may not also have issued a local advisory to be shown in the repository's Security tab. But for projects that choose to publish repository-level advisories, it can be useful to have a local advisory in the Security tab for each known reported vulnerability, including vulnerabilities that were not originally reported in that way.
Is there any way for a maintainer to create a repository-local advisory corresponding to an existing global advisory and sharing its GHSA ID, or to request that this be done? In some cases having a different GHSA ID for the repo-level advisory might be okay, but it has a few disadvantages:
This is motivated by the specific case of RUSTSEC-2023-0064/GHSA-rrjw-j4m2-mf34. (This should not be confused with the related but distinct vulnerability RUSTSEC-2024-0335/CVE-2024-32884/GHSA-98p4-xjmm-8mfh which does, as is ideal, have both global and repo-level advisories with the same GHSA ID as each other.) The idea that it would be useful to have a repo-level advisory with the same GHSA ID as GHSA-rrjw-j4m2-mf34 is discussed in GitoxideLabs/gitoxide#1457.
Although this is related to #4317, I believe my concern expressed there about obscuring the reporter was mostly misguided, and I am glad that PR was ultimately merged. The advisory text there does make clear who the reporter was, and readers are unlikely to misread my analyst credit. However, if I understand correctly, the credit situation could be further improved if there were a linked repo-local GHSA advisory, since then @vin01 could be credited there as reporter in its metadata, and that could be synced to the global advisory.
I understand if this is not feasible, but I figured I'd check since it seems like it could be helpful and the maintainer @Byron is amenable to it.