
Use shorter VULCOID #695

Closed
pombredanne opened this issue Apr 12, 2022 · 8 comments · Fixed by #700

Comments

@pombredanne
Collaborator

VULCOID-83718eba-2c1b-4bdf-8704-7581b1f02dbc is too long.
IMHO we should instead adopt something shorter.
For instance, GitHub uses GHSA-jfh8-c2jp-5v3q, e.g. likely four characters in a base64-like encoding.
We could adopt a similar scheme, or we could adopt something that is more memorable.

@Hritik14
Collaborator

How about VULCOID-YEAR-ABCD, where ABCD is any alphanumeric string (case insensitive)? It comes out to 36^4 = 1679616 per year, which is huge, and I wonder if we'll ever have that many vulnerabilities per year. Even if we do, we'll add one more character.

@TG1999
Contributor

TG1999 commented Apr 19, 2022

VULCOIDs now look something like this: VULCOID-4PH. They are not so random and they are also memorable. Here I am converting any id from base 10 to base 36; we can also decode them easily by going from base 36 to base 10. So what are your thoughts on this?

@Hritik14
Collaborator

@TG1999 That gives us 46656 vulnerabilities for life. We could add another character, but then it will be ever-growing. I still feel we should go the route of a year prefix, as the people at CVE did. Also, as the year will come from the data source, it might help a little while we're gathering VULCOIDs from multiple VulnerableCode installations.

@TG1999
Contributor

TG1999 commented Apr 19, 2022

@TG1999 That gives us 46656 vulnerabilities for life.

I doubt that: 36^4 = 1679616, and if we go on adding a 5th character that's 60 million vulnerabilities.

@pombredanne
Collaborator Author

pombredanne commented Apr 19, 2022

Do we want a namespace that would identify a VulnerableCode installation from all other installations?
The idea would be to ensure that different installations generate different vulnerability ids.
Or would we say that VULCOID is the namespace and is only usable with VulnerableCode's own installation?

@pombredanne
Collaborator Author

pombredanne commented Apr 19, 2022

Here is a suggestion for a vote:
We will compute and store a VULCOID-XXXX, where XXXX is variable length and is the uppercase base36 encoding of the id/pk of the Vulnerability model. XXXX is case-insensitive.
We can change this in the future.

@Hritik14
Collaborator

Further suggestions:

VULCOID-YEAR-ABCD

  • Year is hard to infer for all vulnerabilities.

VULCOID-ABC

  • Variable-length base 36 ABC.

VULCOID-[NAMESPACE-]ABC

  • Same as VULCOID-ABC but with a reserved space for NAMESPACE, which could be an identifier AboutCode supplies via ScanCode Toolkit or any other means. (Unique values such as GitHub usernames could also be leveraged.)

@pombredanne
Collaborator Author

With 4 votes, here is the pick for now.

Here is a suggestion for a vote:
We will compute and store a VULCOID-XXXX, where XXXX is variable length and is the uppercase base36 encoding of the id/pk of the Vulnerability model. XXXX is case-insensitive.

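The scheme picked above (variable-length uppercase base36 of the Vulnerability pk, case-insensitive on input) as an added example, not VulnerableCode's own code. The function names and the strict `VULCOID-` regex are my own choices; the `4PH` sample id comes from the thread.

```python
"""Encode a Vulnerability primary key as VULCOID-XXXX and decode it back.

Added example, not VulnerableCode's own implementation. Assumptions:
function names are hypothetical; XXXX is uppercase base36 of the pk,
variable length, accepted case-insensitively on input.
"""
import re

BASE36_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Strict pattern: int(s, 36) alone would also accept "+", "_" and whitespace,
# so validate the shape before converting rather than relying on int().
VULCOID_RE = re.compile(r"^VULCOID-([0-9A-Z]+)$")


def to_base36(n: int) -> str:
    """Uppercase base36 digits of a non-negative integer, no padding."""
    if n < 0:
        raise ValueError("pk must be non-negative")
    if n == 0:
        return "0"
    digits = []
    while n:
        n, remainder = divmod(n, 36)
        digits.append(BASE36_ALPHABET[remainder])
    return "".join(reversed(digits))


def vulcoid_from_pk(pk: int) -> str:
    """pk 6101 -> 'VULCOID-4PH' (the sample id shown in the thread)."""
    return f"VULCOID-{to_base36(pk)}"


def pk_from_vulcoid(vulcoid: str) -> int:
    """Case-insensitive decode; rejects anything that is not VULCOID-<base36>."""
    match = VULCOID_RE.match(vulcoid.strip().upper())
    if not match:
        raise ValueError(f"not a VULCOID: {vulcoid!r}")
    return int(match.group(1), 36)


def ids_with_length(n_chars: int) -> int:
    """Number of distinct ids expressible with exactly n base36 characters
    (3 -> 46656, 4 -> 1679616, 5 -> 60466176; the figures traded above)."""
    return 36 ** n_chars


if __name__ == "__main__":
    for pk in (0, 35, 36, 6101, 1679615):
        vid = vulcoid_from_pk(pk)
        assert pk_from_vulcoid(vid.lower()) == pk
        print(pk, "->", vid)
```

Because the encoding has no padding, ids are not lexically sortable by pk (`VULCOID-Z` sorts after `VULCOID-10`); sort by decoded pk where ordering matters.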
TG1999 added a commit to TG1999/vulnerablecode that referenced this issue Apr 22, 2022
Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
@TG1999 TG1999 linked a pull request Apr 22, 2022 that will close this issue
@Hritik14 Hritik14 mentioned this issue Jul 26, 2022