I would love to see something like this, but sadly there isn't a
nice
automated way to match a CVE id to a given package. I'd gladly hear ideas
on how to do this.
NVD try to do this when they create their entries based on CVE (usually
they manage this before the CVE site gets updated, but after the CVENEW
mails come out). They map each vuln to a product dictionary which we
could map to package name, but it'll miss those cases where a
vulnerability gets reported for something that affects multiple products
(like some flaw being labelled as an Apple flaw when in fact it's in
xpdf), or where things affect multiple products (a xpdf issue affects many
open source projects).
example from
http://nvd.nist.gov/download/nvdcve-recent.xml
<vuln_soft>
<prod name="slocate" vendor="slocate">
<vers num="3.1"/>
</prod>
</vuln_soft>
Mark