GCVE-BCP-10 : Improved Common Platform Enumeration for GCVE

Thanks a lot for the feedback and ideas. Many of your points align with issues we are currently facing in different parts of the format. We are still quite far from having something fully functional ;-).

I will reply with a separate message for each point to make follow-up easier.

UUID

Initially, I tried using UUIDv5 generation with a fixed PSK/NS to ensure consistency. The problem I ran into was data mirroring between vendors and products. In that case, I cannot use the same UUIDv5 for both, as this would create collisions and break uniqueness.

One possible approach would have been to use two PSKs/NS: one for vendors and one for products, in order to keep them separate. However, that introduces another issue, as you start to lose some visibility into the namespace within the UUID itself.

Because of that, I moved back to UUIDv4 generation. However, this also introduces the difficulty of non-deterministic UUID generation and the need to trust the initial import. The initial prototype uses the example below, and I detached from the original JSON format of NVD.

Another idea would have been to use a fixed UUIDv5, with the string representation including a prefix such as nist-cpe:<UUID> or gcve-cpe:<UUID>. This could allow the use of custom PSKs or namespaces, which could in fact be derived directly from the namespace itself and calculated easily. It would also mean that, when dealing with a standalone UUID, its origin would be immediately identifiable by default. My only fear is that we don’t make the unicity clear and we have many synonyms between namespaces without solving the original issue.

So I am still wondering what the best UUID strategy is for the entries.

Example of a proposed format

Vendor Element

    {
      "created_at": "2026-04-06T15:15:32.668186",
      "name": "misp",
      "notes": null,
      "title": "Misp",
      "updated_at": "2026-04-06T15:15:32.668187",
      "uuid": "62653321-c513-556c-a889-ef681b72044b"
    },
    {
      "created_at": "2026-04-06T19:26:27.980637",
      "name": "1000projects",
      "notes": "Test vendor",
      "title": "1000Projects",
      "updated_at": "2026-04-07T06:49:57.740094",
      "uuid": "080f2149-7a52-507c-aae7-66120f8ff911"
    },

Relationships

    {
      "approved_at": "2026-04-07T10:00:58.144175",
      "created_at": "2026-04-07T10:00:58.150844",
      "rationale": "",
      "relationship_type": "superseded-by",
      "source_product_uuid": null,
      "source_vendor_uuid": "080f2149-7a52-507c-aae7-66120f8ff911",
      "submitted_at": "2026-04-07T10:00:37.953639",
      "submitter_email": "",
      "submitter_name": "",
      "target_product_uuid": null,
      "target_vendor_uuid": "62653321-c513-556c-a889-ef681b72044b",
      "updated_at": "2026-04-07T10:00:58.150846"
    }
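The UUIDv5 options discussed in the post, as an added example that is not part of the original message or the prototype: a single shared namespace (vendor and product with the same name collide), and namespaces derived from the nist-cpe / gcve-cpe prefix and then split per entry kind. The root namespace, the "vendor"/"product" kind labels, the lowercase/trim normalization and all function names are assumptions made for illustration.

```python
import uuid

# Assumption: hypothetical root namespace; a real registry would publish its own.
ROOT_NS = uuid.uuid5(uuid.NAMESPACE_DNS, "cpe-registry.example")

KNOWN_PREFIXES = ("nist-cpe", "gcve-cpe")  # the two prefixes named in the post
KINDS = ("vendor", "product")              # assumed labels for the entry kinds


def shared_namespace_id(name: str) -> uuid.UUID:
    """Single namespace for everything: vendor 'misp' and product 'misp' collide."""
    return uuid.uuid5(ROOT_NS, name.strip().lower())


def derive_namespace(prefix: str, kind: str) -> uuid.UUID:
    """Namespace computed from the prefix string, then split per entry kind."""
    if prefix not in KNOWN_PREFIXES or kind not in KINDS:
        raise ValueError(f"unknown prefix or kind: {prefix!r}, {kind!r}")
    return uuid.uuid5(uuid.uuid5(ROOT_NS, prefix), kind)


def entry_id(prefix: str, kind: str, name: str) -> str:
    """Deterministic prefixed identifier of the form '<prefix>:<UUID>'."""
    normalized = name.strip().lower()  # assumed normalization before hashing
    return f"{prefix}:{uuid.uuid5(derive_namespace(prefix, kind), normalized)}"


def parse_entry_id(value: str) -> tuple[str, uuid.UUID]:
    """Split a prefixed identifier; reject unknown prefixes and non-v5 UUIDs."""
    prefix, sep, raw = value.partition(":")
    if not sep or prefix not in KNOWN_PREFIXES:
        raise ValueError(f"missing or unknown prefix: {value!r}")
    parsed = uuid.UUID(raw)
    if parsed.version != 5:
        raise ValueError(f"expected UUIDv5, got version {parsed.version}")
    return prefix, parsed


if __name__ == "__main__":
    print("shared namespace :", shared_namespace_id("misp"), "(same for vendor and product)")
    for prefix in KNOWN_PREFIXES:
        for kind in KINDS:
            print(f"{prefix} {kind:8}:", entry_id(prefix, kind, "misp"))
```

The same name hashed under nist-cpe and gcve-cpe gives two different UUIDs, so equivalence between them still has to be recorded explicitly, for example with relationship records like the one shown above.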