In the form of: "As a role performing task, I struggle with problem because reason."
As a CVE Consumer performing vulnerability management, I struggle to understand the extent to which Products I use and depend on are affected by vulnerabilities in upstream dependencies, because that information is hard to obtain consistently and at scale.
For example, is Windows 11 affected by a curl CVE? I want to know this so I have a better, more complete list of vulnerabilities to manage, and the information I need to manage them well. I can sometimes obtain this information manually, e.g., by reading prose advisories and matching Product names. It'd be nice to obtain this information in an automated way, in or via CVE.
This user story is being explored (hopefully soon) by the Supplier ADP (SADP) Pilot. I'm adding a user story here to highlight the Consumer side of the SADP Pilot.