Since the cve data is from Trivy/Grype, that should be osv.dev