Description
Update the UI/API to offer both the system description and the user description for a vulnerability. What I mean by "system description" is whatever string comes out of the reconciliation models, and "user description" is the most recent user-inputted description. What should happen when you go to a CVE page is that the description shown is the most recent user description - but since we may have discovered new sources since the last user edit, our system could have updated information. In this case, Mehdi has said we should still primarily display the user information, but maybe offer a button/dropdown to show our updated system information.
The logic around the database for these dueling descriptions is that the `vulnerability.description_id` column will always point to the most up-to-date information, whether that's from a user or the system. There's a new column in `description` called `is_user_generated` (1 if true, 0 if false), so you can get the user description with `select * from description where cve_id=? and is_user_generated=1 order by created_date desc limit 1` - and then if that has a different `description_id` than what's pointed to in the `vulnerability` table, it should trump the system description.
We should also have something similar for VDO/CVSS. They both have a `user_id` column that's null if they're system-generated and only set if the API put something in there following a user edit.
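As an added illustration of the description logic above (not code from this project), the following Python builds an in-memory SQLite copy of the two tables and returns both the text to show first and the newer system text to offer behind a dropdown. The `description` text column name, the `INTEGER` key type and the sample rows are assumptions; the CVE ids are placeholders.

```python
import sqlite3

# Constructed schema using the column names from the issue; the text
# column being called "description" is an assumption.
SCHEMA = """
CREATE TABLE description (
    description_id    INTEGER PRIMARY KEY,
    cve_id            TEXT NOT NULL,
    description       TEXT NOT NULL,
    is_user_generated INTEGER NOT NULL DEFAULT 0,
    created_date      TEXT NOT NULL
);
CREATE TABLE vulnerability (
    cve_id         TEXT PRIMARY KEY,
    description_id INTEGER REFERENCES description(description_id)
);
"""

# Constructed rows: a user edited the first CVE on day 2, then the system
# reconciled a newer description on day 3 and repointed description_id.
SAMPLE_ROWS = [
    (1, "CVE-0000-0001", "system text v1", 0, "2024-01-01"),
    (2, "CVE-0000-0001", "user text", 1, "2024-01-02"),
    (3, "CVE-0000-0001", "system text v2", 0, "2024-01-03"),
    (4, "CVE-0000-0002", "only system text", 0, "2024-01-01"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO description VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.executemany("INSERT INTO vulnerability VALUES (?,?)",
                     [("CVE-0000-0001", 3), ("CVE-0000-0002", 4)])
    return conn

def descriptions_for(conn, cve_id):
    """Return (primary, alternate): what to display first, and the newer
    system description to offer via a button/dropdown, or None."""
    latest = conn.execute(
        "SELECT d.description_id, d.description FROM vulnerability v "
        "JOIN description d ON d.description_id = v.description_id "
        "WHERE v.cve_id = ?", (cve_id,)).fetchone()
    if latest is None:
        return None, None
    user = conn.execute(
        "SELECT description_id, description FROM description "
        "WHERE cve_id = ? AND is_user_generated = 1 "
        "ORDER BY created_date DESC LIMIT 1", (cve_id,)).fetchone()
    if user is None or user[0] == latest[0]:
        return latest[1], None  # no user edit, or the user edit is the latest
    return user[1], latest[1]   # user text trumps; newer system text is offered
```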