OSV data does not always use the CVE as the top-level name for a vulnerability; a GHSA ID is often used instead. This can mislead people who search for vulnerabilities by CVE, which is more widely used than GHSA.
Take https://osv.dev/vulnerability/GHSA-jfh8-c2jp-5v3q, for example. Clair reads this critical vulnerability as GHSA-jfh8-c2jp-5v3q, which many people may not know is equivalent to CVE-2021-44228. When this vulnerability came out, many ACS customers wanted to know whether they were affected by CVE-2021-44228; if they searched for that name in Clair, they might not find it, because it is tracked as a GHSA instead.
The objective is to output all aliases for a vulnerability so that people can search for it by any of its names.
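A sketch of the lookup this objective implies, added here as an example and not taken from Clair's code: it indexes an OSV record under its `id` and every entry of its `aliases` field (both are OSV schema fields), so a search for the CVE name resolves to the GHSA record. The type and function names and the trimmed sample record are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: a trimmed OSV record using the identifiers from the text.
const sampleOSV = `{"id":"GHSA-jfh8-c2jp-5v3q","aliases":["CVE-2021-44228"]}`

// osvRecord holds only the OSV schema fields needed for name lookup.
type osvRecord struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
}

// AliasIndex (hypothetical name) maps each normalized name to primary OSV IDs.
type AliasIndex map[string][]string
func normalize(name string) string { return strings.ToUpper(strings.TrimSpace(name)) }

// Add parses one OSV JSON document and indexes its id and every alias.
func (idx AliasIndex) Add(doc []byte) error {
	var r osvRecord
	if err := json.Unmarshal(doc, &r); err != nil {
		return fmt.Errorf("parse OSV record: %w", err)
	}
	if r.ID == "" {
		return fmt.Errorf("OSV record has no id")
	}
next:
	for _, name := range append([]string{r.ID}, r.Aliases...) {
		key := normalize(name)
		for _, id := range idx[key] {
			if id == r.ID {
				continue next // already indexed under this name
			}
		}
		idx[key] = append(idx[key], r.ID)
	}
	return nil
}

// Lookup returns the primary IDs known under any name, CVE or GHSA alike.
func (idx AliasIndex) Lookup(name string) []string { return idx[normalize(name)] }

func main() {
	idx := AliasIndex{}
	fmt.Println(idx.Add([]byte(sampleOSV)), idx.Lookup("cve-2021-44228"))
}
```

Keys are case-folded and trimmed so that user-typed queries match, while the stored values keep the record's original `id`.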
- relates to: CLAIRDEV-43 Saving References of Vulnerabilities (To Do)
- split from: CLAIRDEV-4 Defect-oriented reporting (To Do)