doc: update examples to explain ghc-component and aliases

EXAMPLE_ADVISORY.md

@@ -23,8 +23,19 @@ related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"]
 
 # You can declare multiple affected packages
 [[affected]]
+
+# Declare the affected package/component via ONE of the
+# following options
+#
+# OPTION 1: package = hackage-package-name
 package = "package-name"
+#
+# OPTION 2: ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
+# ghc-component = "ghci"
+
+# CVSS vector.  Accepted versions: 2.0, 3.0, 3.1
 cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+
 # arch = ["x86", "x86_64"]
 # os = ["mingw32"]
 # declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}

README.md

@@ -49,8 +49,13 @@ capec = [123]
 # particular class of vulnerabilities?"
 keywords = ["ssl", "mitm"]
 
-# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
-# Request a CVE for your HSec vulns: https://iwantacve.org/
+# Vulnerability aliases, e.g. CVE or GHSA IDs.  This field is
+# optional, but it is strongly recommended to reference any known
+# aliases.
+#
+# A corresponding CVE is not required, but you can request one if
+# you want: https://iwantacve.org/
+#
 #aliases = ["CVE-2018-XXXX"]
 
 # Related vulnerabilities (optional)
@@ -72,8 +77,13 @@ url = "https://github.com/username/package/pull/139"
 # and the `versions` table.
 [[affected]]
 
-# Mandatory: name of the affected package on Hackage
+# Mandatory package component identifier; ONE of the following:
+#
+# OPTION 1: name of the affected package on Hackage
 package = "acme-broken"
+#
+# OPTION 2: component of GHC compiler suite
+# ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
 
 # Mandatory: a Common Vulnerability Scoring System score. More information
 # can be found on the CVSS website, https://www.first.org/cvss/.