rubysec / ruby-advisory-db

A database of vulnerable Ruby Gems

Home Page: https://rubysec.com

OSVDB - comes to CVE since OSVDB is dead

jasnow opened this issue · comments

Since the following OSVDB files have a "cve:" field, do you want their filename to be renamed as "CVE-" ...?
* gems/actionpack/OSVDB-100524.yml
* gems/actionpack/OSVDB-100525.yml
* gems/actionpack/OSVDB-100526.yml
* gems/actionpack/OSVDB-100527.yml
* gems/actionpack/OSVDB-100528.yml
* gems/actionpack/OSVDB-74616.yml
* gems/actionpack/OSVDB-77199.yml
* gems/activerecord/OSVDB-88661.yml
* gems/i18n/OSVDB-100528.yml
* gems/open-uri-cached/OSVDB-121701.yml
* gems/passenger/OSVDB-90738.yml
* gems/sidekiq/OSVDB-125676.yml
* gems/sidekiq-pro/OSVDB-126331.yml
* gems/spree_auth_devise/OSVDB-90865.yml
* gems/spree_auth/OSVDB-90865.yml
* gems/spree/OSVDB-69098.yml
* gems/spree/OSVDB-81505.yml
* gems/spree/OSVDB-81506.yml
* gems/spree/OSVDB-90865.yml
* gems/spree/OSVDB-91216.yml
* gems/spree/OSVDB-91217.yml
* gems/spree/OSVDB-91218.yml
* gems/spree/OSVDB-91219.yml
* gems/twitter-bootstrap-rails/OSVDB-109206.yml

Is the rule for filename naming: "Use CVE prefix if "cve:" field is known, then if "osvdb:" field is known, then if "ghsa:" field is known."?
The test code does not check for the above rule.
Thanks.

Let's rename all OSVDB- files to their CVE- equivalents, since OSVDB is no more.

Assuming they have a CVE.

@jasnow correct. Any OSVDB- files lacking a cve: should stay the same.

3 Duplicates:
fatal: destination exists, source=gems/spree/OSVDB-91219.yml, destination=gems/spree/CVE-2013-1656.yml
fatal: destination exists, source=gems/spree/OSVDB-91218.yml, destination=gems/spree/CVE-2013-1656.yml
fatal: destination exists, source=gems/spree/OSVDB-91216.yml, destination=gems/spree/CVE-2013-1656.yml

It looks like those three remaining OSVDB advisories all reference the same vulnerability, but just point to different locations within the spree source code. I think it's safe to merge them into one CVE-2013-1656 advisory and use the description from CVE-2013-1656.

Will merge all 4 into 1.
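An added example, not the repository's own tooling, that applies the CVE-then-OSVDB-then-GHSA naming rule agreed above and reports the "destination exists" case before any `git mv` runs. It assumes the advisory files use bare identifier fields (`cve: 2013-1656`, `osvdb: 91216`, `ghsa: xxxx-xxxx-xxxx`) and uses constructed sample advisories, with `YYYY-NNNN` as a placeholder CVE id:

```ruby
require "yaml"

# Filename rule from the thread: prefer the CVE id, then OSVDB, then GHSA.
# Assumes bare identifiers without a prefix (cve: 2013-1656, osvdb: 91216).
ID_FIELDS = [["cve", "CVE"], ["osvdb", "OSVDB"], ["ghsa", "GHSA"]].freeze

def canonical_basename(advisory)
  ID_FIELDS.each do |field, prefix|
    value = advisory[field]
    return "#{prefix}-#{value}.yml" unless value.nil? || value.to_s.empty?
  end
  nil
end

# Takes { "gems/<gem>/<file>.yml" => parsed YAML hash } and returns the safe
# renames plus every target claimed by more than one source or by a file that
# already exists, i.e. the "destination exists" case from the git mv output.
def plan_renames(advisories)
  claims = Hash.new { |h, k| h[k] = [] }
  advisories.each do |path, data|
    target = canonical_basename(data)
    claims[File.join(File.dirname(path), target)] << path if target
  end
  renames, collisions = {}, {}
  claims.each do |target, sources|
    movers = sources.reject { |s| s == target }   # already correctly named
    next if movers.empty?
    if movers.size > 1 || advisories.key?(target)
      collisions[target] = sources
    else
      renames[movers.first] = target
    end
  end
  { renames: renames, collisions: collisions }
end

# Constructed sample advisories (not the database's real files); the OSVDB ids
# and CVE-2013-1656 are those named in the thread, YYYY-NNNN is a placeholder.
SAMPLE = {
  "gems/spree/OSVDB-91216.yml" => "gem: spree\ncve: 2013-1656\nosvdb: 91216\n",
  "gems/spree/OSVDB-91218.yml" => "gem: spree\ncve: 2013-1656\nosvdb: 91218\n",
  "gems/spree/OSVDB-91219.yml" => "gem: spree\ncve: 2013-1656\nosvdb: 91219\n",
  "gems/spree/OSVDB-81505.yml" => "gem: spree\nosvdb: 81505\n",
  "gems/actionpack/OSVDB-74616.yml" => "gem: actionpack\ncve: YYYY-NNNN\nosvdb: 74616\n",
}.transform_values { |text| YAML.safe_load(text) }

if __FILE__ == $0
  plan_renames(SAMPLE)[:collisions].each { |to, from| puts "merge #{from.join(', ')} -> #{to}" }
end
```

Sources that already carry their canonical name are left alone, so an OSVDB- file without a cve: field is reported neither as a rename nor as a collision.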