Specifying CPE in nuspec

[lg2de]

Sometimes, we package components into new nuget packages, e.g. lightweight database runtime to be extracted while running the hosting application.
The database runtime is an external component which may get security vulnerabilities. Further it has a CPE which helps to identify which version is affected with vulnerabilities.

When packaging I would like to add some (well defined) meta data to the nuget package (nuspec file) with one or more CPEs related to this package.
Is there already an idea to

1. add custom meta data to nuspec file
2. convert data from PropertyGroup in csproj files into custom nuspec meta data
3. well defined meta data for one or more CPEs
4. well defined meta data for other component/product/version identifiers
   ?

Please note, that the vulnerability database in nuget.org will not solve this use case because this kind of package will never be published to public nuget.org.