Update instructions for a self-demo (#2219)

Reference in list of home-grown data sources.

docs/data.md

@@ -52,16 +52,19 @@ The following ecosystems have vulnerabilities encoded in this format:
     ([CC-BY 4.0](https://github.com/psf/advisory-database/blob/main/LICENSE))
 
 ## Converted data
+
 Additionally, the OSV.dev team maintains a conversion pipeline for:
 
 -   [Debian Security Advisories](https://storage.googleapis.com/debian-osv/index.html),
     using the conversion tools
     [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/tools/debian).
 -   [Alpine SecDB](https://storage.googleapis.com/cve-osv-conversion/index.html?prefix=osv-output/),
     using the conversion tools
-    [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/alpine).
+    [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/alpine),
+-   [NVD CVEs for open source software](https://storage.googleapis.com/cve-osv-conversion/index.html?prefix=osv-output/) using the conversion tools [here](https://github.com/google/osv.dev/tree/master/vulnfeeds/cmd/nvd-cve-osv)
 
 ## Covered Ecosystems
+
 Between the data served in OSV and the data converted to OSV the following ecosystems are covered.
 
 -   AlmaLinux
@@ -115,4 +118,4 @@ A list of all current ecosystems is available at
 ## Contributing Data
 If you a work with a project such as a Linux distribution and would like to contribute your security advisories, please follow the steps outlined in [CONTRIBUTING.md](https://github.com/google/osv.dev/blob/master/CONTRIBUTING.md#contributing-data)
 
-Data can be supplied either through a public Git repository, a public GCS bucket or to [REST API endpoints](contributing/rest-api-contribution.md).
+Data can be supplied either through a public Git repository, a public GCS bucket or to [REST API endpoints](contributing/rest-api-contribution.md).

vulnfeeds/cmd/nvd-cve-osv/README.md

@@ -1,10 +1,27 @@
-# Proof-of-concept code to leverage vulnfeeds for reasoning about C/C++ sources
+# Converting NVD CVEs for open source software to OSV
 
-This can be invoked as:
+Further context at [Introducing broad C/C++ vulnerability management support](https://osv.dev/blog/posts/introducing-broad-c-c++-support/)
+
+See [run_cve_to_osv_generation.sh](https://github.com/google/osv.dev/blob/master/vulnfeeds/cmd/nvd-cve-osv/run_cve_to_osv_generation.sh) for how this is invoked in Production.
+
+To see it in action on a single CVE:
 
-```shell
-go run cmd/nvd-cve-osv/main.go \
-  --nvd_json cve_jsons/nvdcve-1.1-2022.json \
 ```
+CVE=CVE-2024-3094
+
+git clone --recurse-submodules https://github.com/google/osv.dev
+
+cd osv.dev/vulnfeeds
+
+mkdir /tmp/nvd /tmp/nvd2osv
+
+(cd test_data && ./download_specific_cves $CVE)
+mv test_data/nvdcve-2.0/${CVE}.json /tmp/nvd
+gcloud storage cp "gs://osv-test-cve-osv-conversion/cpe_repos/cpe_product_to_repo.json" "/tmp"
+
+go run cmd/nvd-cve-osv/main.go \
+    --cpe_repos "/tmp/cpe_product_to_repo.json" \
+    --nvd_json "/tmp/nvd/${CVE}.json" \
+    --out_dir "/tmp/nvd2osv"
 
-Use `cmd/download-cves/main.go` for downloading the NVD JSON files
+cat /tmp/nvd2osv/*/*/${CVE}.json