My vote:
- separate command instead of colluded with yank
- warn by default with optional hard failure
- store a DWF ID for each vuln. Obtaining one automatically if one isn’t passed in explicitly is gravy.
- I would postpone any sort of severity scoring in the initial implementation. The existing methods (e.g. CVSS) are somewhat lousy and I’m worried trying to do anything else will turn into a giant bikeshedding debate. If people really have their hearts set on CVSS(v3), I wouldn’t be opposed though.