Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify remediation categories #540

Merged
merged 4 commits into from
May 18, 2022
Merged

Clarify remediation categories #540

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
51ab065
Clarify remediation categories
tschmidtb51 May 14, 2022
67c9210
Clarify remediation categories
tschmidtb51 May 14, 2022
93d381e
Nit: Two things are mutually exclusive
sthagen May 14, 2022
6e02be5
Clarify remediation categories
tschmidtb51 May 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
9 changes: 7 additions & 2 deletions csaf_2.0/prose/csaf-v2-editor-draft.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2744,10 +2744,15 @@ The value `workaround` indicates that the remediation contains information about
The value `mitigation` indicates that the remediation contains information about a configuration or deployment scenario that helps to reduce the risk of the vulnerability but that does not resolve the vulnerability on the affected product. Mitigations MAY include using devices or access controls external to the affected product. Mitigations MAY or MAY NOT be issued by the original author of the affected product, and they MAY or MAY NOT be officially sanctioned by the document producer.

The value `vendor_fix` indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.
This value contradicts with the categories `none_available` and `no_fix_planned` for the same product. Therefore, such a combination can't be used in the list of remediations.

The value `none_available` indicates that there is currently no fix available. The description SHOULD contain details about why there is no fix.
The value `none_available` indicates that there is currently no fix or other remediation available. The text in field `details` SHOULD contain details about why there is no fix or other remediation.
The values `none_available` and `vendor_fix` are mutually exclusive per product.

The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The description SHOULD contain details about why there will be no fix issued.
> An issuing party might choose to use this category to announce that a fix is currently developed. It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed.

The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field `details` SHOULD contain details about why there will be no fix issued.
The values `no_fix_planned` and `vendor_fix` are mutually exclusive per product.

##### 3.2.3.12.2 Vulnerabilities Property - Remediations - Date

Expand Down