
Add remediation information to security data in SPDX #101

Closed
goneall opened this issue Dec 12, 2018 · 4 comments
Labels: security (Adding Security Relevant information to SPDX)

Comments
goneall (Member) commented Dec 12, 2018

In the general meeting for SPDX, Mark Bauschke requested that, in addition to tracking specific security vulnerabilities, we allow for tracking whether a remediation has been applied for a specific vulnerability. There are two use cases:

  • A custom patch addressing the vulnerability has been applied to the version of the library for which the vulnerability has been noted
  • A vulnerability identified in a library has been confirmed not to apply to the package using the library (e.g. a feature which exposes the vulnerability is not used)
@kestewart kestewart added this to the 2.2 milestone Jun 11, 2019
@iamwillbar iamwillbar added the security Adding Security Relevant information to SPDX label Feb 11, 2020
kestewart (Contributor) commented:
Based on weekly call, moving this to 3.0 to align better with base + security profile discussions.

@kestewart kestewart modified the milestones: 2.2, 3.0 Mar 10, 2020
@kestewart kestewart modified the milestones: 3.0, 2.3 Aug 10, 2022
kestewart (Contributor) commented:

This has been fixed in 2.3 in Appendix K - see: https://spdx.github.io/spdx-spec/v2.3-RC1/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue

geckogreen commented:

I read the appendix "K.1.7 Linking to a code fix for a security issue" but do not understand how this solved the initial request to either

  • state that the linked patch was actually applied in the delivery, or
  • that the linked security issue does not apply to the delivery (e.g. by deleting a feature)

Can you please clarify how this can be achieved with the reference in Appendix K?

rnjudge (Contributor) commented Aug 3, 2023

The desire to communicate if a patch was actually applied or if the linked security issue does not apply sounds like a VEX use case. SPDX 3.0 has the capability to communicate this type of status using VEX relationships.

To communicate this in 2.3, I think you would need to use some type of package comment to explain in addition to linking to a code fix. Additionally, you could link to an ExternalReference VEX document.
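As an added example (not code from the SPDX project or from anyone in this thread): a small Python parser for the SPDX 2.3 tag-value form that pulls out a package's SECURITY ExternalRefs together with their ExternalRefComment and the PackageComment, so a consumer can see what the 2.3 workaround described above actually yields. The sample document, its package, URLs and advisory name are constructed placeholders, and the convention of linking a VEX document as a SECURITY `url` reference whose comment says "VEX" is an assumption for the example, not something the specification mandates.

```python
"""Pull remediation signals out of an SPDX 2.3 tag-value package section.

Added example, not SPDX project code: a SECURITY "fix" ExternalRef only says a
fix exists; whether it is applied here must live in comment text or a linked VEX.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. Package, URLs and advisory name are placeholders; the
# "url" ref carrying a VEX link (marked by "VEX" in its comment) is an assumed convention.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
PackageName: libexample
SPDXID: SPDXRef-libexample
PackageVersion: 1.4.2
PackageDownloadLocation: NOASSERTION
PackageComment: <text>Remediation: the fix referenced below is applied in this build.
The advisory's other finding does not apply because the affected parser is compiled out.</text>
ExternalRef: SECURITY advisory https://example.org/advisories/EXAMPLE-0001
ExternalRefComment: <text>Advisory covering the issue addressed by the fix below.</text>
ExternalRef: SECURITY fix https://example.org/libexample/commit/0123abcd
ExternalRefComment: <text>Applied as a vendor patch on top of 1.4.2.</text>
ExternalRef: SECURITY url https://example.org/vex/libexample-1.4.2.json
ExternalRefComment: <text>VEX statement for this build: not_affected.</text>
FileName: ./src/parser.c
SPDXID: SPDXRef-File-parser
"""

TEXT_RE = re.compile(r"^<text>(.*)</text>$", re.DOTALL)


@dataclass
class SecurityRef:
    ref_type: str          # advisory, fix, url, cpe23Type, ...
    locator: str
    comment: str = ""      # the ExternalRefComment that follows this ref, if any


@dataclass
class PackageSecurity:
    name: str
    spdx_id: str = ""
    version: str = ""
    comment: str = ""      # PackageComment: where 2.3 status text has to live
    refs: List[SecurityRef] = field(default_factory=list)


def iter_fields(doc: str):
    """Yield (tag, value) pairs, joining values that span lines inside <text>...</text>."""
    pending: Optional[tuple] = None
    for raw in doc.splitlines():
        if pending is not None:
            tag, buf = pending
            buf.append(raw)
            if raw.rstrip().endswith("</text>"):
                yield tag, "\n".join(buf)
                pending = None
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")   # split on the first colon only (URLs follow)
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>") and not value.endswith("</text>"):
            pending = (tag, [value])
        else:
            yield tag, value


def unwrap_text(value: str) -> str:
    match = TEXT_RE.match(value)
    return match.group(1).strip() if match else value


def parse_packages(doc: str) -> List[PackageSecurity]:
    """Collect per-package SECURITY references and comments from a tag-value document."""
    packages: List[PackageSecurity] = []
    current: Optional[PackageSecurity] = None
    for tag, value in iter_fields(doc):
        if tag == "PackageName":
            current = PackageSecurity(name=value)
            packages.append(current)
        elif tag in ("FileName", "SnippetSPDXID"):
            current = None      # file/snippet fields (e.g. their SPDXID) do not belong to the package
        elif current is None:
            continue            # document-level fields
        elif tag == "SPDXID":
            current.spdx_id = value
        elif tag == "PackageVersion":
            current.version = value
        elif tag == "PackageComment":
            current.comment = unwrap_text(value)
        elif tag == "ExternalRef":
            parts = value.split(maxsplit=2)   # <category> <type> <locator>
            if len(parts) == 3 and parts[0] == "SECURITY":
                current.refs.append(SecurityRef(parts[1], parts[2]))
        elif tag == "ExternalRefComment" and current.refs:
            current.refs[-1].comment = unwrap_text(value)
    return packages


def remediation_summary(pkg: PackageSecurity) -> Dict[str, object]:
    """Separate 'a fix exists' (fix refs) from 'status of this delivery' (comments, VEX link)."""
    fixes = [r for r in pkg.refs if r.ref_type == "fix"]
    vex_links = [r.locator for r in pkg.refs
                 if r.ref_type == "url" and "vex" in r.comment.lower()]   # assumed convention
    return {
        "package": f"{pkg.name}@{pkg.version}",
        "advisory_links": [r.locator for r in pkg.refs if r.ref_type == "advisory"],
        "fix_links": [r.locator for r in fixes],
        "vex_links": vex_links,
        # A fix link alone does not say the fix is in this build; free text carries that in 2.3.
        "status_text": [t for t in [pkg.comment] + [r.comment for r in fixes] if t],
        "status_is_machine_readable": bool(vex_links),
    }


if __name__ == "__main__":
    for pkg in parse_packages(SAMPLE_SPDX):
        for key, val in remediation_summary(pkg).items():
            print(f"{key}: {val}")
```

The summary makes the limitation of the 2.3 approach visible: the "applied" and "does not apply" statements come back only as free text in `status_text`, which a tool cannot act on, whereas the linked VEX document is the only part of the record a downstream consumer can evaluate without a human reading comments.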
