In the general meeting for SPDX, Mark Bauschke requested that in addition to tracking specific security vulnerabilities, we allow for tracking whether a remediation has been applied for a specific vulnerability. There are 2 use cases:

1. A custom patch addressing the vulnerability has been applied to the version of the library against which the vulnerability has been noted.
2. A vulnerability identified in a library has been confirmed not to apply to the package using the library (e.g. a feature which exposes the vulnerability is not used).
The desire to communicate if a patch was actually applied or if the linked security issue does not apply sounds like a VEX use case. SPDX 3.0 has the capability to communicate this type of status using VEX relationships.
To communicate this in 2.3, I think you would need to use some type of package comment to explain in addition to linking to a code fix. Additionally, you could link to an ExternalReference VEX document.
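The following is an added example, not code from the thread or from the SPDX project, showing how the two use cases above could be expressed: as SPDX 3.x VEX assessment relationships (a "fixed" relationship for the patched library, a "not affected" relationship with a justification for the consuming package), and as SPDX 2.3 tag-value ExternalRef lines in the SECURITY category plus a PackageComment. All element IDs, URLs and package names are constructed placeholders. The SPDX 3.0.1 JSON-LD type and property names (security_VexFixedVulnAssessmentRelationship, relationshipType fixedIn / doesNotAffect, security_justification, security_assessedElement) are written as I understand the published serialization and should be checked against the current schema before use.

```python
import json

# Constructed placeholder identifiers (assumptions, not from the issue thread).
VULN_ID = "https://example.com/spdx/vuln-CVE-0000-00000"
LIB_ID = "https://example.com/spdx/pkg-libfoo-1.2.3-patched"
APP_ID = "https://example.com/spdx/pkg-myapp-2.0.0"

# VEX justification values from the SPDX 3.0.1 VexJustificationType enum (assumed).
VEX_JUSTIFICATIONS = {
    "componentNotPresent",
    "vulnerableCodeNotPresent",
    "vulnerableCodeCannotBeControlledByAdversary",
    "vulnerableCodeNotInExecutePath",
    "inlineMitigationsAlreadyExist",
}


def vex_fixed(vuln_id, fixed_pkg_id, notes=None):
    """Use case 1: the vulnerability is remediated in fixed_pkg_id, e.g. by a
    custom patch applied to that library version. Relationship runs from the
    vulnerability to the element(s) in which it is fixed."""
    rel = {
        "type": "security_VexFixedVulnAssessmentRelationship",
        "spdxId": f"{fixed_pkg_id}/vex-fixed",
        "from": vuln_id,
        "to": [fixed_pkg_id],
        "relationshipType": "fixedIn",
        "security_vexVersion": "1",
    }
    if notes:
        rel["security_statusNotes"] = notes
    return rel


def vex_not_affected(vuln_id, product_id, assessed_id, justification=None, impact=None):
    """Use case 2: product_id ships assessed_id (the library) but is not
    affected. A not_affected statement must carry a machine-readable
    justification or an impact statement (the VEX minimum-requirements rule)."""
    if justification is None and impact is None:
        raise ValueError("not_affected needs a justification or an impact statement")
    if justification is not None and justification not in VEX_JUSTIFICATIONS:
        raise ValueError(f"unknown VEX justification: {justification}")
    rel = {
        "type": "security_VexNotAffectedVulnAssessmentRelationship",
        "spdxId": f"{product_id}/vex-not-affected",
        "from": vuln_id,
        "to": [product_id],
        "relationshipType": "doesNotAffect",
        "security_assessedElement": assessed_id,
        "security_vexVersion": "1",
    }
    if justification is not None:
        rel["security_justification"] = justification
    if impact is not None:
        rel["security_impactStatement"] = impact
    return rel


def spdx3_graph(relationships):
    """Wrap relationships in a minimal SPDX 3.0.1 JSON-LD document (context URL assumed)."""
    return {
        "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
        "@graph": list(relationships),
    }


def spdx23_package_lines(name, version, fix_url=None, vex_url=None, comment=None):
    """SPDX 2.3 tag-value fallback: link the fix and the VEX document via
    SECURITY-category ExternalRefs and explain the status in PackageComment."""
    lines = [f"PackageName: {name}", f"PackageVersion: {version}"]
    if fix_url:
        lines.append(f"ExternalRef: SECURITY fix {fix_url}")
    if vex_url:
        lines.append(f"ExternalRef: SECURITY url {vex_url}")
        lines.append("ExternalRefComment: <text>VEX document with the assessment for this package</text>")
    if comment:
        lines.append(f"PackageComment: <text>{comment}</text>")
    return lines


if __name__ == "__main__":
    doc = spdx3_graph([
        vex_fixed(VULN_ID, LIB_ID, notes="Backported upstream fix as a local patch"),
        vex_not_affected(VULN_ID, APP_ID, LIB_ID,
                         justification="vulnerableCodeNotInExecutePath",
                         impact="The affected feature of libfoo is never called"),
    ])
    print(json.dumps(doc, indent=2))
    print("\n".join(spdx23_package_lines(
        "libfoo", "1.2.3-patched",
        fix_url="https://example.com/patches/libfoo-fix.patch",
        vex_url="https://example.com/vex/myapp.json",
        comment="Custom patch applied; see linked fix and VEX document")))
```

For the 2.3 form, `fix` and `url` are among the SECURITY external reference types introduced in SPDX 2.3; the PackageComment carries the human-readable status the comment above refers to, since 2.3 has no structured field for it.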