DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add VEX support for 'Action Statement' in Dependency-Track #3250

Open surendrapathak opened 8 months ago

surendrapathak commented 8 months ago

Current Behavior

As per "VEX" Min Spec

For status "affected", a VEX statement MUST include one [action_statement] that SHOULD describe actions to remediate or mitigate [vul_id].

The logical map for Action Statement is vulnerability->recommendation

Recommendations of how the vulnerability can be remediated or mitigated.

Within DependencyTrack, setting Analysis to "Exploitable" does not allow specifying a separate "Action Statement". A logical fallback is "Details". However, details maps to analysis->detail and not to vulnerability->recommendation.

Proposed Behavior

For state 'exploitable', introduce or re-purpose a text box for providing an Action Statement that maps to vulnerability->recommendation in the specification.

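To make the field mapping above concrete, here is an added example (written for this page; it is not Dependency-Track's code and not part of the issue) that builds a minimal CycloneDX 1.5 VEX document and checks it against the Min-Spec rule quoted above. It shows why the "Details" fallback does not satisfy the rule: `analysis.detail` is free text on the analysis, while the action statement belongs in `vulnerability.recommendation`. The vulnerability id and component ref are constructed placeholders, and the check that a `not_affected` statement carries either a justification or an impact statement assumes the impact statement maps to `analysis.detail`; both are assumptions, not anything the issue or the spec text on this page states.

```python
"""Added example (not Dependency-Track's own code): build a CycloneDX 1.5 VEX
document and check it against the Min-Spec rule quoted in the issue.

Field mapping demonstrated:
  analysis.state            CycloneDX analysis state ("exploitable" == VEX "affected")
  analysis.detail           free text attached to the analysis (the UI's "Details")
  analysis.justification    enum, meaningful only for "not_affected"
  vulnerability.recommendation   the VEX "action statement"
The vulnerability id and component ref below are constructed placeholders.
"""
import json

# Enums from the CycloneDX 1.5 JSON schema, vulnerabilities[].analysis
STATES = {"resolved", "resolved_with_pedigree", "exploitable",
          "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}


def make_vex(vuln_id, bom_ref, state, detail=None, justification=None, recommendation=None):
    """Return a minimal CycloneDX 1.5 VEX document (one vulnerability) as a dict."""
    analysis = {"state": state}
    if detail is not None:
        analysis["detail"] = detail                  # analysis->detail
    if justification is not None:
        analysis["justification"] = justification    # analysis->justification
    vuln = {"id": vuln_id, "affects": [{"ref": bom_ref}], "analysis": analysis}
    if recommendation is not None:
        vuln["recommendation"] = recommendation      # vulnerability->recommendation
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": [vuln]}


def check_vex(doc):
    """Return a list of problem strings; an empty list means the document passes."""
    problems = []
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        justification = analysis.get("justification")
        if state not in STATES:
            problems.append(f"{vid}: unknown analysis.state {state!r}")
            continue
        # Min-Spec: an "affected" statement MUST include an action statement.
        # CycloneDX carries it in vulnerability.recommendation; text in
        # analysis.detail does not satisfy the rule.
        if state == "exploitable" and not vuln.get("recommendation"):
            problems.append(f"{vid}: state 'exploitable' without vulnerability.recommendation "
                            "(action statement); analysis.detail is not a substitute")
        # justification is an enum whose values only make sense for not_affected.
        if justification is not None:
            if justification not in JUSTIFICATIONS:
                problems.append(f"{vid}: unknown justification {justification!r}")
            elif state != "not_affected":
                problems.append(f"{vid}: justification {justification!r} only applies to "
                                f"state 'not_affected', not {state!r}")
        # Min-Spec: a not_affected statement needs a justification or an impact
        # statement. Assumption: the impact statement is carried in analysis.detail.
        if state == "not_affected" and justification is None and not analysis.get("detail"):
            problems.append(f"{vid}: state 'not_affected' without justification or impact statement")
    return problems


def fallback_vs_proposed():
    """Contrast the 'Details' fallback described in the issue with the proposed
    mapping. Returns (problems_for_fallback, problems_for_proposed)."""
    ref = "pkg:maven/org.example/app@1.0.0"   # constructed component ref
    vid = "CVE-0000-0000"                       # placeholder id, not a real CVE
    fallback = make_vex(vid, ref, "exploitable",
                        detail="Upgrade to 1.0.1 or disable the affected endpoint")
    proposed = make_vex(vid, ref, "exploitable",
                        detail="Reachable from the public REST API",
                        recommendation="Upgrade to 1.0.1 or disable the affected endpoint")
    return check_vex(fallback), check_vex(proposed)


if __name__ == "__main__":
    bad, good = fallback_vs_proposed()
    print("fallback (detail only):", bad)
    print("proposed (recommendation):", good)
    print(json.dumps(make_vex("CVE-0000-0000", "pkg:maven/org.example/app@1.0.0",
                              "not_affected", justification="code_not_reachable"), indent=2))
```

Running it flags the fallback document (action text placed only in `analysis.detail`) and accepts the proposed one, where the same text sits in `vulnerability.recommendation`; it also rejects a justification attached to any state other than `not_affected`, which is the point nscuro makes below about the justification enum.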

nscuro commented 8 months ago

Thanks for raising this @surendrapathak!

Looking at the spec, the justification node is an enum, for which the predefined values only make sense when the analysis state is "not-affected": https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_analysis_justification

Did you mean to write vulnerability.recommendation instead perhaps?

surendrapathak commented 8 months ago

Ohh, sorry about that. That's exactly what I meant. Thanks for reading my mind :) Description updated to reflect recommendation instead of justification.