Open surendrapathak opened 8 months ago
Thanks for raising this @surendrapathak!
Looking at the spec, the justification node is an enum, for which the predefined values only make sense when the analysis state is "not-affected": https://cyclonedx.org/docs/1.5/json/#vulnerabilities_items_analysis_justification
Did you mean to write vulnerability.recommendation instead perhaps?
Ohh, sorry about that. That's exactly what I meant. Thanks for reading my mind :)
Description updated to reflect recommendation instead of justification.
Current Behavior
As per the "VEX" Min Spec, the logical map for Action Statement is vulnerability->recommendation.
Within DependencyTrack, setting Analysis to "Exploitable" does not allow specifying a separate "Action Statement". A logical fallback is "Details". However, details maps to analysis->detail and not to vulnerability->recommendation.
Proposed Behavior
For state 'exploitable', introduce or re-purpose a text box for providing an Action Statement that maps to vulnerability->recommendation in the specification.