Closed terriko closed 1 month ago
If anyone wants to tackle this issue, you can ping me too if you need any help or if you get stuck somewhere.
Tagging @mastersans to look at this more -- we may need to switch to triage.json and fix some of the entries.
In #3969, @mastersans has added a TRIAGE.vex file. Right now it marks our false positives but doesn't give a whole lot of detail as to why these things are false positives. In most cases right now, it's detecting a library with the same name that's clearly written in another language and is not the same package, but that's not inherently obvious on a per-CVE basis.
I'd like to add some human readable explanation to the file. I forget off the top of my head if it's comments or remarks and what part of the data structure it should go in, but there should be a way to do this.