New value: "patch_for_not_affected" or similar in "remediation"

[santosomar]

The TC voted on June 29th, 2022 to add a new field to CSAF 2.1, as requested per Feng Cao in the following email: https://www.oasis-open.org/apps/org/workgroup/csaf/email/archives/202206/msg00006.html

Dear TC members,

I'd like to discuss about adding a new value for "category" in
"remediation".

Problem:

The third party CVEs will be announced in advisories. Some of them are
re-scored with CVSSv3.1 = 0.0. "known_not_affected" is used in
"product_status". In "remediation", "category" doesn't have a matching
value for "known_not_affected"

(the question on why to announce them with CVSSv3.1=0.0 is to provide
the info to the customers, as their scanners might catch the third party
components, and then they will ask the support).

Solution:

Add a new value, such as "patch_for_not_affected".

Thanks,

Feng Cao, PHD, CISSP, PMP
Oracle Security Alerts

[santosomar]

FYI only: A similar suggestion for "remediation" fields was proposed at https://github.com/oasis-tcs/csaf/issues/662

[santosomar]

Other suggestions from the TC about the naming for the field:

• optional_patch
• RegulatoryCompliancePatch
• unnecessary_patch

[tschmidtb51]

This is related to #665

[tschmidtb51]

@santosomar Was there a motion regarding the addition? If so, please link it here and state the result.

[santosomar]

Yes, indeed.

https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2022/2022-06-29.md

Quote:

Feng Cao suggested the consideration of adding a new value under remediations for "patch_for_not_affected". The suggestion was sent via email.

• Omar set motion to include Feng’s recommendations for 2.1 as an addition to CSAF in current version.

• Denny second the motion.

• Motion of adding new remediation has passed. This is documented in issue #563.

[tschmidtb51]

@santosomar: Thank you - I read over the first sentence.

[tschmidtb51]

@fjscao: Please have a look at the suggestion in #804