oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Consider adding an "unknown" state to CSAF and eventually VEX #638

Open santosomar opened 1 year ago

santosomar commented 1 year ago

There is an expectation when someone selects "under_investigation" that someone is actively investigating the issue (including the vendor). That is not necessarily true. In some cases, vendors will not investigate a vulnerability (e.g., when the product is end-of-life [EoL] or end-of-support [EoS]). Since "under_investigation" is the default value, perhaps we can add a new option called "unknown" or document that "under_investigation" also could mean unknown or that the software provider / vendor will not investigate.

tschmidtb51 commented 1 year ago

I guess the unknown state is better than having under_investigation mean it is actually not under investigation... With the current specification of CSAF, I would:

tschmidtb51 commented 1 year ago

If this should be included in VEX specifically, it needs to be brought up and discussed in CISA's VEX meetings... For CSAF in general, the TC can decide to add such a state...

santosomar commented 1 week ago

A motion was moved by Omar to include the support of an unknown state suggested in this issue, during the CSAF TC monthly meeting on 2024-10-30. The motion was seconded by Stefan. The motion passed.
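As an added illustration (not code from the CSAF project or from this thread), a consumer-side check that treats "under_investigation", and the proposed "unknown" state, as open items rather than as evidence that the vendor is working on the issue. The document, product IDs, vulnerability title and the "unknown" product_status key are constructed assumptions; only the other status keys are CSAF 2.0's.

```python
import json

# Constructed CSAF 2.0 VEX-style document (not a real advisory).
# "under_investigation" is the status discussed in this issue; "unknown"
# is the state proposed here and is NOT part of CSAF 2.0.
SAMPLE_VEX = json.dumps({
    "document": {"category": "csaf_vex", "title": "constructed example"},
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "Widget 1.0 (EoL)"},
        {"product_id": "CSAFPID-0002", "name": "Widget 2.0"},
    ]},
    "vulnerabilities": [{
        "title": "constructed vulnerability",
        "product_status": {
            "under_investigation": ["CSAFPID-0001"],
            "known_not_affected": ["CSAFPID-0002"],
        },
    }],
})

# Statuses that give a consumer no assessment to act on.
UNRESOLVED = ("under_investigation", "unknown")


def unresolved_products(vex_json: str) -> dict:
    """Map each vulnerability id to the products whose status gives no answer.

    Returns {vuln_id: {product_id: (status_key, product_name)}}.
    """
    doc = json.loads(vex_json)
    tree = doc.get("product_tree", {})
    names = {p["product_id"]: p["name"]
             for p in tree.get("full_product_names", [])}
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        vuln_id = vuln.get("cve") or vuln.get("title", "<no id>")
        status = vuln.get("product_status", {})
        pending = {}
        for key in UNRESOLVED:
            for pid in status.get(key, []):
                pending[pid] = (key, names.get(pid, pid))
        if pending:
            result[vuln_id] = pending
    return result


if __name__ == "__main__":
    for vuln_id, pending in unresolved_products(SAMPLE_VEX).items():
        for pid, (state, name) in pending.items():
            # Track these as open items; the status alone does not prove
            # that anyone is actively investigating.
            print(f"{vuln_id}: {name} ({pid}) is '{state}', no assessment yet")
```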