luhring
commented
1 year ago Here's the relevant excerpt from that doc (section 2.7.1.1.1):
For [status] “not_affected”, if [justification] is not provided, then a VEX statement MUST provide an [impact_statement] that further explains how or why the listed [product_id]s are “not_affected” by [vul_id].
I believe the OpenVEX spec complies with the Minimum Requirements already. The Minimum Requirements require an impact_statement only when BOTH the status is "not_affected" AND when a justification is not provided.
Here's the relevant excerpt from the OpenVEX spec:
For statements conveying a not_affected status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. An impact statement is a free form text containing a description of why the vulnerability cannot be exploited. This field is not intended to be machine readable so its use is highly discouraged for automated systems.
nishakm
The current Minimum Requirements for VEX document requires an "impact_statement" when justification is "not_affected" or similar. Practically, a security auditor may want to look at the reason the author applied a justification and either add their own vex statement or revert the statement.