Closed nishakm closed 1 year ago
Here's the relevant excerpt from that doc (section 2.7.1.1.1):
For [status] “not_affected”, if [justification] is not provided, then a VEX statement MUST provide an [impact_statement] that further explains how or why the listed [product_id]s are “not_affected” by [vul_id].
I believe the OpenVEX spec complies with the Minimum Requirements already. The Minimum Requirements require an impact_statement only when BOTH the status is "not_affected" AND when a justification is not provided.
Here's the relevant excerpt from the OpenVEX spec:
For statements conveying a not_affected status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. An impact statement is a free form text containing a description of why the vulnerability cannot be exploited. This field is not intended to be machine readable so its use is highly discouraged for automated systems.
@luhring Thanks! I realize the problem is not with the spec itself but vexctl
. I'll close this issue and refile it under that project.
The current Minimum Requirements for VEX document requires an "impact_statement" when justification is "not_affected" or similar. Practically, a security auditor may want to look at the reason the author applied a justification and either add their own vex statement or revert the statement.