Let's consider a CVE c that impacts a product with version x. This CVE is fixed in product version y.
According to the OpenVEX specs, the field 'Action_Statement' under 'Statement' can contain data for fixes/mitigations.
When constructing a VEX report for x, would it be right to show c with status 'Affected' and put both x & y under 'Action_Statement'?
P.S. I'm not sure of the correct forum to ask this, but found this repo active.
Please redirect me if this is not the right place.