Description
As the SADP pilot is ongoing, unaffected products will be put into the ADP so that users can be informed about these products. Many users want to know why these products are unaffected and seek a VEX status justification.
VEX status justification document: https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf
The current CVE JSON schema doesn't provide a VEX status justification for the "unaffected" status.
The proposal is to provide a VEX status justification for "unaffected" in the CVE JSON Schema as early as possible.
The current "status":
"status": {
  "description": "The vulnerability status of a given version or range of versions of a product. The statuses 'affected' and 'unaffected' indicate that the version is affected or unaffected by the vulnerability. The status 'unknown' indicates that it is unknown or unspecified whether the given version is affected. There can be many reasons for an 'unknown' status, including that an investigation has not been undertaken or that a vendor has not disclosed the status.",
  "type": "string",
  "enum": ["affected", "unaffected", "unknown"]
},
Should be replaced by:
"oneOf": [
  {
    "title": "affected product. This is the same as AFFECTED in VEX",
    "properties": {
      "status": {
        "type": "string",
        "enum": ["affected"]
      }
    }
  },
  {
    "title": "unknown product. This may be referred to as UNDER INVESTIGATION in VEX",
    "properties": {
      "status": {
        "type": "string",
        "enum": ["unknown"]
      }
    }
  },
  {
    "title": "unaffected product. This is the same as NOT AFFECTED in VEX",
    "properties": {
      "status": {
        "type": "string",
        "enum": ["unaffected"]
      },
      "vex_justification": {
        "type": "string",
        "enum": [
          "component_not_present",
          "inline_mitigations_already_exist",
          "vulnerable_code_cannot_be_controlled_by_adversary",
          "vulnerable_code_not_in_execute_path",
          "vulnerable_code_not_present"
        ]
      }
    },
    "required": ["status"]
  }
]
Note:
- "affected" and "unknown" can be combined. They are separated out here in case a VEX status justification is added for them in the future.
- "fixed" can be added to be consistent with VEX.
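To see how the proposed "oneOf" fragment behaves on real version records, here is an added example (it is not code from the CVE JSON schema project). It embeds the fragment above as a Python structure and evaluates only the JSON Schema keywords the fragment uses ("properties", "type", "enum", "required", and "oneOf" meaning exactly one branch matches); it is a hand-written evaluator for this fragment, not a general JSON Schema validator, and the sample records are constructed.

```python
"""Evaluate the proposed CVE 'status' oneOf fragment against sample records.

Added example, not part of the CVE JSON schema project. Implements just the
subset of JSON Schema semantics the proposed fragment relies on.
"""

# Enum values copied from the proposal in the issue text.
VEX_JUSTIFICATIONS = [
    "component_not_present",
    "inline_mitigations_already_exist",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_not_present",
]

# The proposed fragment as a Python structure (constructed from the issue text).
PROPOSED_STATUS_SCHEMA = {
    "oneOf": [
        {
            "title": "affected product. This is the same as AFFECTED in VEX",
            "properties": {"status": {"type": "string", "enum": ["affected"]}},
        },
        {
            "title": "unknown product. This may be referred to as UNDER INVESTIGATION in VEX",
            "properties": {"status": {"type": "string", "enum": ["unknown"]}},
        },
        {
            "title": "unaffected product. This is the same as NOT AFFECTED in VEX",
            "properties": {
                "status": {"type": "string", "enum": ["unaffected"]},
                "vex_justification": {"type": "string", "enum": VEX_JUSTIFICATIONS},
            },
            "required": ["status"],
        },
    ]
}


def _matches_property(value, prop_schema):
    """Check one value against a {"type": "string", "enum": [...]} sub-schema."""
    if prop_schema.get("type") == "string" and not isinstance(value, str):
        return False
    if "enum" in prop_schema and value not in prop_schema["enum"]:
        return False
    return True


def _matches_branch(record, branch):
    """A branch matches when every 'required' key is present and every listed
    property that IS present satisfies its sub-schema. Absent properties and
    keys the branch does not list are not checked, exactly as JSON Schema's
    'properties' keyword behaves."""
    for key in branch.get("required", []):
        if key not in record:
            return False
    for key, prop_schema in branch.get("properties", {}).items():
        if key in record and not _matches_property(record[key], prop_schema):
            return False
    return True


def validate_status(record, schema=PROPOSED_STATUS_SCHEMA):
    """Return (ok, titles_of_matching_branches).

    'oneOf' is satisfied only when exactly one branch matches; zero matches
    (bad status or bad justification) and two or more matches (ambiguous
    record) are both failures."""
    matching = [b["title"] for b in schema["oneOf"] if _matches_branch(record, b)]
    return len(matching) == 1, matching


if __name__ == "__main__":
    # Constructed sample version records in the shape of a CVE 'versions' entry.
    samples = [
        {"version": "1.0", "status": "affected"},
        {"version": "2.0", "status": "unaffected",
         "vex_justification": "vulnerable_code_not_present"},
        {"version": "2.1", "status": "unaffected",
         "vex_justification": "not_a_listed_justification"},  # rejected: bad enum
        {"version": "3.0", "status": "fixed"},                 # rejected: not proposed
        {"version": "4.0"},                                    # rejected: ambiguous
    ]
    for rec in samples:
        ok, titles = validate_status(rec)
        print(rec.get("version"), "OK" if ok else "REJECTED", titles)
```

Running the samples shows one property of the proposal worth noting in review: a record with "status": "affected" plus a "vex_justification" key still passes, because the affected branch does not list that property and JSON Schema "properties" only constrains keys it names. If a justification should be meaningful only for "unaffected", the affected and unknown branches would need to forbid it explicitly.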