Optional Patch

- addresses parts of oasis-tcs#563 - add value "optional_patch" - adapt prose
tschmidtb51 · Oct 24, 2024 · 0ad4ed7 · 0ad4ed7
1 parent 13237a3
commit 0ad4ed7
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 3 deletions.
diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json
@@ -1338,6 +1338,7 @@
                     "mitigation",
                     "no_fix_planned",
                     "none_available",
+                    "optional_patch",
                     "vendor_fix",
                     "workaround"
                   ]

diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md
@@ -633,6 +633,7 @@ Valid values are:
     mitigation
     no_fix_planned
     none_available
+    optional_patch
     vendor_fix
     workaround
 ```
@@ -650,20 +651,31 @@ and they MAY or MAY NOT be officially sanctioned by the document producer.
 The value `vendor_fix` indicates that the remediation contains information about an official fix that
 is issued by the original author of the affected product.
 Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability.
-This value contradicts with the categories `none_available` and `no_fix_planned` for the same product.
+This value contradicts with the categories `none_available`, `no_fix_planned` and `optional_patch` for the same product.
 Therefore, such a combination can't be used in the list of remediations.
 
+The value `optional_patch` indicates that the remediation contains information about an patch that
+is issued by the original author of the affected product.
+Its application is not necessary, but might be desired by the user, e.g. to calm a security scanner by
+updating a dependency to a fixed version even though the dependency in the affected version was used
+in the product in a way that the product itself was not affected.
+Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability.
+This value contradicts with the categories `none_available`, `no_fix_planned` and `vendor_fix` for the same product.
+Therefore, such a combination can't be used in the list of remediations.
+
+> This is sometimes also referred to as a "regulatory compliance patch".
+
 The value `none_available` indicates that there is currently no fix or other remediation available.
 The text in field `details` SHOULD contain details about why there is no fix or other remediation.
-The values `none_available` and `vendor_fix` are mutually exclusive per product.
+The values `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive per product.
 
 > An issuing party might choose to use this category to announce that a fix is currently developed.
 It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed.  
 
 The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time.
 This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated.
 The text in field `details` SHOULD contain details about why there will be no fix issued.
-The values `no_fix_planned` and `vendor_fix` are mutually exclusive per product.
+The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually exclusive per product.
 
 ##### Vulnerabilities Property - Remediations - Date