From 0ad4ed7db11b18742289ab2cbaf7f894d36926c4 Mon Sep 17 00:00:00 2001 From: tschmidtb51 <65305130+tschmidtb51@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:15:49 +0200 Subject: [PATCH] Optional Patch - addresses parts of oasis-tcs/csaf#563 - add value "optional_patch" - adapt prose --- csaf_2.1/json_schema/csaf_json_schema.json | 1 + ...ema-elements-02-props-04-vulnerabilities.md | 18 +++++++++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/csaf_2.1/json_schema/csaf_json_schema.json b/csaf_2.1/json_schema/csaf_json_schema.json index 6cdd283c..8ad7bcb7 100644 --- a/csaf_2.1/json_schema/csaf_json_schema.json +++ b/csaf_2.1/json_schema/csaf_json_schema.json @@ -1338,6 +1338,7 @@ "mitigation", "no_fix_planned", "none_available", + "optional_patch", "vendor_fix", "workaround" ] diff --git a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md index af56fb69..311a49c0 100644 --- a/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md +++ b/csaf_2.1/prose/edit/src/schema-elements-02-props-04-vulnerabilities.md @@ -633,6 +633,7 @@ Valid values are: mitigation no_fix_planned none_available + optional_patch vendor_fix workaround ``` 
@@ -650,12 +651,23 @@ and they MAY or MAY NOT be officially sanctioned by the document producer. The value `vendor_fix` indicates that the remediation contains information about an official fix that is issued by the original author of the affected product. Unless otherwise noted, it is assumed that this fix fully resolves the vulnerability. -This value contradicts with the categories `none_available` and `no_fix_planned` for the same product. +This value contradicts with the categories `none_available`, `no_fix_planned` and `optional_patch` for the same product. Therefore, such a combination can't be used in the list of remediations. +The value `optional_patch` indicates that the remediation contains information about an patch that +is issued by the original author of the affected product. +Its application is not necessary, but might be desired by the user, e.g. to calm a security scanner by +updating a dependency to a fixed version even though the dependency in the affected version was used +in the product in a way that the product itself was not affected. +Unless otherwise noted, it is assumed that this does not change the state regarding the vulnerability. +This value contradicts with the categories `none_available`, `no_fix_planned` and `vendor_fix` for the same product. +Therefore, such a combination can't be used in the list of remediations. + +> This is sometimes also referred to as a "regulatory compliance patch". + The value `none_available` indicates that there is currently no fix or other remediation available. The text in field `details` SHOULD contain details about why there is no fix or other remediation. -The values `none_available` and `vendor_fix` are mutually exclusive per product. +The values `none_available`, `optional_patch` and `vendor_fix` are mutually exclusive per product. > An issuing party might choose to use this category to announce that a fix is currently developed. 
It is recommended that this also includes a date when a customer can expect the fix to be ready and distributed. @@ -663,7 +675,7 @@ It is recommended that this also includes a date when a customer can expect the The value `no_fix_planned` indicates that there is no fix for the vulnerability and it is not planned to provide one at any time. This is often the case when a product has been orphaned, declared end-of-life, or otherwise deprecated. The text in field `details` SHOULD contain details about why there will be no fix issued. -The values `no_fix_planned` and `vendor_fix` are mutually exclusive per product. +The values `no_fix_planned`, `optional_patch` and `vendor_fix` are mutually exclusive per product. ##### Vulnerabilities Property - Remediations - Date
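Review bot: The enum addition in `csaf_json_schema.json` keeps the list alphabetical, but the schema alone cannot express the per-product mutual exclusion that the prose hunks introduce for `optional_patch` against `none_available`, `no_fix_planned` and `vendor_fix`, and this patch adds no test that enforces it. If the prose says such a combination "can't be used in the list of remediations", a conformance test should land in the same change (or the prose should point to wherever the existing `vendor_fix`/`none_available` exclusion is checked); otherwise the new restriction is documentation only and validators will accept documents that violate it.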
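Review bot: Typo in the new `optional_patch` paragraph of the `@@ -650,12 +651,23 @@` hunk: "information about an patch that is issued" should read "information about a patch that is issued". The definition also needs tightening: "it is assumed that this does not change the state regarding the vulnerability" should say which state is meant (the product's status for this vulnerability, which the dependency example implies is already not affected), and "to calm a security scanner" is colloquial for specification text; something like "to satisfy a security scanner that flags the dependency version" keeps the meaning. Finally, the `vendor_fix` and `optional_patch` paragraphs say "contradicts with the categories" while the `none_available` paragraph in the same hunk says "mutually exclusive per product"; use one phrasing for all of these so the constraint reads as a single rule.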
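Review bot: The `@@ -663,7 +675,7 @@` hunk adds `optional_patch` to the `no_fix_planned` exclusion without giving a reason, and the exclusion only follows if `optional_patch` implies that the product is not affected by the vulnerability. The new paragraph suggests this through its dependency example but never states it; adding one sentence that `optional_patch` is only used for products that are not affected would make this exclusion and the `none_available` and `vendor_fix` exclusions in the previous hunk consequences of a single stated rule rather than three separately asserted lists.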