Picky change to example justification in the spec

garethr · garethr · commit bd47c8e153e1 · 2023-02-04T16:28:56.000Z
I feel like the statement

&gt; The vulnerable code was removed with a custom patch

fits `vulnerable_code_not_present`:

&gt; The vulnerable component is included in artifact, but the vulnerable code is not present. Typically, this case occurs when source code is configured or built in a way that excluded the vulnerable code.

better than `component_not_present`:

&gt; The product is not affected by the vulnerability because the component is not included. The status justification may be used to preemptively inform product users who are seeking to understand a vulnerability that is widespread, receiving a lot of attention, or is in similar products.

The statement specifically states "vulnerable *code* was removed" via a patch. Rather than the whole component being removed.

Signed-off-by: Gareth Rushgrove &lt;gareth@morethanseven.net&gt;
diff --git a/OPENVEX-SPEC.md b/OPENVEX-SPEC.md
@@ -221,7 +221,7 @@ readable justification labels and optionally enrich the statement with an
         "pkg:apk/wolfi/product@1.23.0-r1?arch=armv7",
       ],
       "status": "not_affected",
-      "justification": "component_not_present",
+      "justification": "vulnerable_code_not_present",
       "impact_statement": "The vulnerable code was removed with a custom patch"
     }
 

Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@ readable justification labels and optionally enrich the statement with an`
`221`	`221`	`"pkg:apk/wolfi/product@1.23.0-r1?arch=armv7",`
`222`	`222`	`],`
`223`	`223`	`"status": "not_affected",`
`224`		`- "justification": "component_not_present",`
	`224`	`+ "justification": "vulnerable_code_not_present",`
`225`	`225`	`"impact_statement": "The vulnerable code was removed with a custom patch"`
`226`	`226`	`}`
`227`	`227`