| Andrew Geissler | 8f84068 | 2023-07-21 09:09:43 -0500 | [diff] [blame] | 1 | # Possible options for CVE statuses |
| 2 | |
| 3 | # used by this class internally when fix is detected (NVD DB version check or CVE patch file) |
| 4 | CVE_CHECK_STATUSMAP[patched] = "Patched" |
| 5 | # use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch) |
| 6 | CVE_CHECK_STATUSMAP[backported-patch] = "Patched" |
| 7 | # use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports |
| 8 | CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" |
| 9 | # use when NVD DB does not mention correct version or does not mention any verion at all |
| 10 | CVE_CHECK_STATUSMAP[fixed-version] = "Patched" |
| 11 | |
| 12 | # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored |
| 13 | CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" |
| 14 | # use when CVE is confirmed by upstream but fix is still not available |
| 15 | CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" |
| 16 | |
| 17 | # used for migration from old concept, do not use for new vulnerabilities |
| 18 | CVE_CHECK_STATUSMAP[ignored] = "Ignored" |
| 19 | # use when NVD DB wrongly indicates vulnerability which is actually for a different component |
| 20 | CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" |
| 21 | # use when upstream does not accept the report as a vulnerability (e.g. works as designed) |
| 22 | CVE_CHECK_STATUSMAP[disputed] = "Ignored" |
| 23 | # use when vulnerability depends on build or runtime configuration which is not used |
| 24 | CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" |
| 25 | # use when vulnerability affects other platform (e.g. Windows or Debian) |
| 26 | CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" |
| 27 | # use when upstream acknowledged the vulnerability but does not plan to fix it |
| 28 | CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" |