You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: OPENVEX-SPEC.md
+3-3Lines changed: 3 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -33,13 +33,13 @@ Another key part of VEX is time. It matters _when_ statements are made. VEX is
33
33
designed to be a sequence of statements, each overriding, but also enriching
34
34
the previous ones with new information. Each statement has a timestamp
35
35
associated with it, either exlicitly in the markup or derived from containint
36
-
structures (see [Inheritance Flow](#InheritanceFlow)).
36
+
structures (see [Inheritance Flow](#Inheritance-Flow)).
37
37
38
38
## VEX Documents
39
39
40
40
A VEX document is a data structure grouping one or more VEX statements.
41
41
Documents also have timestamps, which may cascade down to statements (see
42
-
[Inheritance Flow](#InheritanceFlow)). Documents can also be versioned.
42
+
[Inheritance Flow](#Inheritance-Flow)). Documents can also be versioned.
43
43
44
44
### A Sample Scenario
45
45
@@ -197,7 +197,7 @@ The following table lists the fields of the OpenVEX statement struct.
197
197
| subcomponents | ✕ | Identifiers of components where the vulnerability originates. While the statement asserts about the impact on the software product, listing `subcomponents` let scanners find identifiers to match their findings. |
198
198
| status | ✓ | A VEX statement MUST provide the status of the vulnerabilities with respect to the products and components listed in the statement. `status` MUST be one of the labels defined by VEX (see [Status](#Status)), some of which have further options and requirements. |
199
199
| status_notes | ✕ | A statement MAY convey information about how `status` was determined and MAY reference other VEX information. |
200
-
| justification | ✓/✕ | For statements conveying a `not_affected` status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. Justifications are fixed labels defined by VEX. See [Status Justifications](#StatusJustifications) below for valid values. |
200
+
| justification | ✓/✕ | For statements conveying a `not_affected` status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. Justifications are fixed labels defined by VEX. See [Status Justifications](#Status-Justifications) below for valid values. |
201
201
| impact_statement | ✓/✕ | For statements conveying a `not_affected` status, a VEX statement MUST include either a status justification or an impact_statement informing why the product is not affected by the vulnerability. An impact statement is a free form text containing a description of why the vulnerability cannot be exploited. This field is not intended to be machine readable so its use is highly discouraged for automated systems. |
202
202
| action_statement | ✕ | For a statement with "affected" status, a VEX statement MUST include a statement that SHOULD describe actions to remediate or mitigate the vulnerability. |
203
203
| action_statement_timestamp | ✕ | The timestamp when the action statement was issued. |
0 commit comments