proposal: add `partially_mitigated` status label

[alegrey91]

Problem

In some cases, CVEs may be partially or fully mitigated by the infrastructure an application is running on.

For example, when a Kubernetes Deployment is configured with a restrictive security context, such as enabling a read-only root filesystem (readOnlyRootFilesystem: true), certain vulnerabilities that rely on arbitrary file read and write access can be partially or entirely neutralized.

Currently, these CVEs are still reported alongide with their original severity, even though the effective attack surface is reduced by the hardening configuration. Being able to track or annotate these vulnerabilities as mitigated or partially mitigated would provide a more accurate risk assessment.

This would help users better prioritize remediation efforts, focusing first on high-severity CVEs that the underlying infrastructure or runtime configuration cannot neutralize.

Proposal

To achieve this, I would propose of adding a new status label (partially_mitigated) to identify these situations.

[oej]

I understand your thinking, but if I were in the receiving end, a customer, would this really matter?

It is still not fully mitigated.

[alegrey91]

Hello @oej, and thanks for your reply.
I see your point. My thought is about prioritization.
Of course, the vulnerability still exists in the application (and must be fixed sooner or later), but knowing that this is currently less relevant might be useful to take care of others that are still fully exploitable.
This is not a way to forget about the vulnerability, but more a way to be aware of a reduced attack surface.
Anyway, thanks again for your reply :)

[puerco]

OpenVEX implements the VEX definition as drafted by the original VEX group coordinated by CISA, and the labels originate from the work and community discussions there. The last thing we want is to break compatibility among the VEX implementations. We're hoping to restart the group, I'll make sure to bring this use case there.

[macedogm]

We're hoping to restart the group, I'll make sure to bring this use case there.

@puerco is it possible to join those discussions, please? We at SUSE are interest in helping the project.