From 72fa5db12270778b260b2c6de45e2dba8908fd0b Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Tue, 23 Sep 2025 18:23:17 +0200
Subject: [PATCH 1/4] feat(model): Add `FIXED_VULNERABILITY` as a resolution reason

There are cases where a vulnerability is returned for a given package coordinate, but that package is actually modified compared to the upstream version and contains a fix. This can now be resolved explicitly by using `FIXED_VULNERABILITY`.

The requirment for this reason stems from CRA / DORA implications.

Signed-off-by: Sebastian Schuberth
---
 .../src/main/kotlin/config/VulnerabilityResolutionReason.kt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
index 268c12d6daac8..77b4b4c928572 100644
--- a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
+++ b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
@@ -31,6 +31,11 @@ enum class VulnerabilityResolutionReason {
 */
 CANT_FIX_VULNERABILITY,
 
+ /**
+ * The required fix (e.g. patch, update) has been successfully applied and verified, eliminating the vulnerability.
+ */
+ FIXED_VULNERABILITY,
+
 /**
 * The code in which the vulnerability was found is neither invoked in the project's code nor indirectly
 * via another open source component.

From c5bea43a813e4792177e578727c24dc86747e63c Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Tue, 23 Sep 2025 18:27:11 +0200
Subject: [PATCH 2/4] feat(model): Add `RISK_ACCEPTED_VULNERABILITY` as a resolution reason

This is a more explicit alternative to `WILL_NOT_FIX_VULNERABILITY` (or also `CANT_FIX_VULNERABILITY`) to document that the reason why a vulnerability was not fixed is that the business risk was accepted.

The requirment for this reason stems from CRA / DORA implications.
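Review bot: The KDoc added for `FIXED_VULNERABILITY` does not state the condition the commit message gives for using it — that the artifact at the reported coordinates is a locally modified build that already carries the fix — so as written it also reads as "we updated to a fixed release", a case where the advisory simply stops matching and no resolution is needed. Because this reason suppresses a finding on the strength of a claim, the comment should also ask for the evidence that makes the resolution auditable. Suggested wording: `* The package used at the reported coordinates differs from the upstream release and already contains the fix (e.g. a backported patch), so the advisory no longer applies to the artifact actually used. Reference the applied patch or commit in the resolution comment so the claim can be verified.` The enclosing enum body continues outside the hunk.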
Signed-off-by: Sebastian Schuberth
---
 .../src/main/kotlin/config/VulnerabilityResolutionReason.kt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
index 77b4b4c928572..b195fafaaf08d 100644
--- a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
+++ b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
@@ -60,6 +60,11 @@ enum class VulnerabilityResolutionReason {
 */
 NOT_A_VULNERABILITY,
 
+ /**
+ * The vulnerability is acknowledged, but a conscious, documented decision is made to not apply a fix or mitigation.
+ */
+ RISK_ACCEPTED_VULNERABILITY,
+
 /**
 * This vulnerability will never be fixed, e.g., because the package which is affected is orphaned,
 * declared end-of-life, or otherwise deprecated.

From f9f933832c70c77ddd761e33c57d24653c3e5bd2 Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Tue, 23 Sep 2025 18:36:20 +0200
Subject: [PATCH 3/4] chore(model): Deprecate `INEFFECTIVE_VULNERABILITY`

Suggest `NOT_EXPLOITABLE_VULNERABILITY` instead as the term "exploitable" is more common in this context than "ineffective".

Signed-off-by: Sebastian Schuberth
---
 .../main/kotlin/config/VulnerabilityResolutionReason.kt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
index b195fafaaf08d..02b7821a459da 100644
--- a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
+++ b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
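Review bot: The KDoc for `RISK_ACCEPTED_VULNERABILITY` should say how it differs from the `WILL_NOT_FIX_VULNERABILITY` constant that immediately follows it in the hunk, since both describe a deliberate decision not to fix; the distinguishing feature is that risk acceptance is a time-bound business decision with an owner, whereas the following constant is about the package being unmaintained. A risk acceptance that is never revisited silently becomes permanent, so the wording should tie it to the resolution comment as the record. Suggested: `* The vulnerability is acknowledged and a documented business decision was made to accept the risk instead of applying a fix or mitigation. Record who accepted the risk, the rationale and the review date in the resolution comment, and revisit the resolution when the package or its exposure changes.` The enclosing enum body continues outside the hunk.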
@@ -40,6 +40,7 @@ enum class VulnerabilityResolutionReason {
 * The code in which the vulnerability was found is neither invoked in the project's code nor indirectly
 * via another open source component.
 */
+ @Deprecated("Use NOT_EXPLOITABLE_VULNERABILITY instead", replaceWith = ReplaceWith("NOT_EXPLOITABLE_VULNERABILITY"))
 INEFFECTIVE_VULNERABILITY,
 
 /**
@@ -60,6 +61,12 @@ enum class VulnerabilityResolutionReason {
 */
 NOT_A_VULNERABILITY,
 
+ /**
+ * The vulnerability exists in a component, but is not exploitable due to the product's specific architecture or
+ * configuration.
+ */
+ NOT_EXPLOITABLE_VULNERABILITY,
+
 /**
 * The vulnerability is acknowledged, but a conscious, documented decision is made to not apply a fix or mitigation.
 */

From 59bc685343a656256c698eb0b9841f9dcb4698db Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth
Date: Tue, 23 Sep 2025 18:40:05 +0200
Subject: [PATCH 4/4] chore(model): Deprecated `INVALID_MATCH_VULNERABILITY`

Suggest `FALSE_POSITIVE_VULNERABILITY` instead which is a bit more common and general as it does not imply that the false positive was due to an "invalid match".

Signed-off-by: Sebastian Schuberth
---
 .../src/main/kotlin/config/VulnerabilityResolutionReason.kt | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
index 02b7821a459da..1f421ba1285ef 100644
--- a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
+++ b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
@@ -31,6 +31,11 @@ enum class VulnerabilityResolutionReason {
 */
 CANT_FIX_VULNERABILITY,
 
+ /**
+ * The finding is not actionable because it is an error, out of scope, or intended behavior.
+ */
+ FALSE_POSITIVE_VULNERABILITY,
+
 /**
 * The required fix (e.g. patch, update) has been successfully applied and verified, eliminating the vulnerability.
 */
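Review bot: The `ReplaceWith("NOT_EXPLOITABLE_VULNERABILITY")` added on `INEFFECTIVE_VULNERABILITY` gives a bare constant name, which only resolves at call sites that already import that constant; elsewhere the IDE quick-fix produces an unresolved reference. Qualifying it, `replaceWith = ReplaceWith("VulnerabilityResolutionReason.NOT_EXPLOITABLE_VULNERABILITY")`, works wherever the enum type itself is in scope. The same applies to the `@Deprecated` added on `INVALID_MATCH_VULNERABILITY` in the last patch of this series. Note also that `@Deprecated` is a compile-time signal only: resolution files that still spell `INEFFECTIVE_VULNERABILITY` will presumably keep deserializing without any warning, so the rename needs a changelog or user-docs entry for those authors. The enclosing enum body starts and ends outside the hunk.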
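Review bot: The KDoc for `NOT_EXPLOITABLE_VULNERABILITY` narrows the meaning relative to the constant it replaces: `INEFFECTIVE_VULNERABILITY` is defined as the vulnerable code never being invoked, while the new text only names "architecture or configuration", so users migrating via the deprecation lose the reachability case. Non-exploitability claims are also the resolutions most likely to be challenged in an audit, so the doc should ask that the concrete condition be stated. Suggested: `* The vulnerable code is present in a component but cannot be exploited in this product, e.g. because it is never invoked (formerly INEFFECTIVE_VULNERABILITY), attacker-controlled input cannot reach it, or the product's architecture or configuration neutralizes it. State which condition applies in the resolution comment.` The enclosing enum body continues outside the hunk.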
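Review bot: The KDoc for `FALSE_POSITIVE_VULNERABILITY` mixes three different situations — "an error", "out of scope" and "intended behavior" — of which only the first is a false positive; out-of-scope and intended-behavior findings are real matches being dismissed, which arguably belongs with `NOT_A_VULNERABILITY` or a risk-acceptance reason, and folding them under a false-positive label makes the resolution data less useful for the compliance reporting the series cites. Since this constant is the designated replacement for `INVALID_MATCH_VULNERABILITY`, its doc should also preserve that constant's version-mismatch meaning. Suggested: `* The advisory does not apply to the package actually used, e.g. because the vulnerability provider matched a different package or version, or the match is a tooling or database error. Findings that are real but deemed irrelevant should use another reason.` The enclosing enum body continues outside the hunk.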
@@ -47,6 +52,7 @@ enum class VulnerabilityResolutionReason {
 * The vulnerability is irrelevant due to a tooling or database mismatch, e.g., the package version used
 * does not match the version for which the vulnerability provider has reported a vulnerability.
 */
+ @Deprecated("Use FALSE_POSITIVE_VULNERABILITY instead", replaceWith = ReplaceWith("FALSE_POSITIVE_VULNERABILITY"))
 INVALID_MATCH_VULNERABILITY,
 
 /**