Picky change to example justification in the spec
I feel like the statement

> The vulnerable code was removed with a custom patch

fits `vulnerable_code_not_present`:

> The vulnerable component is included in artifact, but the vulnerable code is not present. Typically, this case occurs when source code is configured or built in a way that excluded the vulnerable code.

better than `component_not_present`:

> The product is not affected by the vulnerability because the component is not included. The status justification may be used to preemptively inform product users who are seeking to understand a vulnerability that is widespread, receiving a lot of attention, or is in similar products.

The statement specifically states that the "vulnerable *code* was removed" via a patch, rather than the whole component being removed.

Signed-off-by: Gareth Rushgrove <[email protected]>
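Added example, not code from the OpenVEX project or from this commit: a small checker for the `not_affected` statements in an OpenVEX document, run over constructed copies of the spec example before and after this change. It shows that both `component_not_present` and `vulnerable_code_not_present` pass a structural check against the fixed label set, so choosing between them is a semantic judgement like the one the commit message makes. The purl, CVE id and document envelope are constructed placeholders; the three labels beyond the two quoted on this page are taken from the OpenVEX specification; the rule that every `not_affected` statement must carry a justification is this example's own policy.

```python
import json

# The five fixed justification labels OpenVEX defines for a not_affected status.
# The page quotes only the first two; the other three come from the OpenVEX
# spec (OPENVEX-SPEC.md) and are not shown on this page.
JUSTIFICATIONS = frozenset({
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
})


def make_statement(justification, impact_statement=None):
    """Build one statement in the shape used by the hunk on this page
    (products as a list of purl strings). The purl and CVE id are constructed
    placeholders, not the values redacted on the page."""
    statement = {
        "vulnerability": "CVE-0000-0000",
        "products": ["pkg:apk/wolfi/example@1.0.0-r0?arch=armv7"],
        "status": "not_affected",
    }
    if justification is not None:
        statement["justification"] = justification
    if impact_statement is not None:
        statement["impact_statement"] = impact_statement
    return statement


def check_document(doc_json):
    """Validate the not_affected statements of a serialized OpenVEX document.

    Policy enforced here (this example's assumption, not quoted from the page):
    every not_affected statement must carry a justification, and it must be one
    of the fixed labels. Returns a list of findings; an empty list means clean.
    The document envelope (@context, @id, author, timestamp, ...) is not
    validated, so the constructed documents below carry only "statements"."""
    doc = json.loads(doc_json)
    findings = []
    for idx, statement in enumerate(doc.get("statements", [])):
        if statement.get("status") != "not_affected":
            continue
        label = statement.get("justification")
        if label is None:
            findings.append(f"statement {idx}: not_affected without a justification")
        elif label not in JUSTIFICATIONS:
            findings.append(f"statement {idx}: unknown justification {label!r}")
    return findings


# Constructed documents: the spec example before and after this commit, plus a
# malformed one. Both the old and the new label pass the structural check;
# which of them matches "removed with a custom patch" is the semantic judgement
# made in the commit message, and no schema check can make it for you.
IMPACT = "The vulnerable code was removed with a custom patch"
BEFORE = json.dumps({"statements": [make_statement("component_not_present", IMPACT)]})
AFTER = json.dumps({"statements": [make_statement("vulnerable_code_not_present", IMPACT)]})
MALFORMED = json.dumps({"statements": [
    make_statement(None, IMPACT),                        # justification missing
    make_statement("vulnerable_code_removed", IMPACT),   # label not in the spec
]})

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("malformed", MALFORMED)):
        print(name, check_document(doc) or "ok")
```

Running the block prints `ok` for both the before and after documents and two findings for the malformed one; a label check of this kind belongs in CI for VEX feeds, with the definition-level review left to a human.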
garethr committed Feb 4, 2023
1 parent 808f7a8 commit bd47c8e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion OPENVEX-SPEC.md
Expand Up @@ -221,7 +221,7 @@ readable justification labels and optionally enrich the statement with an
"pkg:apk/wolfi/[email protected]?arch=armv7",
],
"status": "not_affected",
"justification": "component_not_present",
"justification": "vulnerable_code_not_present",
"impact_statement": "The vulnerable code was removed with a custom patch"
}
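Review bot: the new label on the `+` line is consistent with the `impact_statement` directly below it; by the two definitions quoted in the commit message, `vulnerable_code_not_present` covers a component that is still shipped but with the vulnerable code excluded, which is what "removed with a custom patch" describes, whereas `component_not_present` would assert that the component itself is absent from the artifact. Since this is the spec's illustrative example, also check any other copy of it in the repository (README or example documents) and update it to the same label so the two do not disagree.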


0 comments on commit bd47c8e