feat(advisor): Add resolution reason for incorrect vulnerabilities

In some cases CVEs are deemed to not be valid vulnerabilities, see [1] for an example. ORT's advisors will still report this CVE with no correct way to resolve the vulnerability. Add a separate resolution reason for this case. [1]: https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-1042268 Signed-off-by: Marcel Bochtler <marcel.bochtler@bosch.com>
oss-review-toolkit · Aug 26, 2024 · 26a0401 · 26a0401
1 parent 7ad4bfe
commit 26a0401
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/integrations/schemas/resolutions-schema.json b/integrations/schemas/resolutions-schema.json
@@ -110,6 +110,7 @@
         "INEFFECTIVE_VULNERABILITY",
         "INVALID_MATCH_VULNERABILITY",
         "MITIGATED_VULNERABILITY",
+        "NOT_A_VULNERABILITY",
         "WILL_NOT_FIX_VULNERABILITY",
         "WORKAROUND_FOR_VULNERABILITY"
       ]

diff --git a/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt b/model/src/main/kotlin/config/VulnerabilityResolutionReason.kt
@@ -49,6 +49,12 @@ enum class VulnerabilityResolutionReason {
      */
     MITIGATED_VULNERABILITY,
 
+    /**
+     * The vulnerability was reported, and got a CVE assigned. However, the CVE was later deemed to not be a
+     * vulnerability.
+     */
+    NOT_A_VULNERABILITY,
+
     /**
      * This vulnerability will never be fixed, e.g., because the package which is affected is orphaned,
      * declared end-of-life, or otherwise deprecated.