VEX affected cardinalities #908
Conversation
@rnjudge - If you could just give this a quick review, I can merge
Note: This is a change that is worth logging in the change log. Tag #889 so we won't forget.
@goneall @ilans I agree with the min count changing to 1 in accordance with the VEX standard. Is there any reason there can't be more than one, though? I suppose the VEX language says "an action statement", implying one, but does not use strict language like "should" or "must". All of this to say... +1 to merge, but I want to make sure we are future-proofing the cardinality as well.
Agree that from the language "must have an action statement", if we have two statements, we certainly have a statement (and fulfill the requirement). Unfortunately, I think with the current design, if we have more than one A new
Based on the above comments - I'm thinking we just go with a cardinality I'll go ahead and approve and await a second approver.
Agree with change per comments in the conversation
Approved based on VEX and based on current design constraints
The description in actionStatement states that:
"When an element is referenced with a VexAffectedVulnAssessmentRelationship, the relationship MUST include one actionStatement that SHOULD describe actions to remediate or mitigate the vulnerability".
This conforms to VEX_Use_Cases_Aprill2022:
"If a status is AFFECTED, the VEX document must have an action statement that tells the product user what to do".
The cardinality of actionStatement in VexAffectedVulnAssessmentRelationship is 0..1 but should be 1..1.
It is optional and records the time when the actionStatement was first communicated (this conforms to the VEX docs).
The cardinality of actionStatementTime in VexAffectedVulnAssessmentRelationship is 0..* but should be 0..1.
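As an added example (not code from this PR or from the SPDX project), the checker below encodes the two cardinality sets the description contrasts: the current constraints (actionStatement 0..1, actionStatementTime 0..*) and the proposed ones (1..1 and 0..1). The record shape is a simplified dict keyed by the property names used in the description, not the official SPDX 3 serialization, and the URNs, statement text and timestamps are constructed sample values. Running the same AFFECTED record through both constraint tables shows concretely what the change rejects that the old model accepted.

```python
"""Cardinality check for VEX 'affected' vulnerability assessment relationships.

Constructed example: the constraint tables follow the PR description
(actionStatement should be 1..1, actionStatementTime should be 0..1).
The record shape is a simplified dict, not the official SPDX 3 JSON-LD.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Cardinality:
    min: int
    max: int | None  # None means unbounded ("*")

    def allows(self, count: int) -> bool:
        if count < self.min:
            return False
        return self.max is None or count <= self.max

    def __str__(self) -> str:
        return f"{self.min}..{'*' if self.max is None else self.max}"


# Cardinalities before this change, as stated in the PR description.
BEFORE = {
    "actionStatement": Cardinality(0, 1),
    "actionStatementTime": Cardinality(0, None),
}

# Cardinalities after this change: an AFFECTED status must carry exactly
# one action statement, and at most one time it was first communicated.
AFTER = {
    "actionStatement": Cardinality(1, 1),
    "actionStatementTime": Cardinality(0, 1),
}

RELATIONSHIP_TYPE = "VexAffectedVulnAssessmentRelationship"


def _count(rel: dict[str, Any], prop: str) -> int:
    """Number of values present for a property (absent -> 0, list -> len)."""
    value = rel.get(prop)
    if value is None:
        return 0
    if isinstance(value, list):
        return len(value)
    return 1


def validate(rel: dict[str, Any], constraints: dict[str, Cardinality]) -> list[str]:
    """Return the list of cardinality violations; an empty list means valid."""
    if rel.get("type") != RELATIONSHIP_TYPE:
        return [f"unexpected type {rel.get('type')!r}"]
    errors = []
    for prop, card in constraints.items():
        n = _count(rel, prop)
        if not card.allows(n):
            errors.append(f"{prop}: found {n}, allowed {card}")
    return errors


# Constructed sample records (identifiers and values are placeholders).
AFFECTED_NO_ACTION = {
    "type": RELATIONSHIP_TYPE,
    "from": "urn:example:vuln-1",
    "to": ["urn:example:pkg-1"],
    # No actionStatement: VEX requires one when the status is AFFECTED.
}

AFFECTED_OK = {
    "type": RELATIONSHIP_TYPE,
    "from": "urn:example:vuln-1",
    "to": ["urn:example:pkg-1"],
    "actionStatement": "Upgrade to the patched release.",
    "actionStatementTime": "2024-01-15T00:00:00Z",
}

AFFECTED_TWO_TIMES = {
    "type": RELATIONSHIP_TYPE,
    "from": "urn:example:vuln-1",
    "to": ["urn:example:pkg-1"],
    "actionStatement": "Upgrade to the patched release.",
    # Two "first communicated" times cannot both be first.
    "actionStatementTime": ["2024-01-15T00:00:00Z", "2024-02-01T00:00:00Z"],
}


if __name__ == "__main__":
    for name, rec in [("no action", AFFECTED_NO_ACTION),
                      ("ok", AFFECTED_OK),
                      ("two times", AFFECTED_TWO_TIMES)]:
        print(f"{name}: before={validate(rec, BEFORE)} after={validate(rec, AFTER)}")
```

The record with no actionStatement and the one with two actionStatementTime values both pass under the old constraints and fail under the new ones; the well-formed record passes under both, which is the compatibility property a consumer would want when tightening a model.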