A new field in the vulnerability object

[floydtree]

Currently vulnerability object does not have a field in place to account for information indicating if a fix for the vulnerability is available or not. Such information is provided by log sources such AWS Inspector.

I propose we add a boolean field named fix_available in this object.

    "fix_available": {
      "caption": "Fix availability",
      "description": "Indicates if a fix is available for the reported vulnerability.",
      "type": "boolean_t"
    },

[JasonKeirstead]

What does a "fix" mean specifically? A vendor patch? A code release? Where is it obtained? I may be in support of this but I think the field needs to be more clearly defined and understand how it would be used. Telling someone there is a fix without explaining what it is, just opens questions...

[floydtree]

I agree, it would be great if log producers provided these details, but the logs that I looked that didn't have such a resolution. However the way to handle such info would be via using the remediation object. If finding producers have remediation details, they can and should use the remediation object available in the security_findings class.

[JasonKeirstead]

So if remediation already covers this case then why is this field needed? Just check if a remediation exists or not?

[floydtree]

As I mentioned earlier, this specific data, the boolean value fix-available-yes/no is present in the original source data (vuln scanner findings) so we need to account for it. Whether to populate remediation with the relevant details is upto the producer and we cannot control or force that. So, having the corresponding provisions is the way to go, I feel.

[JasonKeirstead]

What I mean is the modeling of the field should be to create a remediation object (which may be mostly all empty, but that's a whole other thing)

Adding another field that just says "remediation exists" when we already have an object for that doesn't make sense