On 9/05/23 9:32 pm, Mikko Rapeli wrote:
> On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
>> On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org wrote:
>> Is there any defined language that we can simply adopt?
> Since a lot of people talk about SPDX solving these issues, it would be nice
> to know how that is going to work. I can't parse
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
> and figure out how to mark a CVE issue which has been ignored after
> analysis.

Perhaps this? https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document

To communicate that a package is not vulnerable to a specific vulnerability it is recommended to reference a web page indicating why given vulnerabilities are not applicable.

  "externalRefs" : [ {
    "referenceCategory" : "SECURITY",
    "referenceLocator" : "https://example.com/product-x/security-info.html",
    "referenceType" : "advisory"
  } ]
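As an added illustration (not part of the thread above, and not SPDX or OpenEmbedded project code), the following script shows how a consumer would pull the SECURITY externalRefs out of an SPDX 2.3 JSON document, so a reviewer can find the advisory page that explains why an ignored CVE does not apply; the sample document is constructed here, and the allowed reference types are taken from the SPDX 2.3 Annex F list for the SECURITY category.

```python
import json

# Reference types SPDX 2.3 (Annex F) defines for the SECURITY category.
SECURITY_REFERENCE_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}

# Constructed sample: a minimal SPDX 2.3 document with one package that carries
# the advisory reference from the thread plus a deliberately malformed entry.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{
        "name": "product-x",
        "SPDXID": "SPDXRef-Package-product-x",
        "externalRefs": [
            {"referenceCategory": "SECURITY",
             "referenceLocator": "https://example.com/product-x/security-info.html",
             "referenceType": "advisory"},
            {"referenceCategory": "SECURITY",
             "referenceLocator": "https://example.com/product-x/cve-fix.patch",
             "referenceType": "patch"},  # not a defined SECURITY type in SPDX 2.3
        ],
    }],
})


def security_refs(spdx_json):
    """Return {package name: [(referenceType, referenceLocator), ...]} for SECURITY refs."""
    doc = json.loads(spdx_json)
    result = {}
    for pkg in doc.get("packages", []):
        refs = [(r["referenceType"], r["referenceLocator"])
                for r in pkg.get("externalRefs", [])
                if r.get("referenceCategory") == "SECURITY"]
        if refs:
            result[pkg["name"]] = refs
    return result


def invalid_security_refs(spdx_json):
    """List (package, referenceType) pairs whose type is not defined for SECURITY."""
    return [(pkg, rtype) for pkg, refs in security_refs(spdx_json).items()
            for rtype, _ in refs if rtype not in SECURITY_REFERENCE_TYPES]


if __name__ == "__main__":
    for pkg, refs in security_refs(SAMPLE_SPDX).items():
        for rtype, locator in refs:
            print(f"{pkg}: {rtype} -> {locator}")
    print("invalid:", invalid_security_refs(SAMPLE_SPDX))
```

The advisory reference only points at a page; whether that page actually says which CVEs were analysed and why they do not apply is still up to the producer, so a consumer should treat the locator as a pointer to review, not as proof.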