On 9/05/23 9:32 pm, Mikko Rapeli wrote:

On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:

On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org <adrian.freihofer=gmail.com@lists.openembedded.org> wrote:

Is there any defined language that we can simply adopt?

Since a lot of people talk about SPDX solving these issues would be nice
to know how that is going to work. I can't parse
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
and figure out how to mark a CVE issue which has been ignored after
analysis.

Perhaps this?

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document

To communicate that a package is not vulnerable to a specific vulnerability it is recommended to reference a web page indicating why given vulnerabilities are not applicable.
"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://example.com/product-x/security-info.html",
  "referenceType" : "advisory"
} ]