1# Possible options for CVE statuses 2 3# used by this class internally when fix is detected (NVD DB version check or CVE patch file) 4CVE_CHECK_STATUSMAP[patched] = "Patched" 5# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch) 6CVE_CHECK_STATUSMAP[backported-patch] = "Patched" 7# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports 8CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" 9# use when NVD DB does not mention correct version or does not mention any verion at all 10CVE_CHECK_STATUSMAP[fixed-version] = "Patched" 11 12# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored 13CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" 14# use when CVE is confirmed by upstream but fix is still not available 15CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" 16 17# used for migration from old concept, do not use for new vulnerabilities 18CVE_CHECK_STATUSMAP[ignored] = "Ignored" 19# use when NVD DB wrongly indicates vulnerability which is actually for a different component 20CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" 21# use when upstream does not accept the report as a vulnerability (e.g. works as designed) 22CVE_CHECK_STATUSMAP[disputed] = "Ignored" 23# use when vulnerability depends on build or runtime configuration which is not used 24CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" 25# use when vulnerability affects other platform (e.g. Windows or Debian) 26CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" 27# use when upstream acknowledged the vulnerability but does not plan to fix it 28CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" 29