docs: documentation regarding TRIAGE.json
mastersans committed Aug 14, 2024
1 parent 149b78d commit 528b15a
Showing 2 changed files with 18 additions and 11 deletions.
22 changes: 11 additions & 11 deletions TRIAGE.json
Expand Up @@ -30,7 +30,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "false positive because the python API for zstandard has lower version numbers than the main zstandard library"
},
"affects": [
{
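Review bot: the new `detail` explains the false positive but records nothing a later triager can re-check; the version-mismatch argument only holds for the versions current at triage time, so state the two version strings being compared (the version of the `zstandard` Python package that was detected and the library version range the CVE is filed against) in the detail itself. Also capitalize `Python`.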
Expand Down Expand Up @@ -65,7 +65,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "false positive because the python API for zstandard has lower version numbers than the main zstandard library"
},
"affects": [
{
Expand Down Expand Up @@ -100,7 +100,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "RSA detected is rust library."
},
"affects": [
{
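Review bot: `"detail": "RSA detected is rust library."` does not say which side of the mismatch is which; name both the component this repository actually depends on and the product the CVE is filed against, so the reason for `false_positive` is auditable without re-deriving it. The grammar also needs fixing (`The RSA detected is the Rust library`), and the neighbouring entries use a lowercase reason without a trailing period, so match that style.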
Expand Down Expand Up @@ -135,7 +135,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
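Review bot: `arrow is reporting CVEs found for another product named arrow` names neither product. The `doc/triaging_process.md` change in this same commit says these CVEs belong to Rust's arrow package while this repository uses the Python arrow package, so put that in the detail too (e.g. `CVEs are for the Rust arrow package; this project uses the Python arrow package`). The same text is repeated verbatim in six entries in this file, so one wording fix applies to all of them.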
Expand Down Expand Up @@ -170,7 +170,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
Expand Down Expand Up @@ -205,7 +205,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
Expand Down Expand Up @@ -240,7 +240,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
Expand Down Expand Up @@ -275,7 +275,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
Expand Down Expand Up @@ -310,7 +310,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "arrow is reporting CVEs found for another product named arrow"
},
"affects": [
{
Expand Down Expand Up @@ -415,7 +415,7 @@
"analysis": {
"state": "false_positive",
"response": [],
"detail": "NewFound"
"detail": "docutils is reporting CVEs found for another product with the same name"
},
"affects": [
{
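Review bot: `another product with the same name` leaves the other product unidentified; name it (and the vendor if known) so the next person to triage this entry can confirm the CVE really belongs elsewhere instead of repeating the analysis.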
Expand Down Expand Up @@ -450,7 +450,7 @@
"analysis": {
"state": "not_affected",
"response": [],
"detail": "NewFound"
"detail": "Applied the appropriate mitigations to avoid malicious images"
},
"affects": [
{
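Review bot: for a `not_affected` entry, `Applied the appropriate mitigations to avoid malicious images` is too vague to audit; say which mitigation was applied and where (the module or function that validates the images), since `state` alone does not record why the code is unaffected. The CycloneDX VEX `analysis` object also carries a `justification` field (e.g. `protected_by_mitigating_control`) that would express this more precisely than free text, if the tool honours it. This is also the only entry whose `detail` is capitalized, so align it with the others.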
7 changes: 7 additions & 0 deletions doc/triaging_process.md
Expand Up @@ -247,6 +247,13 @@ Note: Always pass value for `-rr` flag in double quotes
]
}
```
### Why We Use a `TRIAGE.json` File Inside the CVE Binary Tool Repository?

The CVE Binary Tool provides functionality to include scans as part of a GitHub continuous integration (CI) workflow using the [`cve-bin-tool-action`](https://github.com/intel/cve-bin-tool-action). This action is used to scan the repository for vulnerabilities, with the results displayed in the security tab of the scanned repository.

However, the generated report may sometimes include false positives. For example, CVE Binary Tool uses the Python arrow package, but the vulnerability report could mistakenly flag a vulnerability associated with Rust's arrow package, which shares the same name. Additionally, some detected vulnerabilities may not affect the repository being scanned; they might be mitigated, or the vulnerable function might not be used, as discussed earlier.

To address this, cve-bin-tool-action provides an option to filter out FalsePositive and NotAffected vulnerabilities using the vex_file option in the [`cve_bin_tool_action.yml`](https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/cve_bin_tool_action.yml) configuration file, Such packages can be marked as NotAffected or FalsePositive in the TRIAGE.json file, which can then be used with cve-bin-tool-action to ensure that these entries are appropriately filtered out during the scanning process. reference: [`Issue #3193`](https://github.com/intel/cve-bin-tool/issues/3193)

### Limitations :

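Review bot: several wording issues in the added section. The heading `### Why We Use a \`TRIAGE.json\` File Inside the CVE Binary Tool Repository?` is a statement ending in a question mark; drop the `?` or rephrase as a question. In the last paragraph, `configuration file, Such packages` is a comma splice (start a new sentence there), `FalsePositive` and `NotAffected` should be written as the actual state values used in `TRIAGE.json` (`false_positive` and `not_affected`) so readers can grep for them, `vex_file` should be in backticks like the other identifiers, and the trailing `reference: [...]` reads as a stray fragment (`See [Issue #3193](...) for background.`).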
