Feature
Resolution: Unresolved
CUSTOMER PROBLEM
In Clair, ClairCore now uses the Vulnerability Exploitability eXchange (VEX) profile in CSAF format, which describes which Red Hat products and which components are affected (or known not to be affected) by a specific vulnerability identified by its Common Vulnerabilities and Exposures (CVE) ID.
For Red Hat products and components that the VEX data marks as "affected", the data may link to an explanatory remediation covering why a certain product may not have an available fix.
Where the "remediation" category = "no_fix_planned", the details explain why the patch will not be released by Red Hat. That information is extremely valuable for customers in clearly understanding "the why" behind the "no_fix_planned" remediation status for those products.
Example: cve-2022-48935 (search for category = "no_fix_planned")
Reference: ProdSec blog
USERS
SecOps, Vulnerability management team
ACCEPTANCE CRITERIA
- ClairCore can accurately determine and populate the "details" associated with the "remediation" category = "no_fix_planned"
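A sketch of the extraction the acceptance criterion describes, added here as an illustration and not taken from ClairCore's code base. It reads the CSAF 2.0 fields `vulnerabilities[].remediations[]` (`category`, `details`, `product_ids`) and `product_status.known_affected`; the helper name, the sample document and its product IDs are constructed, and restricting the result to `known_affected` products is an assumption about the intended behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// vexDoc is the subset of a CSAF 2.0 VEX document this check needs.
type vexDoc struct {
	Vulnerabilities []struct {
		CVE           string              `json:"cve"`
		ProductStatus map[string][]string `json:"product_status"`
		Remediations  []struct {
			Category   string   `json:"category"`
			Details    string   `json:"details"`
			ProductIDs []string `json:"product_ids"`
		} `json:"remediations"`
	} `json:"vulnerabilities"`
}

// sampleVEX is constructed for this example; IDs and texts are placeholders.
const sampleVEX = `{"vulnerabilities":[{"cve":"CVE-0000-0000","product_status":{"known_affected":["prod-a:pkg","prod-b:pkg"]},"remediations":[
 {"category":"no_fix_planned","details":"Constructed reason: out of support scope.","product_ids":["prod-a:pkg"]},
 {"category":"vendor_fix","details":"Constructed fix note.","product_ids":["prod-b:pkg"]},
 {"category":"no_fix_planned","details":"Constructed: product not listed as affected.","product_ids":["prod-c:pkg"]}]}]}`

// NoFixPlannedDetails (hypothetical helper) maps "CVE|product_id" to no_fix_planned details for known_affected products.
func NoFixPlannedDetails(raw []byte) (map[string]string, error) {
	var doc vexDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse VEX: %w", err)
	}
	out := make(map[string]string)
	for _, v := range doc.Vulnerabilities {
		affected := make(map[string]bool)
		for _, id := range v.ProductStatus["known_affected"] {
			affected[id] = true
		}
		for _, r := range v.Remediations {
			for _, id := range r.ProductIDs {
				if r.Category == "no_fix_planned" && affected[id] {
					out[v.CVE+"|"+id] = r.Details
				}
			}
		}
	}
	return out, nil
}
func main() { fmt.Println(NoFixPlannedDetails([]byte(sampleVEX))) }
```

A remediation whose `details` is empty still produces an entry with an empty string, so a consumer can tell "no explanation given" apart from "no such remediation".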