- Feature Request
- Resolution: Unresolved
- Future Sustainability
A customer has raised concerns about how Advanced Cluster Security (ACS) evaluates and displays CVEs marked as "Will Not Fix."
According to Red Hat CVE documentation, the "Will Not Fix" status means the issue affects a product version but will not be addressed because of its complexity or the risk of fixing it.
In ACS, however, this status is interpreted as the cluster being affected, which causes confusion for the customer.
Problem Statement:
ACS is aware of the OpenShift cluster version and the versions of individual components. However, the current CVE evaluation logic does not account for changes in fix status across versions.
For example:
- A CVE might be marked as “Will Not Fix” for OpenShift 4.12.
- The same CVE may be fixed in 4.14.
- If the customer upgrades to 4.14, ACS should ideally update the CVE status to "Not Affected" based on the known fixed version.
- This behavior has been confirmed for the same component across both versions.
Current Behavior:
- ACS continues to display the CVE as “Will Not Fix” even if the running version includes a fix.
Enhancement Request:
Modify ACS to evaluate CVEs more accurately based on the current cluster version and component versions.
If a CVE is fixed in newer versions, and the cluster is running one of those versions, the CVE should be reported as "Not Affected" rather than retaining the "Will Not Fix" status.
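The evaluation rule requested above, as an added illustration (not ACS or Clair code): per-stream fix records are constructed sample data, and the version parser assumes plain dotted numeric versions.

```python
"""Resolve a CVE's effective status for the running OpenShift version.

Added example, not ACS code. The fix records are constructed to mirror
the ticket: "Will Not Fix" on the 4.12 stream, fixed from 4.14.3 onward.
"""
from typing import NamedTuple, Optional


class FixRecord(NamedTuple):
    stream: str               # product stream the record describes, e.g. "4.12"
    status: str               # vendor status for that stream when no fix exists
    fixed_in: Optional[str]   # first version of the stream carrying the fix


def parse_version(v: str) -> tuple:
    # Numeric comparison so that "4.9" sorts below "4.12" (string compare would not).
    # Assumes plain dotted numeric versions; pre-release suffixes are not handled.
    return tuple(int(p) for p in v.split("."))


def stream_of(version: str) -> str:
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}"


def effective_status(records, running_version: str) -> str:
    running = parse_version(running_version)
    record = next((r for r in records if r.stream == stream_of(running_version)), None)
    if record is not None:
        if record.fixed_in is None:
            # No fix in this stream: report the vendor status (e.g. "Will Not Fix").
            return record.status
        # A fix exists in this stream: the running version either has it or not.
        return "Not Affected" if running >= parse_version(record.fixed_in) else "Affected"
    # No record for this stream: a known fix version at or below the running
    # version still means the fix is present; otherwise the data is inconclusive.
    if any(r.fixed_in and parse_version(r.fixed_in) <= running for r in records):
        return "Not Affected"
    return "Unknown"


# Constructed sample data for one CVE, matching the scenario in the ticket.
CVE_EXAMPLE = [
    FixRecord("4.12", "Will Not Fix", None),
    FixRecord("4.14", "Fixed", "4.14.3"),
]
```

Running on 4.12 keeps "Will Not Fix"; running on 4.14.3 or later yields "Not Affected" instead of carrying the old status forward.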
- is incorporated by: CLAIRDEV-95 Report remediation details for reported CVEs with "remediation" category = "no_fix_planned"
- Refinement