From bd47c8e153e1a18890e74fee8504043b9e8eaa9b Mon Sep 17 00:00:00 2001 From: Gareth Rushgrove Date: Sat, 4 Feb 2023 16:22:11 +0000 Subject: [PATCH] Picky change to example justification in the spec I feel like the statement > The vulnerable code was removed with a custom patch fits `vulnerable_code_not_present`: > The vulnerable component is included in artifact, but the vulnerable code is not present. Typically, this case occurs when source code is configured or built in a way that excluded the vulnerable code. better than `component_not_present`: > The product is not affected by the vulnerability because the component is not included. The status justification may be used to preemptively inform product users who are seeking to understand a vulnerability that is widespread, receiving a lot of attention, or is in similar products. The statement specifically states "vulnerable *code* was removed" via a patch. Rather than the whole component being removed. Signed-off-by: Gareth Rushgrove --- OPENVEX-SPEC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OPENVEX-SPEC.md b/OPENVEX-SPEC.md index f071c7c..6c8df74 100644 --- a/OPENVEX-SPEC.md +++ b/OPENVEX-SPEC.md @@ -221,7 +221,7 @@ readable justification labels and optionally enrich the statement with an "pkg:apk/wolfi/product@1.23.0-r1?arch=armv7", ], "status": "not_affected", - "justification": "component_not_present", + "justification": "vulnerable_code_not_present", "impact_statement": "The vulnerable code was removed with a custom patch" }
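Review bot: The one-line label change in this hunk is consistent with the `impact_statement` that follows it: "The vulnerable code was removed with a custom patch" describes a component that is still shipped but with the vulnerable code built out, which is exactly the `vulnerable_code_not_present` case quoted in the commit message, whereas `component_not_present` would assert that the package is absent from the artifact altogether. Before merging, check that the surrounding prose in OPENVEX-SPEC.md that introduces this example (the "readable justification labels and optionally enrich the statement" sentence visible in the hunk context, and any later explanation of the example) does not still name `component_not_present`; otherwise the text and the example would disagree again, and a reader choosing a justification for a not_affected statement would get mixed guidance.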