Description
- I'm splitting off a couple of related issues from "micrium uC/Lib vulnerability causes cve-bin-tool to delete triage response data from triage input file" (#4417), since some of the issues should be fixed in the 3.4 timeline and some will likely wait until after.
From #4417:
However, even though the reports now have the comments from the "details" JSON field back in them, they are missing the "Justification" field string in the beginning of it.
This is almost certainly because we switched to https://github.com/anthonyharrison/lib4vex/ and thus aren't explicitly adding the justification field in ourselves. The question is... should we be? I think existing users of cve-bin-tool would expect it, but anyone using VEX triage in other spaces would not, and users might prefer to not have their comments "altered" and it may make more sense to just let the users put whatever they want in that field and only propagate it.
Pinging @anthonyharrison to see if he's got thoughts about the best way to handle this.
If we decide we want it fixed, we can either add code in cve-bin-tool to prepend the justification (though we'll need to be careful not to constantly add more stuff to the start of the string), or we could adjust lib4vex to do it there. Again, this depends on what @anthonyharrison wants to do and whether we want cve-bin-tool to make a different choice or not.
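A sketch of the "prepend without piling up" option from the issue above, as an added example that is not code from cve-bin-tool or lib4vex. It assumes a hypothetical `<justification>: <detail>` comment layout and uses the CycloneDX VEX justification values; `split_comment` and `with_justification` are illustrative names.

```python
import re

# CycloneDX VEX justification values.
JUSTIFICATIONS = (
    "code_not_present", "code_not_reachable", "requires_configuration",
    "requires_dependency", "requires_environment", "protected_by_compiler",
    "protected_at_runtime", "protected_at_perimeter",
    "protected_by_mitigating_control",
)

# Assumed (hypothetical) comment layout: "<justification>: <user detail>".
# Matches one or more leading labels so stacked prefixes are removed together.
_PREFIX = re.compile(
    r"^\s*(?:(?:%s)(?::\s*|\s*$))+" % "|".join(map(re.escape, JUSTIFICATIONS))
)


def split_comment(text):
    """Return (justification or None, user detail without any label prefix)."""
    text = text or ""
    match = _PREFIX.match(text)
    if not match:
        return None, text.strip()
    label = match.group(0).split(":")[0].strip()
    return label, text[match.end():].strip()


def with_justification(justification, detail):
    """Prefix detail with justification exactly once, replacing any old label."""
    if justification not in JUSTIFICATIONS:
        raise ValueError(f"unknown justification: {justification!r}")
    _, body = split_comment(detail)
    return f"{justification}: {body}" if body else justification


if __name__ == "__main__":
    comment = "Parser is compiled out of our build"  # constructed sample
    for _ in range(3):  # simulate three triage round-trips
        comment = with_justification("code_not_present", comment)
    print(comment)
```

Because `split_comment` recovers the user's original text, the same helper also supports the "only propagate" option: the stored detail can stay unaltered and the prefix applied at report time.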