# Vulnerability States
Every vulnerability entry has a state that reflects where it sits in the triage lifecycle.
State is not written into the YAML directly; it is derived from the entry's `verdict` and `resolution` fields each time a report is generated.
## The states

| State | Derivation | Meaning |
|---|---|---|
| `under investigation` | no `verdict` recorded | The finding has been registered but triage has not concluded. |
| `open` | `verdict` is `affected`, no `resolution` recorded | Triage is complete and the vulnerability impacts the project. The entry awaits a fix. |
| `resolved` | `resolution` recorded (any verdict) | A resolution has been recorded for the entry. The maintainer's triage work is complete. |
| `dismissed` | `verdict` is `not affected` or `risk acceptable`, no `resolution` recorded | Triage concluded that no remediation will be applied. Either the project is not affected, or the risk was assessed and accepted. |
## Derivation precedence

The rules are evaluated in this order:

1. If no `verdict` is recorded, state is `under investigation`.
2. Otherwise, if a `resolution` is recorded, state is `resolved` (regardless of verdict).
3. Otherwise, state is derived from the `verdict`: `affected` yields `open`; `not affected` and `risk acceptable` yield `dismissed`.
## Terminal states

`resolved` and `dismissed` are both terminal.
The distinction is intentional: `resolved` means a resolution was recorded (a fix, or a hygiene update on a `not affected` entry); `dismissed` means the entry was closed without any resolution because none was warranted.
A `not affected` entry that later records a hygiene update moves from `dismissed` to `resolved` and appears in the Fixed In column.
## Perspective

By default, state describes the maintainer's view: has the triage team finished its work on this entry?
It does not describe whether a currently running release contains the fix, so an entry can be `resolved` while the release carrying the fix is still unpublished.
When `--release X` is supplied to `vulnlog report` or `vulnlog suppress`, state shifts to a release-scoped view: a resolution only counts when its target release ships at-or-before `X`.
A resolution pointing at a later or unpublished release is ignored for state classification, so the entry falls back to the state derived from its verdict (`open` for `affected`, `dismissed` for `not affected` and `risk acceptable`).
The Fixed In column (the entry's `resolution.in` field) still shows the recorded fix release for reference.
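The following is an added worked example, not part of vulnlog's own code: it implements the three precedence rules above and the release-scoped view that `--release X` switches on. The entry layout (`verdict`, `resolution.in`) follows this page; the representation of an entry as a plain dict, the ordered list of published releases used to decide "ships at-or-before", and the sample entries are assumptions constructed for the example.

```python
"""Derive a vulnerability entry's triage state (example, not vulnlog's code)."""
from typing import Optional, Sequence

# Rule 3 lookup: verdict -> state, used only when no resolution counts.
VERDICT_STATES = {
    "affected": "open",
    "not affected": "dismissed",
    "risk acceptable": "dismissed",
}


def resolution_ships_by(resolution: dict, release: str,
                        published: Sequence[str]) -> bool:
    """True when the resolution's target release is published at-or-before `release`.

    `published` is assumed to be the list of shipped releases, oldest first.
    A target that is not in the list is unpublished and therefore ignored.
    """
    if release not in published:
        raise ValueError(f"release {release!r} is not a published release")
    target = resolution.get("in")
    if target not in published:
        return False
    return published.index(target) <= published.index(release)


def derive_state(entry: dict, release: Optional[str] = None,
                 published: Sequence[str] = ()) -> str:
    """Apply the precedence rules; `release` selects the release-scoped view."""
    verdict = entry.get("verdict")
    # Rule 1: no verdict recorded -> triage has not concluded.
    if verdict is None:
        return "under investigation"
    resolution = entry.get("resolution")
    # Rule 2: a recorded resolution wins regardless of verdict. In the
    # release-scoped view it counts only if its target ships at-or-before X.
    if resolution is not None:
        if release is None or resolution_ships_by(resolution, release, published):
            return "resolved"
    # Rule 3: fall back to the verdict (also the fallback when the resolution
    # points at a later or unpublished release).
    if verdict not in VERDICT_STATES:
        raise ValueError(f"unknown verdict: {verdict!r}")
    return VERDICT_STATES[verdict]


def fixed_in(entry: dict) -> Optional[str]:
    """The Fixed In column: the recorded fix release, shown even when scoped."""
    resolution = entry.get("resolution")
    return None if resolution is None else resolution.get("in")


def report(entries: dict, release: Optional[str] = None,
           published: Sequence[str] = ()) -> dict:
    """Map entry name -> (state, fixed_in), as a report table row would."""
    return {name: (derive_state(e, release, published), fixed_in(e))
            for name, e in entries.items()}


# Constructed sample data; release names and entries are made up.
PUBLISHED = ["1.0.0", "2.0.0", "2.1.0"]
SAMPLE_ENTRIES = {
    "new": {},
    "affected_open": {"verdict": "affected"},
    "affected_fixed": {"verdict": "affected", "resolution": {"in": "2.1.0"}},
    "affected_future_fix": {"verdict": "affected", "resolution": {"in": "3.0.0"}},
    "not_affected": {"verdict": "not affected"},
    # A hygiene update recorded on a not affected entry: dismissed -> resolved.
    "not_affected_hygiene": {"verdict": "not affected", "resolution": {"in": "2.1.0"}},
    "risk_accepted": {"verdict": "risk acceptable"},
}

if __name__ == "__main__":
    for view in (None, "2.0.0", "2.1.0"):
        print(f"--- release scope: {view or 'maintainer view'}")
        for name, (state, fix) in report(SAMPLE_ENTRIES, view, PUBLISHED).items():
            print(f"{name:22} {state:20} fixed in: {fix}")
```

Running the block prints the same entries under the maintainer view and under two release scopes; note that `affected_fixed` reads `resolved` by default but `open` when scoped to `2.0.0`, while its Fixed In value stays `2.1.0` in every view.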
## Typical progression

- New entry. No `verdict`. State is `under investigation`.
- Triage complete. `verdict` set.
  - Verdict `affected`: state is `open`, awaiting a fix.
  - Verdict `not affected`: state is `dismissed`. No further action is required.
  - Verdict `risk acceptable`: state is `dismissed`. The risk is accepted without remediation.
- Closure. `resolution` recorded. State is `resolved` regardless of verdict. The verdict is retained.
## State in the HTML report

The HTML report produced by `vulnlog report` is the project owner's view (the view from and for the project maintainer team) of the triage backlog across all tracked releases.
Entries in every state appear in the same table so the maintainer can see the complete picture.

| Column | Content |
|---|---|
| | Releases in which the vulnerability was reported. |
| Fixed In | Release in which the |

See `vulnlog report` for command usage and filters.