-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Be more specific in the Sample Scenario #17
Comments
Thanks!
I think this is true — but I also think it's just an implementation detail of the VEX data distribution model the supplier happens to use. I think considering the new document to be an update of the first is fine, but it doesn't matter whether the supplier is literally updating an existing resource or regenerating a new resource that includes additional data. And the consumer's means of fetching the latest VEX data doesn't necessarily need to be aware of the difference here, as long as it can reliably fetch the latest VEX data.
This is a good point. I think this could be more clear. (Also feel free to send a PR!) |
I disagree. It makes a difference in terms of the timestamps (see #18) and document Ids. If it's a new document id needs a new ID, if the old one is updated the |
I think both cases are correct, you can update the impact status by issuing a new document, or by updating both. As Dan says it is just a detail of how you implement it and as Thomas mentions here, there are changes you need to do to the document contents. Perhaps the documentation should mention both scenarios: What happens if you forge new documents (issue new document IDs, creation timestamp, etc) and what happens when you update an existing document (bump last_updated timestamp, increase the document version, etc). I think both ways of issuing VEX data will be frequent so it is not overkill to show samples for both. |
The current version reads:
I have a few comments here:
#2
could actually be an update of the VEX document issued in#1
. (This also makes sense as you only have to discover the VEX once and then get the latest info whenever you retrieve the VEX.)The text was updated successfully, but these errors were encountered: