Vulnerability States

Every vulnerability entry has a state that reflects where it sits in the triage lifecycle. State is not written into the YAML directly — it is derived from the entry’s verdict and resolution fields each time a report is generated.

The states

| State | Derivation | Meaning |
| --- | --- | --- |
| under investigation | no verdict | The finding has been registered but triage has not concluded. |
| open | verdict is affected, no resolution | Triage is complete and the vulnerability impacts the project. The entry awaits a fix. |
| resolved | resolution recorded | A resolution has been recorded for the entry. The maintainer’s triage work is complete. |
| dismissed | verdict is not affected or risk acceptable, no resolution | Triage concluded that no remediation will be applied. Either the project is not affected, or the risk was assessed and accepted. |

Derivation precedence

The rules are evaluated in this order:

  1. If no verdict is recorded, state is under investigation.

  2. Otherwise, if a resolution is recorded, state is resolved (regardless of verdict).

  3. Otherwise, state is derived from the verdict: affected yields open; not affected and risk acceptable yield dismissed.

Terminal states

resolved and dismissed are both terminal. The distinction is intentional: resolved means a resolution was recorded (a fix, or a hygiene update on a not affected entry); dismissed means the entry was closed without any resolution because none was warranted. A not affected entry that later records a hygiene update moves from dismissed to resolved and appears in the Fixed In column.

Perspective

State describes the maintainer’s view: has the triage team finished its work on this entry? It does not describe whether a currently running release contains the fix.

An entry can be resolved while the release carrying the fix is still unpublished. Release-scoped questions are answered by other means:

  • Use the --release filter on vulnlog report to list vulnerabilities present in a specific release.

  • See the Fixed In column (the entry’s resolution.in field) for the release that contains the fix.

Typical progression

  1. New entry. No verdict. State is under investigation.

  2. Triage complete. verdict set.

    • Verdict affected: state is open, awaiting a fix.

    • Verdict not affected: state is dismissed. No further action is required.

    • Verdict risk acceptable: state is dismissed. The risk is accepted without remediation.

  3. Closure. resolution recorded. State is resolved regardless of verdict. The verdict is retained.
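The derivation precedence, the terminal-state distinction and the progression above, as an added Python example (not vulnlog's own code). It assumes entries are plain mappings with the `verdict` and `resolution.in` keys named on this page and that verdict values are spelled exactly as the page prints them.

```python
# Added example, not vulnlog's own code: derive triage state from the
# verdict/resolution fields as the page describes. Field names follow the
# page; the exact spelling of verdict values in real vulnlog YAML is assumed.
from typing import Optional

UNDER_INVESTIGATION, OPEN, RESOLVED, DISMISSED = (
    "under investigation", "open", "resolved", "dismissed")

# Rule 3 lookup: the state that follows from the verdict alone.
VERDICT_TO_STATE = {
    "affected": OPEN,
    "not affected": DISMISSED,
    "risk acceptable": DISMISSED,
}

def derive_state(entry: dict) -> str:
    """Apply the three precedence rules in order; state is never stored."""
    verdict = entry.get("verdict")
    if not verdict:                       # Rule 1: triage not concluded
        return UNDER_INVESTIGATION
    if entry.get("resolution"):           # Rule 2: resolution wins over verdict
        return RESOLVED
    if verdict not in VERDICT_TO_STATE:   # unknown verdict is a data error
        raise ValueError(f"unknown verdict: {verdict!r}")
    return VERDICT_TO_STATE[verdict]      # Rule 3: state follows the verdict

def fixed_in(entry: dict) -> Optional[str]:
    """'Fixed In' column: resolution.in, or None when not resolved."""
    if derive_state(entry) != RESOLVED:
        return None
    return entry["resolution"].get("in")

# Constructed entries mirroring the typical progression, shaped like the
# mappings yaml.safe_load would return; release names are made up.
SAMPLE_ENTRIES = {
    "new": {},
    "affected": {"verdict": "affected"},
    "not_affected": {"verdict": "not affected"},
    "fixed": {"verdict": "affected", "resolution": {"in": "v2.1.0"}},
    # Hygiene update on a not affected entry: dismissed becomes resolved.
    "hygiene": {"verdict": "not affected", "resolution": {"in": "v2.1.0"}},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(f"{name:>13}: {derive_state(entry):<20} fixed in {fixed_in(entry)}")
```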

State in the HTML report

The HTML report produced by vulnlog report is the project owner’s view (the view from and for the project maintainer team) of the triage backlog across all tracked releases. Entries in every state appear in the same table so the maintainer can see the complete picture.

| Column | Content |
| --- | --- |
| State | under investigation, open, resolved, or dismissed. |
| Releases | Releases in which the vulnerability was reported. |
| Fixed In | Release in which the resolution was recorded. Empty for entries that are not resolved. |

See vulnlog report for command usage and filters.