C004 — H2:
Contents
Statement: The 95% figure is inaccurate or significantly overstated. The actual percentage of vulnerable components with available fixes is substantially lower, or the methodology for determining 'fix available' is flawed.
Supporting Evidence Would Show
- The Sonatype report containing a different figure
- Evidence that 'fix available' uses an overly broad definition (e.g., counting any newer version as a fix even if it doesn't address the specific vulnerability)
- Competing analyses showing lower fix-availability rates
- Academic studies on vulnerability remediation showing that many fixes ship only in releases that require breaking API changes, which makes a bare 'fix available' count misleading
Eliminating Evidence Would Show
- Multiple independent sources confirming that 90%+ of vulnerable components have available fixes
- Methodology documentation showing a rigorous definition of 'fix available' that accounts for breaking changes
- Cross-validation against NVD/CVE data confirming high fix-availability rates
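The methodological point behind this claim (the definition of 'fix available' drives the headline figure) can be made concrete. The block below is an added example written for this card; it is not code from the Sonatype report, NVD, or any advisory tool. It computes the fix-availability rate over a small, constructed set of vulnerable components under three definitions: any newer release exists, the advisory names a fixed version, and a fixed version exists without a major-version bump (the semver notion of a non-breaking upgrade). The `VulnerableComponent` fields, the version parser, and the six sample components are all assumptions made for illustration.

```python
"""Fix-availability rate under three definitions of "fix available".

Added example for this claim card; all data below is constructed, not taken
from the Sonatype report, NVD, or any advisory feed.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Tuple


@dataclass(frozen=True)
class VulnerableComponent:
    """One vulnerable component as found in a dependency tree (constructed shape)."""
    name: str
    in_use: str                        # version actually deployed
    newer_releases: Tuple[str, ...]    # every release published after in_use
    fixed_in: Tuple[str, ...]          # versions the advisory says contain the fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Minimal dotted-numeric version parser (hypothetical; no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


# Definition 1 (loose): any newer release exists, whether or not it fixes the flaw.
def any_newer_release(c: VulnerableComponent) -> bool:
    return len(c.newer_releases) > 0


# Definition 2: the advisory names at least one fixed version newer than in_use.
def advisory_lists_fix(c: VulnerableComponent) -> bool:
    here = parse_version(c.in_use)
    return any(parse_version(f) > here for f in c.fixed_in)


# Definition 3 (strict): a fixed version exists in the same major line, i.e. an
# upgrade that semver promises is non-breaking.
def fix_without_major_bump(c: VulnerableComponent) -> bool:
    here = parse_version(c.in_use)
    return any(
        parse_version(f) > here and parse_version(f)[0] == here[0]
        for f in c.fixed_in
    )


def fix_rate(components, predicate: Callable[[VulnerableComponent], bool]) -> Fraction:
    """Share of components counted as 'fix available' under the given definition."""
    hits = sum(1 for c in components if predicate(c))
    return Fraction(hits, len(components))


# Constructed sample: six vulnerable components with differing fix situations.
SAMPLE = (
    VulnerableComponent("lib-a", "1.2.0", ("1.2.1", "1.3.0"), ("1.2.1",)),
    VulnerableComponent("lib-b", "2.0.0", ("3.0.0",), ("3.0.0",)),         # fix only in next major
    VulnerableComponent("lib-c", "0.9.0", ("0.9.1",), ()),                 # newer release, no fix
    VulnerableComponent("lib-d", "4.1.0", (), ()),                         # no newer release at all
    VulnerableComponent("lib-e", "1.0.0", ("1.0.5", "2.0.0"), ("2.0.0",)), # patch exists, fix is in 2.x
    VulnerableComponent("lib-f", "3.2.0", ("3.2.1", "3.3.0"), ("3.3.0",)),
)

DEFINITIONS = {
    "any newer release": any_newer_release,
    "advisory lists a fixed version": advisory_lists_fix,
    "fixed version without major bump": fix_without_major_bump,
}


def rates_by_definition(components=SAMPLE):
    """Fix-availability rate for each definition over the given components."""
    return {name: fix_rate(components, pred) for name, pred in DEFINITIONS.items()}


if __name__ == "__main__":
    for name, rate in rates_by_definition().items():
        print(f"{name:36s} {rate} = {float(rate):.0%}")
```

On the same six components the three definitions give 5/6, 2/3 and 1/3 (83%, 67% and 33%). Nothing about the components changed between the rows; only the counting rule did, which is why the evidence lists above ask for the report's definition and for a cross-check against an independent source of fixed-version data before the 95% figure is accepted or rejected.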