Hello!

My name is Hadas, I'm in the Snyk Security Group. I was in contact with
you a while back regarding the `no-dsa` field and its different tags.

I just want to further confirm if our understanding of the usage of the
various terms (`no-dsa`, `ignored`, `postponed`, "Minor issue") is correct:

1. From this
<https://wiki.debian.org/LTS/Development#:~:text=%22no%2Ddsa%22%20is,the%20victim%27s%20infrastructure.>
documentation
it seems that "Minor issue" should not be used for drawing conclusions on
the severity of the vulnerability, but from this
<https://security-team.debian.org/security_tracker.html#issues-not-warranting-a-security-advisory:~:text=Sometimes%20an%20issue%20might%20not%20warrant%20an%20(immediate)%20security%20advisory%2C%20for%20example%20if%20its%20severity%20is%20minor.%20When%20that%27s%20the%20case%2C%20they%20are%20marked%20with%20a%20distribution%20tag%2C%20the%20%3Cno%2Ddsa%3E%20state%20and%20an%20explanation.>
documentation
it does seem like the severity might mean "minor" in these cases. Could you
please clarify that?

2. In our previous conversation there was a suggestion only to use the
`ignored` and `postponed` tags to understand the priority of the
vulnerability.
I do see that there are certain vulnerabilities, for example CVE-2022-45198
<https://security-tracker.debian.org/tracker/CVE-2022-45198> in Buster,
that are only marked with "Minor issue" in the `no-dsa` field, and don't
have either of the `ignored` or `postponed` tags. Could you please help us
understand what we should do in such cases? What does the "Minor issue"
suggest here?


Thank you for the help,
Hadas

Hadas Bloom
Senior Security Analyst
