In the lab "vulnerability-review", the learner is instructed as follows:
"Defer the RHSA-2023:4706 CVE for 14 days. Set the rationale to In progress."
I assumed the instructions meant a CVE deferral request should be submitted and approved for the identified CVE, as otherwise the deferral request would not take effect. Upon grading, I was surprised to be informed that the grading script accepted only pending deferrals.
[Screenshot: grading script rejects a CVE deferral that is already approved]
[Screenshot: offending line in the grading script rejecting non-PENDING CVE deferrals]
[Screenshot: my CVE deferral was approved]
In an attempt to satisfy the grading script, I cancelled the approved CVE deferral and created a new one in pending state. Unfortunately, the grading script still marked the deliverable as FAIL, since the (now cancelled) original CVE deferral request appears first in the API response and the grading script returns immediately on the 1st deferral with a matching CVE ID.
[Screenshot: grading script helper function returns only the 1st CVE deferral with a matching CVE]
[Screenshot: creating a new CVE deferral in PENDING state is ignored by the grading script, leading to an erroneous FAIL]
This leads to the following issues and questions:
1. Since the grading script expects a pending, non-approved CVE deferral request, it should state this requirement explicitly in the instructions instead of just saying "defer the CVE". The latter could be misinterpreted as going through the entire process and ensuring the deferral is in proper effect.
2. The grading script should allow the learner to fix their "mistake" and re-submit the CVE deferral in PENDING state to PASS, instead of getting stuck on the 1st approved/denied/cancelled deferral and preventing the learner from completing the exercise.
3. In the companion exam EX430, how should the examinee interpret a similar objective "defer the vulnerability CVE-XXXX-XXXX"? In my opinion, having marks deducted for a similar misunderstanding would be rather unfortunate!
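The lookup problem described in the post, as an added example that is not the lab's grading script: a first-match lookup by CVE ID stops at the cancelled original request, while a state-aware lookup considers every deferral for that CVE, skips cancelled ones and grades the newest remaining request. The `Deferral` fields (`cve_id`, `state`, `created`), the state names and the CVE IDs are constructed placeholders; the post does not name the CVE behind RHSA-2023:4706, so `CVE-XXXX-XXXX` stands in for it.

```python
"""Added example, not the grading script from the post.

Compares a first-match deferral lookup (which returns the first CVE ID match
regardless of state) with a state-aware lookup that evaluates all matching
deferrals.  Field names, state names and CVE IDs are assumptions/placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable, Optional, Sequence


@dataclass(frozen=True)
class Deferral:
    cve_id: str
    state: str          # assumed states: PENDING, APPROVED, DENIED, CANCELLED
    created: datetime   # assumed creation timestamp from the API response


# Constructed sample API response, ordered as the post describes: the cancelled
# original request appears before the re-submitted PENDING one.
SAMPLE_DEFERRALS = [
    Deferral("CVE-XXXX-XXXX", "CANCELLED", datetime(2024, 1, 10, 9, 0)),
    Deferral("CVE-XXXX-XXXX", "PENDING", datetime(2024, 1, 10, 9, 30)),
    Deferral("CVE-YYYY-YYYY", "APPROVED", datetime(2024, 1, 9, 12, 0)),
]


def first_match(deferrals: Iterable[Deferral], cve_id: str) -> Optional[Deferral]:
    """Lookup as the post describes it: return on the first CVE ID match,
    without looking at the deferral's state."""
    for d in deferrals:
        if d.cve_id == cve_id:
            return d
    return None


def current_deferral(deferrals: Iterable[Deferral], cve_id: str) -> Optional[Deferral]:
    """State-aware lookup: collect every deferral for the CVE, drop the ones
    that are no longer in effect (CANCELLED) and return the newest remaining
    one, so a re-submitted request supersedes an earlier one."""
    live = [d for d in deferrals if d.cve_id == cve_id and d.state != "CANCELLED"]
    if not live:
        return None
    return max(live, key=lambda d: d.created)


def grade(
    deferrals: Sequence[Deferral],
    cve_id: str,
    accepted_states: Sequence[str] = ("PENDING",),
    lookup: Callable[[Iterable[Deferral], str], Optional[Deferral]] = current_deferral,
) -> str:
    """Grade the deliverable: PASS when the selected deferral is in one of the
    accepted states.  `accepted_states` makes the requirement explicit, which
    is the first point raised in the post."""
    d = lookup(deferrals, cve_id)
    if d is None:
        return f"FAIL: no active deferral for {cve_id}"
    if d.state not in accepted_states:
        return f"FAIL: deferral is {d.state}, expected one of {tuple(accepted_states)}"
    return "PASS"


if __name__ == "__main__":
    # First-match lookup stops at the cancelled request and fails the learner;
    # the state-aware lookup finds the re-submitted PENDING request.
    print("first_match :", grade(SAMPLE_DEFERRALS, "CVE-XXXX-XXXX", lookup=first_match))
    print("state-aware :", grade(SAMPLE_DEFERRALS, "CVE-XXXX-XXXX"))
```

Running the block prints a FAIL for the first-match lookup and a PASS for the state-aware one on the same sample data. Passing `accepted_states=("PENDING", "APPROVED")` would also accept the fully approved deferral from the post's first attempt.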
Red Hat Learning Community