
feat: Add experimental CycloneDX VEX file #446

Merged
garydgregory merged 3 commits into master from feat/vex-CVE-2025-48924 on Jul 29, 2025


Conversation

@ppkarwasz
Contributor

This commit introduces an experimental CycloneDX VEX document that:

  • Provides an analysis of CVE-2025-48924 as it pertains to this library.
  • Is committed to the Git repository only (not published to the website), allowing it to be retrieved via raw.githubusercontent.com.

This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons BCEL.

  • I used AI to proofread the text in this pull request.
  • Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.

Member

@garydgregory garydgregory left a comment


Hello @ppkarwasz

As we discussed on Slack, I think we can keep this experiment under src/conf/security like Commons Compress (https://github.com/apache/commons-compress/blob/master/src/conf/security/openvex.json).

I don't think we should invent a new top-level source directory that is a surprise for normal Maven users.

I don't see src/cyclonedx as needed by https://cyclonedx.github.io/cyclonedx-maven-plugin/

@ppkarwasz
Contributor Author

@garydgregory, thanks for the fast review! 💯
I moved the files as suggested in b56ccbd

@ppkarwasz ppkarwasz requested a review from garydgregory July 29, 2025 14:28
ppkarwasz added a commit to apache/commons-text that referenced this pull request Jul 29, 2025
Moves files as suggested in apache/commons-bcel#446 and fixes copy/paste mistakes.
@garydgregory garydgregory merged commit 3111155 into master Jul 29, 2025
27 of 31 checks passed
@garydgregory
Member

Merged, ty @ppkarwasz!

garydgregory added a commit that referenced this pull request Jul 29, 2025
garydgregory pushed a commit to apache/commons-text that referenced this pull request Jul 29, 2025
* feat: Add experimental CycloneDX VEX file

This commit introduces an experimental CycloneDX VEX document that:

* Provides an analysis of **CVE-2025-48924** as it pertains to this library.
* Is committed to the **Git repository only** (not published to Maven Central), allowing it to be retrieved via `raw.githubusercontent.com`.

This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons Text.

* fix: Move files and fix copy/paste problems

Moves files as suggested in apache/commons-bcel#446 and fixes copy/paste mistakes.
ppkarwasz added a commit to apache/commons-text that referenced this pull request Aug 4, 2025
This update corrects the serial number in the VEX file, which was mistakenly copied from apache/commons-bcel#446. With this fix, all published VEX files will now have unique serial numbers, preventing potential conflicts or duplication.
garydgregory pushed a commit to apache/commons-text that referenced this pull request Aug 4, 2025
This update corrects the serial number in the VEX file, which was mistakenly copied from apache/commons-bcel#446. With this fix, all published VEX files will now have unique serial numbers, preventing potential conflicts or duplication.
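The two points a consumer of these files cares about are the ones raised in this thread: the document must be a well-formed CycloneDX VEX document with an analysis entry for the CVE in question, and its serialNumber must be a unique urn:uuid (the follow-up commit above fixed a serial that had been copy/pasted between the commons-bcel and commons-text files). The script below is an added example, not the project's own VEX file or tooling. The two documents it checks are constructed inline; the `in_triage` state and the purl `pkg:maven/org.apache.bcel/bcel` are placeholders for illustration and are not the project's actual analysis of CVE-2025-48924. It performs the checks a downstream pipeline would run after fetching the file from raw.githubusercontent.com.

```python
"""Consumer-side checks for CycloneDX VEX documents (added example)."""
import json
import uuid

# Impact analysis states defined by the CycloneDX schema (impactAnalysisState).
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}

def _vex(serial: str, detail: str) -> str:
    """Build a constructed VEX document; the analysis state is a placeholder."""
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": serial,
        "version": 1,
        "vulnerabilities": [{
            "id": "CVE-2025-48924",
            "source": {"name": "NVD",
                       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"},
            "analysis": {"state": "in_triage", "detail": detail},
            # Placeholder purl, not taken from the project's real file.
            "affects": [{"ref": "pkg:maven/org.apache.bcel/bcel"}],
        }],
    })

# Constructed sample documents. VEX_TEXT_COPY reuses the bcel serial number,
# reproducing the copy/paste mistake described in the thread.
_SERIAL_BCEL = "urn:uuid:3d4c6d3a-0c69-4d6b-9a9e-8c9c1f0a1e11"
VEX_BCEL = _vex(_SERIAL_BCEL, "placeholder analysis for commons-bcel")
VEX_TEXT_COPY = _vex(_SERIAL_BCEL, "placeholder analysis for commons-text")
VEX_TEXT_FIXED = _vex("urn:uuid:7b1e5c0e-2f3a-4b5c-8d6e-9f0a1b2c3d4e",
                      "placeholder analysis for commons-text")

def load_vex(text: str) -> dict:
    """Parse a VEX document and reject structurally invalid ones."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if "specVersion" not in doc:
        raise ValueError("missing specVersion")
    serial = doc.get("serialNumber", "")
    if not serial.startswith("urn:uuid:"):
        raise ValueError(f"serialNumber must be a urn:uuid, got {serial!r}")
    uuid.UUID(serial[len("urn:uuid:"):])  # ValueError if not a UUID
    for vuln in doc.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state")
        if state not in VALID_STATES:
            raise ValueError(f"{vuln.get('id')}: unknown analysis state {state!r}")
    return doc

def is_valid_vex(text: str) -> bool:
    """Boolean wrapper around load_vex for pipelines that just want pass/fail."""
    try:
        load_vex(text)
        return True
    except ValueError:
        return False

def analysis_for(doc: dict, vuln_id: str):
    """Return the analysis block for one CVE, or None if the VEX does not cover it."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("id") == vuln_id:
            return vuln.get("analysis")
    return None

def find_duplicate_serials(docs: dict) -> dict:
    """Map each serialNumber shared by more than one document to the names using it."""
    seen: dict = {}
    for name, text in docs.items():
        seen.setdefault(load_vex(text)["serialNumber"], []).append(name)
    return {serial: names for serial, names in seen.items() if len(names) > 1}

if __name__ == "__main__":
    doc = load_vex(VEX_BCEL)
    print("CVE-2025-48924:", analysis_for(doc, "CVE-2025-48924"))
    print("duplicates before fix:",
          find_duplicate_serials({"bcel": VEX_BCEL, "text": VEX_TEXT_COPY}))
    print("duplicates after fix:",
          find_duplicate_serials({"bcel": VEX_BCEL, "text": VEX_TEXT_FIXED}))
```

Run the duplicate check across every VEX file your pipeline ingests, not per file: a copied serial is only visible when two documents are compared, which is why the mistake above survived until the commons-text file was published.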