Hi Jason,

Thanks for the questions!

On 24.07.2025 18:57, Jason Gerlowski wrote:
> Questions:
> 
> 1. You mention towards the end of your email the idea of migrating the
> VEX entries to Markdown (possibly with YAML).  Is that a popular
> format for VEX files and tooling?  Do we lose anything by migrating
> away from JSON, or is there no real issue there?

What we have in `vex-input.json`[1] is not a complete CycloneDX
document, but a custom schema conceived by Arnout. The file is
post-processed by a custom Pelican plugin.

So, if we migrate away from JSON, the CycloneDX document can still be
generated in JSON format and we don't lose anything.

> 2. Do the VEX entries themselves contain the data necessary to
> generate the website features you proposed.  Maybe I'm just missing
> something, but at a glance I'm not seeing some of the data in the VEX
> file that it seems like you'd need for the website: e.g. Solr version
> information?

The current `vex-input.json` entries have some additional metadata,
besides what ends up in the VEX file. Specifically, it has the data that
ends up in the table at the end of the security page[2].

This metadata would probably need to be expanded to both produce a
better VEX file (currently the VEX file does not list the Solr versions
affected/not affected by the vulnerability) and a better security page
(e.g. allow a longer description of why a vulnerability is not
exploitable). The result might look like this:


```
---
cve: CVE-2025-48924
dependency:
  group: org.apache.commons
  name: commons-lang3
  versions:
    - introduced: 3.0
      fixed: 3.18.0
group: org.apache.solr
name: solr-core
versions:
  - introduced: 9.0.0
    last_affected: 9.8.1
    status: not_affected
    justification: vulnerable_code_not_in_execute_path
summary: Vulnerable `ClassUtils` class is not used
---

CVE-2025-48924 is **not** exploitable in Apache Solr 9.x, because the
vulnerable `ClassUtils` class from
the `commons-lang3` dependency is not used in these versions.
```

I will experiment with Arnout's `vex` Pelican extension to see if this
format is suitable.

Best,
Piotr

[1] https://github.com/apache/solr-site/blob/main/vex-input.json
[2] https://solr.apache.org/security.html#cve-reports-for-apache-solr-dependencies
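As an added example (not code from the solr-site repository or from Arnout's Pelican plugin), here is a small Python script that parses one entry in the proposed Markdown + YAML front-matter format and emits the CycloneDX vulnerability object that the JSON VEX file could still be generated from. The purl and vers range syntax, and the mapping of the OpenVEX-style `vulnerable_code_not_in_execute_path` justification to CycloneDX's `code_not_reachable`, are assumptions; the entry text is constructed from the draft above.

```python
# Added example (not solr-site code); ENTRY is constructed from the draft entry in the mail.
ENTRY = """---
cve: CVE-2025-48924
dependency:
  group: org.apache.commons
  name: commons-lang3
group: org.apache.solr
name: solr-core
versions:
  - introduced: 9.0.0
    last_affected: 9.8.1
    status: not_affected
    justification: vulnerable_code_not_in_execute_path
summary: Vulnerable `ClassUtils` class is not used
---
CVE-2025-48924 is **not** exploitable in Apache Solr 9.x.
"""
# Assumed mapping from the OpenVEX-style justification to CycloneDX's analysis vocabulary
JUSTIFICATION = {"vulnerable_code_not_in_execute_path": "code_not_reachable"}

def _parse(lines, i, indent):
    # YAML subset used above: nested mappings, '- key: value' lists, plain scalars
    node = [] if lines[i][1].startswith("- ") else {}
    while i < len(lines) and lines[i][0] == indent:
        if isinstance(node, list):  # '- k: v' opens a mapping two columns deeper
            lines[i] = (indent + 2, lines[i][1][2:])
            item, i = _parse(lines, i, indent + 2)
            node.append(item)
            continue
        key, _, value = lines[i][1].partition(":")
        i += 1
        if value.strip():
            node[key] = value.strip()
        else:  # empty value: a nested mapping or list follows on the next lines
            node[key], i = _parse(lines, i, lines[i][0])
    return node, i

def load_entry(text):  # split the '---' front matter from the Markdown body
    _, front, body = text.split("---\n", 2)
    lines = [(len(ln) - len(ln.lstrip()), ln.strip()) for ln in front.splitlines() if ln.strip()]
    return _parse(lines, 0, 0)[0], body.strip()

def to_cyclonedx(meta, body):
    # purl and vers range syntax for the product reference are assumed here
    v = meta["versions"][0]
    status = "unaffected" if v["status"] == "not_affected" else "affected"
    return {"id": meta["cve"], "description": meta["summary"],
            "affects": [{"ref": f"pkg:maven/{meta['group']}/{meta['name']}",
                         "versions": [{"range": f"vers:maven/>={v['introduced']}|<={v['last_affected']}", "status": status}]}],
            "analysis": {"state": v["status"], "justification": JUSTIFICATION[v["justification"]], "detail": body}}
```

Running `to_cyclonedx(*load_entry(ENTRY))` yields the object that would sit under `vulnerabilities[]` in the generated CycloneDX JSON, with the Markdown body carried as `analysis.detail`.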
