This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-bcel.git


The following commit(s) were added to refs/heads/master by this push:
     new 31111551 feat: Add experimental CycloneDX VEX file (#446)
31111551 is described below

commit 3111155144fd7ee31ea2f13cfa90f67e49feb6bf
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue Jul 29 19:09:11 2025 +0200

    feat: Add experimental CycloneDX VEX file (#446)
    
    * feat: Add experimental CycloneDX VEX file
    
    This commit introduces an experimental CycloneDX VEX document that:
    
    * Provides an analysis of CVE-2025-48924 as it pertains to this library.
    * Is committed to the **Git repository only** (not published to the website), allowing it to be retrieved via `raw.githubusercontent.com`.
    
    This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons BCEL.
    
    * fix: Address review suggestions
    
    * fix: Link in readme file
---
 src/conf/security/README.md         |  61 +++++++++++++++++++
 src/conf/security/VEX.cyclonedx.xml | 116 ++++++++++++++++++++++++++++++++++++
 2 files changed, 177 insertions(+)

diff --git a/src/conf/security/README.md b/src/conf/security/README.md
new file mode 100644
index 00000000..847f4ccc
--- /dev/null
+++ b/src/conf/security/README.md
@@ -0,0 +1,61 @@
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+# CycloneDX Documents for Apache Commons BCEL
+
+The Apache Commons BCEL project publishes multiple 
[CycloneDX](https://cyclonedx.org/) documents to help consumers assess the 
security of their applications using this library:
+
+## SBOM (Software Bill of Materials)
+
+Beginning with version `6.6.0`, Apache Commons BCEL publishes SBOMs in both 
**XML** and **JSON** formats to Maven Central. These documents describe all 
components and dependencies of the library, following standard Maven 
coordinates:
+
+* **Group ID:** `org.apache.bcel`
+* **Artifact ID:** `bcel`
+* **Classifier:** `cyclonedx`
+* **Type:** `xml` or `json`
+
+Each SBOM lists the library’s required and optional dependencies, helping 
consumers analyze the software supply chain and manage dependency risk.
+
+> [!NOTE]
+> The versions listed in the SBOM reflect the dependencies used during the 
build and test process for that specific release of BCEL.
+> Your own project may use different versions depending on your dependency 
management configuration.
+
+## VEX (Vulnerability Exploitability eXchange)
+
+An experimental [VEX](https://cyclonedx.org/capabilities/vex/) document is 
also published:
+
+👉 
[`https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/conf/security/VEX.cyclonedx.xml`](VEX.cyclonedx.xml)
+
+This document provides information about the **exploitability of known 
vulnerabilities** in the **dependencies** of Apache Commons BCEL.
+
+### When is a dependency vulnerability exploitable?
+
+Because Apache Commons libraries (including BCEL) do **not** bundle their 
dependencies, a vulnerability in a dependency is only exploitable if **both** 
of the following conditions are true:
+
+1. The vulnerable dependency is included in the consuming project.
+2. Apache Commons BCEL is explicitly listed as affected by the vulnerability.
+
+### Notes and Limitations
+
+* This VEX document is **experimental** and provided **as-is**.
+  The semantics of this document may change in the future.
+* The **absence** of a vulnerability entry does **not** indicate that BCEL is 
unaffected.
+* If a version of BCEL is not listed under the `affects` section of a 
vulnerability, that version may still be affected or not.
+* Only the **latest major version** of BCEL is currently assessed for 
vulnerabilities.
+* The `analysis` field in the VEX file uses **Markdown** formatting.
+
+For more information about CycloneDX, SBOMs, or VEX, visit 
[cyclonedx.org](https://cyclonedx.org/).
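Review bot: The link in the VEX section shows the absolute `raw.githubusercontent.com` URL as its text but its target is the relative path `VEX.cyclonedx.xml`, so the rendered text and the real destination disagree, and the relative target only resolves when the README is viewed from inside the repository (on the Maven site or in a copied README it is a dead link); either make the target the same absolute raw URL the text shows, or show the relative path and give the raw URL as a separate line. Two wording points in "Notes and Limitations": "that version may still be affected or not" reads awkwardly and is clearer as "this document makes no statement about that version", and the sentence "Only the **latest major version** of BCEL is currently assessed" would be more useful if it named the version line the VEX file actually covers (the `affects` range in the accompanying XML is `>=6.0|<7`), so readers of the README alone know which releases the assessment applies to.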
diff --git a/src/conf/security/VEX.cyclonedx.xml 
b/src/conf/security/VEX.cyclonedx.xml
new file mode 100644
index 00000000..06b67bb3
--- /dev/null
+++ b/src/conf/security/VEX.cyclonedx.xml
@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!--
+  To update this document:
+    1. Increment the `version` attribute in the <bom> element.
+    2. Update the `timestamp` in the <metadata> section.
+-->
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6";
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
+     serialNumber="urn:uuid:f70dec29-fc7d-41f2-8c60-97e9075e0e73"
+     version="1">
+
+  <metadata>
+    <timestamp>2025-07-29T12:26:42Z</timestamp>
+    <component type="library" bom-ref="main_component">
+      <group>org.apache.bcel</group>
+      <name>bcel</name>
+      <cpe>cpe:2.3:a:apache:commons_bcel:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.bcel/bcel?type=jar</purl>
+    </component>
+    <manufacturer>
+      <name>The Apache Software Foundation</name>
+      <url>https://commons.apache.org</url>
+      <contact>
+        <name>Apache Commons PMC</name>
+        <email>[email protected]</email>
+      </contact>
+      <contact>
+        <name>Apache Commons Security Team</name>
+        <email>[email protected]</email>
+      </contact>
+    </manufacturer>
+  </metadata>
+
+  <vulnerabilities>
+    <vulnerability>
+      <id>CVE-2025-48924</id>
+      <references>
+        <reference>
+          <id>GHSA-j288-q9x7-2f5v</id>
+          <source>
+            <url>https://github.com/advisories/GHSA-j288-q9x7-2f5v</url>
+          </source>
+        </reference>
+      </references>
+      <analysis>
+        <state>not_affected</state>
+        <justification>code_not_reachable</justification>
+        <detail>
+          Apache Commons BCEL is *not* affected by CVE-2025-48924 because the 
vulnerable method `ClassUtils.getClass()`
+          is not used in the Apache Commons BCEL codebase nor any of its 
runtime dependencies.
+        </detail>
+        <firstIssued>2025-07-29T12:26:42Z</firstIssued>
+        <lastUpdated>2025-07-29T12:26:42Z</lastUpdated>
+      </analysis>
+      <affects>
+        <target>
+          <ref>main_component</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=6.0|<7]]></range>
+              <status>unaffected</status>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+  </vulnerabilities>
+
+  <annotations>
+    <annotation>
+      <annotator>
+        <individual>
+          <name>Apache Commons PMC</name>
+          <email>[email protected]</email>
+        </individual>
+      </annotator>
+      <timestamp>2025-07-29T12:26:42Z</timestamp>
+      <text>
+        This document provides information about the **exploitability of known 
vulnerabilities** in the **dependencies** of Apache Commons BCEL.
+
+        # When is a dependency vulnerability exploitable?
+
+        Because Apache Commons libraries do **not** bundle their dependencies, 
a vulnerability in a dependency is only exploitable if **both** of the 
following conditions are true:
+
+        1. The vulnerable dependency is included in the consuming project.
+        2. Apache Commons BCEL is explicitly listed as affected by the 
vulnerability.
+
+        # Notes and Limitations
+
+        * This VEX document is **experimental** and provided **as-is**.
+          The semantics of this document may change in the future.
+        * The **absence** of a vulnerability entry does **not** indicate that 
BCEL is unaffected.
+        * If a version of BCEL is not listed under the `affects` section of a 
vulnerability, that version may still be affected or not.
+        * Only the **latest major version** of BCEL is currently assessed for 
vulnerabilities.
+        * The `analysis` field in the VEX file uses **Markdown** formatting.
+      </text>
+    </annotation>
+  </annotations>
+</bom>
\ No newline at end of file
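Review bot: The maintenance comment at the top of the file lists only two steps ("Increment the `version` attribute in the <bom> element" and "Update the `timestamp` in the <metadata> section") but omits the per-vulnerability `<lastUpdated>` element inside `<analysis>`, which is what consumers read to see when an assessment was last revisited; add a third step so `lastUpdated` is refreshed whenever the CVE-2025-48924 analysis is re-evaluated. The `unaffected` range `vers:maven/>=6.0|<7` also covers 6.x releases that do not exist yet, so the `code_not_reachable` justification is asserted in advance for code that has not been written; either bound the upper end to the latest released version or state in `<detail>` that the range is re-verified on each release. As the hunk appears in this mail, the `xmlns`, `xmlns:xsi` and `xsi:schemaLocation` attribute values are followed by a stray `;` (for example `xmlns="http://cyclonedx.org/schema/bom/1.6";`), which would make the document ill-formed XML; if that is an artifact of the mail archive rather than of the committed file it can be ignored, otherwise the semicolons must be removed before any CycloneDX tool will parse the file. Finally, the annotation `<text>` repeats the README's "When is a dependency vulnerability exploitable?" and "Notes and Limitations" sections almost verbatim and has already diverged in its first paragraph ("Apache Commons libraries" versus "Apache Commons libraries (including BCEL)"), so the two copies will drift; keep the full text in one place and reference it from the other.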
