This is an automated email from the ASF dual-hosted git repository.
pkarwasz pushed a commit to branch feat/openvex-file
in repository https://gitbox.apache.org/repos/asf/commons-text.git
The following commit(s) were added to refs/heads/feat/openvex-file by this push:
new 0ddf5e12 fix: Add required `action_statement` field
0ddf5e12 is described below
commit 0ddf5e12211d9df42c99da4131606d4bdb8e793a
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Thu Jul 31 14:12:28 2025 +0200
fix: Add required `action_statement` field
---
src/conf/security/VEX.cyclonedx.xml | 4 ++++
src/conf/security/generate_openvex.py | 7 +++++++
src/conf/security/openvex.json | 1 +
3 files changed, 12 insertions(+)
diff --git a/src/conf/security/VEX.cyclonedx.xml
b/src/conf/security/VEX.cyclonedx.xml
index 85de5662..2fd4d7e4 100644
--- a/src/conf/security/VEX.cyclonedx.xml
+++ b/src/conf/security/VEX.cyclonedx.xml
@@ -64,6 +64,10 @@
</source>
</reference>
</references>
+ <recommendation>
+Check if untrusted user input is passed to the `StringSubstitutor` or
`StringLookup` classes,
+and if so, upgrade to Apache Commons Lang 3.18.0 or later.
+ </recommendation>
<analysis>
<state>exploitable</state>
<responses>
diff --git a/src/conf/security/generate_openvex.py
b/src/conf/security/generate_openvex.py
index b77e0dc8..8dd62a59 100755
--- a/src/conf/security/generate_openvex.py
+++ b/src/conf/security/generate_openvex.py
@@ -121,6 +121,13 @@ def to_openvex_statement(vuln: ET.Element, product: dict)
-> dict:
if detail:
statement['status_notes'] = detail
+ remediation = _find_stripped_text(vuln, 'b:recommendation')
+ if remediation:
+ statement['action_statement'] = remediation
+ else:
+ if statement['status'] == 'affected':
+ raise ValueError("Affected vulnerabilities must have a
<recommendation> element")
+
_add_optional_date(analysis, 'b:firstIssued', statement, 'timestamp')
_add_optional_date(analysis, 'b:lastUpdated', statement, 'last_updated')
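Review bot: The recommendation text is copied into `action_statement` with its XML line breaks intact, so the generated field in the openvex.json hunk ends up with a literal `\n` in the middle of a single sentence; collapsing interior whitespace at the assignment, `statement['action_statement'] = ' '.join(remediation.split())`, lets VEX.cyclonedx.xml wrap freely while the emitted field stays one line. The `else:` that only wraps a lone `if` on the next two lines reads more naturally as `elif statement['status'] == 'affected':`. It would also help whoever edits the XML if the ValueError named the offending vulnerability, assuming its identifier is already present on `statement` at this point. `to_openvex_statement` begins before this hunk and continues after it, so where `statement['status']` is set is not visible here.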
diff --git a/src/conf/security/openvex.json b/src/conf/security/openvex.json
index a287ca50..175568b7 100644
--- a/src/conf/security/openvex.json
+++ b/src/conf/security/openvex.json
@@ -25,6 +25,7 @@
},
"status": "affected",
"status_notes": "CVE-2025-48924 is exploitable in Apache Commons Text
versions 1.5 and later, but only when all the following conditions are
met:\n\n* The consuming project includes a vulnerable version of Commons Text
on the classpath.\n As of version `1.14.1`, Commons Text no longer references
a vulnerable version of the `commons-lang3` library in its POM file.\n*
Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or
`StringLookup` classes.\n* An interpol [...]
+ "action_statement": "Check if untrusted user input is passed to the
`StringSubstitutor` or `StringLookup` classes,\nand if so, upgrade to Apache
Commons Lang 3.18.0 or later.",
"timestamp": "2025-07-29T12:26:42Z",
"last_updated": "2025-07-29T12:26:42Z"
}