ppkarwasz commented on PR #163: URL: https://github.com/apache/solr-site/pull/163#issuecomment-3723662809
I have tested both workflows (specifically in the `vex-generation-toolset` fork of this repo; see, for example, vex-generation-toolset/solr-site#1 and vex-generation-toolset/solr-site#2) to validate their behavior. A few important notes on the current state:

* The workflows depend on data being available in the **callgraph metadata repository** maintained under the **vex-generation-toolset** org: [https://github.com/vex-generation-toolset/callgraph-metadata](https://github.com/vex-generation-toolset/callgraph-metadata). That repo contains call graphs for most Apache Solr 9.10.0 dependencies, but there are gaps (e.g., Scala- and Kotlin-based artifacts and some code-generated artifacts are not currently included).
* We (@openrefactorymunawar and I) are actively maintaining that repository and adding CVE root causes as they are disclosed. At the moment there is a manual review step before inclusion, but we are considering maintaining separate `reviewed` and `unreviewed` branches to improve iteration and automation.

As a result of the above, the `generate_vex` workflow can sometimes fail due to missing metadata: this is an expected limitation at this stage, not a flaw in the workflow definitions themselves.

Since this would be the first upstream deployment of the tooling, it’s likely that users will encounter bugs or limitations. For example, the reachability analysis run in vex-generation-toolset/solr-site#2 was not able to detect exploitability for CVE-2025-54988 (PR #162) due to the underlying graph data.

**Request for feedback:**

* Does the project feel comfortable adopting these workflows in the current form given the external data dependency?
* Should we provide guidance or fallback behavior for missing metadata (e.g., skip with warning vs. fail)?
* Are there suggestions for first-class integration of call graph data into the Solr project process or tooling?

Happy to iterate on this based on feedback from the community and reviewers.
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
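The comment above asks whether a run with missing call-graph metadata should be skipped with a warning or fail outright. The following is an added example, not code from the solr-site PR or from the vex-generation-toolset project: a small coverage gate that compares a build's dependencies against the artifacts for which call-graph metadata exists, reports the gaps as GitHub Actions `::warning::` / `::error::` annotations, and returns a pass/warn/fail outcome depending on a strict flag. The artifact coordinates, the `REQUIRED_ARTIFACTS` / `AVAILABLE_CALLGRAPHS` inputs, and all function names are constructed for illustration and are not taken from the callgraph-metadata repository.

```python
"""
Added example (not part of the solr-site PR or the vex-generation-toolset code):
a metadata-coverage gate modelling the "skip with warning vs. fail" fallback
discussed in the PR comment. All names and sample data are assumptions.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample data (assumption): Maven-style coordinates of a build's
# dependencies, and the artifacts for which call-graph metadata is available.
# Two entries stand in for the kinds of gaps the comment mentions (Scala-based
# and code-generated artifacts).
REQUIRED_ARTIFACTS = [
    "org.example:http-client:1.4.2",
    "org.example:json-parser:3.0.1",
    "org.example:scala-module:1.0.0",     # Scala-based, no call graph yet
    "org.example:generated-stubs:2.2.0",  # code-generated, no call graph yet
]
AVAILABLE_CALLGRAPHS = {
    "org.example:http-client:1.4.2",
    "org.example:json-parser:3.0.1",
}


@dataclass(frozen=True)
class CoverageReport:
    covered: List[str]
    missing: List[str]

    @property
    def complete(self) -> bool:
        return not self.missing


def coverage(required: Iterable[str], available: Iterable[str]) -> CoverageReport:
    """Split the required artifacts into those with and without call-graph metadata."""
    avail = set(available)
    covered, missing = [], []
    for coord in required:
        (covered if coord in avail else missing).append(coord)
    return CoverageReport(covered=sorted(covered), missing=sorted(missing))


def decide(report: CoverageReport, strict: bool) -> str:
    """Gate outcome: 'ok' (full coverage), 'warn' (gaps skipped), or 'fail' (gaps reject the run)."""
    if report.complete:
        return "ok"
    return "fail" if strict else "warn"


def annotations(report: CoverageReport, strict: bool) -> List[str]:
    """GitHub Actions workflow-command lines, one per uncovered artifact.

    Printed to stdout from a step, '::warning::' and '::error::' lines surface
    as annotations in the run summary, so the gaps are visible even when the
    run is allowed to continue.
    """
    level = "error" if strict else "warning"
    consequence = "failing the run" if strict else "reachability analysis skipped for this artifact"
    return [f"::{level}::no call-graph metadata for {coord}; {consequence}" for coord in report.missing]


def main(strict: bool = False) -> int:
    """Run the gate over the sample data; returns the process exit code."""
    report = coverage(REQUIRED_ARTIFACTS, AVAILABLE_CALLGRAPHS)
    for line in annotations(report, strict):
        print(line)
    outcome = decide(report, strict)
    print(f"covered={len(report.covered)} missing={len(report.missing)} outcome={outcome}")
    return 1 if outcome == "fail" else 0


if __name__ == "__main__":
    raise SystemExit(main(strict="--strict" in sys.argv[1:]))
```

Run as `python gate.py` for the warn-and-continue behaviour or `python gate.py --strict` to make missing metadata fail the step; in a workflow the choice could be exposed as a workflow input so the project can tighten the gate once the metadata repository's coverage improves.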
