This is an automated email from the ASF dual-hosted git repository.

pkarwasz pushed a commit to branch feat/vex-CVE2025-48924
in repository https://gitbox.apache.org/repos/asf/commons-text.git

commit 66555b31126f1db47fb0dc702427811d99a2fdef
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Tue Jul 29 16:18:18 2025 +0200

    feat: Add experimental CycloneDX VEX file
    
    This commit introduces an experimental CycloneDX VEX document that:
    
    * Provides an analysis of **CVE-2025-48924** as it pertains to this library.
    * Is committed to the **Git repository only** (not published to Maven Central), allowing it to be retrieved via `raw.githubusercontent.com`.
    
    This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons Text.
---
 src/cyclonedx/README.md         |  61 ++++++++++++++++++++
 src/cyclonedx/VEX.cyclonedx.xml | 124 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 185 insertions(+)

diff --git a/src/cyclonedx/README.md b/src/cyclonedx/README.md
new file mode 100644
index 00000000..4376aadc
--- /dev/null
+++ b/src/cyclonedx/README.md
@@ -0,0 +1,61 @@
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+# CycloneDX Documents for Apache Commons Text
+
+The Apache Commons Text project publishes multiple 
[CycloneDX](https://cyclonedx.org/) documents to help consumers assess the 
security of their applications using this library:
+
+## SBOM (Software Bill of Materials)
+
+Beginning with version `6.6.0`, Apache Commons Text publishes SBOMs in both 
**XML** and **JSON** formats to Maven Central. These documents describe all 
components and dependencies of the library, following standard Maven 
coordinates:
+
+* **Group ID:** `org.apache.bcel`
+* **Artifact ID:** `bcel`
+* **Classifier:** `cyclonedx`
+* **Type:** `xml` or `json`
+
+Each SBOM lists the library’s required and optional dependencies, helping 
consumers analyze the software supply chain and manage dependency risk.
+
+> [!NOTE]
+> The versions listed in the SBOM reflect the dependencies used during the 
build and test process for that specific release of Text.
+> Your own project may use different versions depending on your dependency 
management configuration.
+
+## VEX (Vulnerability Exploitability eXchange)
+
+An experimental [VEX](https://cyclonedx.org/capabilities/vex/) document is 
also published:
+
+👉 
[`https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/cyclonedx/VEX.cyclonedx.xml`](VEX.cyclonedx.xml)
+
+This document provides information about the **exploitability of known 
vulnerabilities** in the **dependencies** of Apache Commons Text.
+
+### When is a dependency vulnerability exploitable?
+
+Because Apache Commons libraries (including Text) do **not** bundle their 
dependencies, a vulnerability in a dependency is only exploitable if **both** 
of the following conditions are true:
+
+1. The vulnerable dependency is included in the consuming project.
+2. Apache Commons Text is explicitly listed as affected by the vulnerability.
+
+### Notes and Limitations
+
+* This VEX document is **experimental** and provided **as-is**.
+  The semantics of this document may change in the future.
+* The **absence** of a vulnerability entry does **not** indicate that Text is 
unaffected.
+* If a version of Text is not listed under the `affects` section of a 
vulnerability, that version may still be affected or not.
+* Only the **latest major version** of Text is currently assessed for 
vulnerabilities.
+* The `analysis` field in the VEX file uses **Markdown** formatting.
+
+For more information about CycloneDX, SBOMs, or VEX, visit 
[cyclonedx.org](https://cyclonedx.org/).
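Review bot: the SBOM coordinates and the VEX link in this README still point at Commons BCEL, not Commons Text. The list gives `**Group ID:** org.apache.bcel` / `**Artifact ID:** bcel` and "Beginning with version `6.6.0`", while the VEX document in this same commit identifies the component as `<group>org.apache.commons</group>` / `<name>commons-text</name>` and Text versions are in the 1.x range; the SBOM coordinates should be `org.apache.commons` / `commons-text`, and the first Text release that published an SBOM needs to be checked rather than inherited from the BCEL README. Likewise the raw URL `https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/cyclonedx/VEX.cyclonedx.xml` names the commons-bcel repository, although the file is committed to commons-text (see the repository in the email header) and the link target in the same line is the local `VEX.cyclonedx.xml`; the host/repo part should be the commons-text repository and the default branch it actually uses. A consumer who fetches the VEX from the wrong repository would silently get BCEL's analysis instead of this one.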
diff --git a/src/cyclonedx/VEX.cyclonedx.xml b/src/cyclonedx/VEX.cyclonedx.xml
new file mode 100644
index 00000000..7ef177f8
--- /dev/null
+++ b/src/cyclonedx/VEX.cyclonedx.xml
@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!--
+  To update this document:
+    1. Increment the `version` attribute in the <bom> element.
+    2. Update the `timestamp` in the <metadata> section.
+-->
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6";
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
+     serialNumber="urn:uuid:f70dec29-fc7d-41f2-8c60-97e9075e0e73"
+     version="1">
+
+  <metadata>
+    <timestamp>2025-07-29T12:26:42Z</timestamp>
+    <component type="library" bom-ref="main_component">
+      <group>org.apache.commons</group>
+      <name>commons-text</name>
+      <cpe>cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.commons/commons-text?type=jar</purl>
+    </component>
+    <manufacturer>
+      <name>The Apache Software Foundation</name>
+      <url>https://commons.apache.org</url>
+      <contact>
+        <name>Apache Commons PMC</name>
+        <email>[email protected]</email>
+      </contact>
+      <contact>
+        <name>Apache Commons Security Team</name>
+        <email>[email protected]</email>
+      </contact>
+    </manufacturer>
+  </metadata>
+
+  <vulnerabilities>
+    <vulnerability>
+      <id>CVE-2025-48924</id>
+      <references>
+        <reference>
+          <id>GHSA-j288-q9x7-2f5v</id>
+          <source>
+            <url>https://github.com/advisories/GHSA-j288-q9x7-2f5v</url>
+          </source>
+        </reference>
+      </references>
+      <analysis>
+        <state>exploitable</state>
+        <responses>
+          <response>update</response>
+        </responses>
+        <detail>
+          CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 
and later, but only when all the following conditions are met:
+
+          * The consuming project includes a vulnerable version of Commons 
Text on the classpath.
+            As of version `1.14.1`, Commons Text no longer references a 
vulnerable version of the `commons-lang3` library in its POM file.
+          * Unvalidated or unsanitized user input is passed to the 
`StringSubstitutor` or `StringLookup` classes.
+          * An interpolator lookup created via 
`StringLookupFactory.interpolatorLookup()` is used.
+
+          If these conditions are satisfied, an attacker may cause an infinite 
loop by submitting a specially crafted input such as `${const:...}`.
+        </detail>
+        <firstIssued>2025-07-29T12:26:42Z</firstIssued>
+        <lastUpdated>2025-07-29T12:26:42Z</lastUpdated>
+      </analysis>
+      <affects>
+        <target>
+          <ref>main_component</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=1.5|<2]]></range>
+              <status>affected</status>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+  </vulnerabilities>
+
+  <annotations>
+    <annotation>
+      <annotator>
+        <individual>
+          <name>Apache Commons PMC</name>
+          <email>[email protected]</email>
+        </individual>
+      </annotator>
+      <timestamp>2025-07-29T12:26:42Z</timestamp>
+      <text>
+        This document provides information about the **exploitability of known 
vulnerabilities** in the **dependencies** of Apache Commons Text.
+
+        # When is a dependency vulnerability exploitable?
+
+        Because Apache Commons libraries do **not** bundle their dependencies, 
a vulnerability in a dependency is only exploitable if **both** of the 
following conditions are true:
+
+        1. The vulnerable dependency is included in the consuming project.
+        2. Apache Commons Text is explicitly listed as affected by the 
vulnerability.
+
+        # Notes and Limitations
+
+        * This VEX document is **experimental** and provided **as-is**.
+          The semantics of this document may change in the future.
+        * The **absence** of a vulnerability entry does **not** indicate that 
Text is unaffected.
+        * If a version of Text is not listed under the `affects` section of a 
vulnerability, that version may still be affected or not.
+        * Only the **latest major version** of Text is currently assessed for 
vulnerabilities.
+        * The `analysis` field in the VEX file uses **Markdown** formatting.
+      </text>
+    </annotation>
+  </annotations>
+</bom>
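Review bot: the `affects` range contradicts the analysis text. The range `<range><![CDATA[vers:maven/>=1.5|<2]]></range>` with `<status>affected</status>` marks every 1.x release from 1.5 onward as affected, including 1.14.1, yet `<detail>` states "As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file." A tool consuming the VEX will only see the machine-readable range, so either close it at `<1.14.1`, or keep the open range and add a second `<version>` entry for `>=1.14.1|<2` with an appropriate status, so that the structured data and the prose agree. Two smaller points in the same hunk: the first bullet in `<detail>` says the consuming project must include "a vulnerable version of Commons Text on the classpath", but per the annotation text Commons libraries do not bundle dependencies, so the actual precondition is that a vulnerable `commons-lang3` version ends up on the classpath (which a consumer can override in either direction regardless of the Text version); and the root element attributes appear as `xmlns="http://cyclonedx.org/schema/bom/1.6";` and `xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";` with a trailing `;`, which would make the file not well-formed XML if it is present in the committed file rather than being an archive rendering artifact; worth validating the file against `bom-1.6.xsd` before merging.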
