I'm grateful for those involved in this initiative.  I've spent time being
responsible for remediating **non-exploitable** vulnerabilities, which is a
waste of time plaguing our industry.

~ David

On Thu, Jul 10, 2025 at 9:08 AM Piotr P. Karwasz <pi...@mailing.copernik.eu>
wrote:

> Hi all,
>
> I'm happy to share that the VEX initiative I previously discussed with
> the PMC on `private@solr` ([1], [2]) has now been approved. Over the
> next six months, we'll be working to bring this initiative to life.
>
> Our goal is to make Vulnerability Exploitability eXchange (VEX) files a
> practical reality in the open source ecosystem, starting within the
> Apache Software Foundation.
>
> ### Why VEX?
>
> As many of you know, the upcoming **Cyber Resilience Act** will require
> that:
>
> > Products with digital elements shall:
> > (a) be made available on the market without known exploitable
> vulnerabilities;
>
> For Solr integrators, simply publishing a Software Bill of Materials
> (SBOM) is not enough. While SBOMs list all upstream dependencies and can
> demonstrate the absence of known vulnerabilities at a specific point in
> time, they rarely remain clean for long. In practice, maintaining a
> vulnerability-free SBOM could require unscheduled Solr releases every
> month or two—diverting valuable volunteer time that could be better
> spent elsewhere.
>
> A more viable alternative is for Solr to demonstrate that it is free of
> **exploitable** vulnerabilities. That’s where VEX files come in.
>
> A VEX file (such as the one Arnout and Jason maintain[3]) allows us to
> assert that while a known vulnerability may exist in a dependency, it is
> not actually exploitable in Solr. This means:
>
> * No emergency patch release is necessary.
> * The issue can be resolved in the next scheduled release.
> * Solr integrators remains compliant with future regulatory requirements.
> * Solr retains its reputation as a secure, production-ready solution for
> commercial users.
>
> ### The Challenge
>
> Unfortunately, creating and maintaining VEX files manually is difficult
> and time-consuming. Determining whether a vulnerability is truly
> exploitable often requires:
>
> * Identifying the exact method or code path involved.
> * Tracing through multiple layers of dependencies.
> * Ensuring reachability and exploitability conditions are met.
>
> In some cases, the effort may be comparable to that of cutting a patch
> release.
>
> Our initiative aims to **automate** and **streamline** this process,
> making VEX generation more efficient and reliable for Solr. If time
> permits, we also hope to extend support to other ASF applications used
> within Solr, such as Kafka, Hadoop, and ZooKeeper.
>
> ### Main goals
>
> Our initiative will develop a set of open source tools, licensed under
> the Apache-2.0 License, and published under the vex-generation-toolset
> GitHub organization[4]. These tools aim to support VEX generation for
> Solr and potentially other ASF projects. The planned components include:
>
> 1.  Java Call Graph Generator – An open source tool derived from
> OpenRefactory’s commercial solution to analyze code structure and
> generate call graphs.
>
> 2.  Vulnerability-to-Source Mapper – An AI-assisted tool that identifies
> the specific class or method responsible for a vulnerability, even when
> that detail is missing from the CVE description.
>
> 3.  Reachability Analysis Tool – A component that maps out the call
> paths from Solr to the vulnerable code and stores the results in a
> format to be defined.
>
> 4.  VEX Report Generator – A tool that integrates the above components
> and produces a report to assist Solr maintainers in drafting accurate
> VEX statements.
>
> These tools will be developed by OpenRefactory, but suggestions are
> welcome.
>
> On my end, I will focus on integrating this tooling into ASF
> infrastructure generally, and Solr’s project automation specifically. As
> some of you know, over the past year we’ve fully automated the release
> process for Apache Log4j [5], making it one of the few ASF projects
> approved for CI-based releases.
>
> With your collaboration, I’d like to bring similar automation to
> Solr—especially around vulnerability management in third-party
> dependencies—but we don't have to stop there.
>
> Since this is an experimental initiative, some details are still in
> flux. However, I’m confident we can refine them as we move forward and
> arrive at a solution tailored for Solr that’s reusable by other open
> source projects as well. I’ll start by gathering your input here on the
> mailing list, and for more security-policy-oriented discussions, on
> `security-discuss@a.o`.
>
> Feel free to reach out to me on ASF Slack with any ideas, questions, or
> requests.
>
> Best regards,
> Piotr
>
> [1] https://lists.apache.org/thread/d0p3rgwf7mhltg2sxxmjz9s15clqffjf
> [2] https://lists.apache.org/thread/1hypz5obxf22zc7tnhv668cyvpw799v2
> [3] https://github.com/apache/solr-site/blob/main/vex-input.json
> [4] https://github.com/vex-generation-toolset
> [5]
> https://logging.apache.org/logging-parent/release-instructions-project.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> For additional commands, e-mail: dev-h...@solr.apache.org
>
>

Reply via email to