ppkarwasz opened a new pull request, #153: URL: https://github.com/apache/solr-site/pull/153

This pull request proposes a new design for the Apache Solr security page, as [discussed on `dev@solr`](https://lists.apache.org/thread/o6bgxv996kfrmmy7odf226twsg9bnwbj), and introduces support for richer metadata in vulnerability-related articles.

## Key Changes

* **Full YAML front matter support** in Markdown articles
  * The standard PyMarkdown `MetaExtension` only parses *flat* YAML front matter.
  * This change introduces `YamlFrontMatterExtension`, which supports complex YAML documents inside front matter.
* **Defined YAML structure for vulnerability articles**
  * Applies to vulnerabilities in Apache Solr itself or in its dependencies.
  * Contains sufficient information to generate a CycloneDX VEX file.
* **Enhanced security page**
  * Lists vulnerabilities by Solr **minor version** along with their status (`in_triage`, `not_exploitable`, `affected`).
  * Displays detailed vulnerability articles, with layout variations depending on the type and assessment state.

## Work in progress

I am still working on generating CycloneDX documents (VDR and VEX) from the Markdown articles. However, early feedback from the maintainers and the community would be valuable to ensure I am heading in the right direction before completing the implementation.

## Preview

### 1. YAML front matter

The YAML front matter of the articles looks like this:

```yaml
cve: CVE-2024-51504
jira: SOLR-17809
severity: important
category:
  - solr/vex
vulnerable_component:
  name: zookeeper
  versions:
    - introduced: 3.9.0
      last_affected: 3.9.2
impacted_component:
  name: Apache Solr
  versions:
    - introduced: 9.4.0
      fixed: 9.9.0
analysis:
  state: not_affected
  justification: requires_configuration
title: "Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server"
```

### 2. Vulnerabilities Table

Lists vulnerabilities by Solr minor version with their current status.

<details>
<summary>Show screenshot</summary>
</details>

### 3. Vulnerability Articles

#### a. Vulnerability in Solr itself

<details>
<summary>Show screenshot</summary>
</details>

#### b. VEX entry in triage

<details>
<summary>Show screenshot</summary>
</details>

#### c. VEX entry assessed

<details>
<summary>Show screenshot</summary>
</details>

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
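The pull request above describes a front matter structure that carries enough information to build a CycloneDX VEX entry and to label each Solr minor version on the security page as `in_triage`, `not_exploitable` or `affected`. The following is an added example, not code from the solr-site repository or from the pull request author, showing how a build step could derive both from that front matter. `FRONT_MATTER` is a Python dict constructed here to mirror the YAML shown in the PR (on the site it would come from the parsed front matter, e.g. `yaml.safe_load`); the `generic` vers scheme, the placeholder `bom-ref`, and the mapping from `analysis.state` to the table status are assumptions of this example, not something the PR specifies.

```python
"""Added example (not solr-site code): derive from a vulnerability
article's front matter (a) the CycloneDX VEX 'vulnerabilities[]' entry
and (b) the status shown on the per-minor-version security table.

FRONT_MATTER mirrors the YAML shown in the pull request, constructed here
as a Python dict; on the site it would be produced by parsing the
article's front matter (e.g. yaml.safe_load on the YAML block).
The page-status mapping and the bom-ref value are assumptions."""
import json

FRONT_MATTER = {
    "cve": "CVE-2024-51504",
    "jira": "SOLR-17809",
    "severity": "important",
    "category": ["solr/vex"],
    "vulnerable_component": {
        "name": "zookeeper",
        "versions": [{"introduced": "3.9.0", "last_affected": "3.9.2"}],
    },
    "impacted_component": {
        "name": "Apache Solr",
        "versions": [{"introduced": "9.4.0", "fixed": "9.9.0"}],
    },
    "analysis": {"state": "not_affected", "justification": "requires_configuration"},
    "title": "Apache ZooKeeper: Authentication bypass with IP-based "
             "authentication in Admin Server",
}


def parse_version(version: str) -> tuple:
    """'9.4' -> (9, 4, 0): pad so a minor version compares as its .0 release."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version: str, rng: dict) -> bool:
    """True if 'version' falls in an {introduced, fixed | last_affected} range.
    'fixed' is exclusive, 'last_affected' inclusive (same convention as OSV)."""
    v = parse_version(version)
    if "introduced" in rng and v < parse_version(rng["introduced"]):
        return False
    if "fixed" in rng and v >= parse_version(rng["fixed"]):
        return False
    if "last_affected" in rng and v > parse_version(rng["last_affected"]):
        return False
    return True


def range_to_vers(rng: dict) -> str:
    """Express the range in the 'vers' syntax CycloneDX accepts in
    affects[].versions[].range; the 'generic' scheme is an assumption."""
    parts = []
    if "introduced" in rng:
        parts.append(">=" + rng["introduced"])
    if "fixed" in rng:
        parts.append("<" + rng["fixed"])
    elif "last_affected" in rng:
        parts.append("<=" + rng["last_affected"])
    return "vers:generic/" + "|".join(parts)


def to_vex_entry(fm: dict) -> dict:
    """One element of a CycloneDX 'vulnerabilities' array. The 'analysis'
    object is copied as-is because the front matter already uses the
    CycloneDX state/justification vocabulary."""
    comp = fm["impacted_component"]
    entry = {
        "id": fm["cve"],
        "source": {"name": "NVD",
                   "url": "https://nvd.nist.gov/vuln/detail/" + fm["cve"]},
        "description": fm["title"],
        "affects": [{
            # bom-ref of the Solr component in the BOM: placeholder value
            "ref": "bom-ref-placeholder:" + comp["name"].lower().replace(" ", "-"),
            "versions": [{"range": range_to_vers(r), "status": "affected"}
                         for r in comp["versions"]],
        }],
    }
    if "analysis" in fm:
        entry["analysis"] = {k: v for k, v in fm["analysis"].items()
                             if k in ("state", "justification", "detail")}
    return entry


def page_status(fm: dict, minor_version: str):
    """Status label for the security table row of a Solr minor version
    (evaluated as its x.y.0 release). Assumed mapping from the front matter:
    out of range -> None (row not shown); no analysis or state in_triage ->
    'in_triage'; state not_affected/false_positive -> 'not_exploitable';
    any other state (e.g. exploitable) -> 'affected'."""
    if not any(in_range(minor_version, r)
               for r in fm["impacted_component"]["versions"]):
        return None
    state = (fm.get("analysis") or {}).get("state", "in_triage")
    if state == "in_triage":
        return "in_triage"
    if state in ("not_affected", "false_positive"):
        return "not_exploitable"
    return "affected"


if __name__ == "__main__":
    print(json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6",
                      "vulnerabilities": [to_vex_entry(FRONT_MATTER)]}, indent=2))
    for minor in ("9.3", "9.4", "9.8", "9.9"):
        print(minor, page_status(FRONT_MATTER, minor))
```

The `analysis` block is what turns a plain vulnerability disclosure (VDR) into a VEX statement: without it the entry only says which Solr versions bundle the vulnerable dependency, which is why an article lacking `analysis` lands in `in_triage` on the table rather than `affected`.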
