janhoy commented on code in PR #168: URL: https://github.com/apache/solr-site/pull/168#discussion_r3060809178
########## content/pages/security-dependency-cves.md: ########## @@ -0,0 +1,24 @@ +Title: Solr™ CVE Status for Dependencies +URL: security-dependency-cves.html +save_as: security-dependency-cves.html +template: security-dependency-cves + +Apache Solr depends on many third-party libraries. Security scanners routinely flag CVEs in +those libraries, but a CVE in a dependency does not automatically mean Solr is vulnerable — +it depends on whether Solr actually exercises the affected code path in a way that can be exploited. + +We publish our assessment of dependency CVEs in a machine-readable +**[VEX (Vulnerability Exploitability eXchange)](https://cyclonedx.org/capabilities/vex/)** file. +VEX is an emerging standard that lets vendors state explicitly whether a CVE applies to their product, Review Comment: ```suggestion VEX is an open standard that lets vendors state explicitly whether a CVE applies to their product, ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
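Review bot: The paragraph beginning "We publish our assessment of dependency CVEs in a machine-readable VEX file" says a VEX file exists but, within the lines shown, never says which VEX format it is or where it is published. The link goes to cyclonedx.org/capabilities/vex, so the file is presumably CycloneDX VEX rather than OpenVEX or CSAF VEX; name the format and give a stable URL for the file (and, if applicable, how often it is regenerated per release) so scanner users can actually consume it, e.g. "We publish our assessment ... as a CycloneDX VEX document at <URL>." The suggested change from "emerging standard" to "open standard" is an improvement, since the preceding sentence already says "machine-readable", and "emerging" undercuts the claim that scanners can rely on it. The frontmatter also declares `template: security-dependency-cves`; please confirm that template is part of this PR, since the page will not render without it.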
