ppkarwasz commented on PR #153: URL: https://github.com/apache/solr-site/pull/153#issuecomment-4645755644
@epugh: go ahead and improve this PR. There is one part of the PR that can be simplified: the `yaml_front_matter` extension should be replaced with the [`yaml-metadata`](https://github.com/pelican-plugins/yaml-metadata) external extension, so we don't have to maintain it.

Regarding the generation of the VEX file, this should absolutely be done by an agent. PR #163 is sooo last year… These days we should probably have a workflow that:

1. Downloads the source code of all dependencies on the path Solr -> vulnerability. This is still not a trivial task (the `<scm>` metadata in the POMs is often incorrect), but we have a small manually validated database in [`callgraph-metadata`](https://github.com/vex-generation-toolset/callgraph-metadata). Later on we could replace it with something better: AboutCode and OSS Review Toolkit each have their own way to find the source code.
2. The callgraph metadata can be used to generate reachable paths like in vex-generation-toolset/solr-site#1.
3. Everything could be fed to an agent to validate each path and determine when it is exploitable.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
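As an added illustration of steps 2 and 3 of the workflow sketched in the comment above (this is example code, not part of the PR, the `callgraph-metadata` repository, or the vex-generation-toolset), the script below walks a small call graph from a Solr entry point to a vulnerable function and turns the outcome into an OpenVEX-style statement. The call graph, method names, package URL and vulnerability id are all constructed placeholders; the real callgraph metadata would replace the `CALL_GRAPH` dictionary. A reachable path is emitted as `under_investigation` with the path recorded for the reviewer (human or agent) to validate, and the absence of any path yields `not_affected` with the `vulnerable_code_not_in_execute_path` justification.

```python
"""Added example: reachable-path analysis over a call graph, then an
OpenVEX-style statement. Every identifier below is a constructed
placeholder, not data from Solr or its dependencies."""
from collections import deque
import json

# Constructed call graph: caller -> list of callees ("module:Class.method").
CALL_GRAPH = {
    "solr:SearchHandler.handleRequest": ["lib-a:Parser.parse", "lib-b:Util.log"],
    "lib-a:Parser.parse": ["lib-a:Parser.parseInternal"],
    "lib-a:Parser.parseInternal": ["lib-c:Decoder.decode"],
    "lib-b:Util.log": [],
    "lib-c:Decoder.decode": ["lib-c:Decoder.vulnerableDecode"],
    "lib-c:Decoder.vulnerableDecode": [],
    # A second caller of the vulnerable method that Solr never invokes.
    "lib-c:Decoder.unusedEntry": ["lib-c:Decoder.vulnerableDecode"],
}

ENTRY_POINT = "solr:SearchHandler.handleRequest"
VULNERABLE_SINK = "lib-c:Decoder.vulnerableDecode"
PRODUCT_PURL = "pkg:maven/org.example/placeholder-product@0.0.0"  # placeholder
VULN_ID = "CVE-0000-00000"  # placeholder id, not a real advisory


def reachable_paths(graph, start, target, max_paths=10):
    """Breadth-first search collecting distinct simple paths start -> target.
    Cycles are cut by refusing to revisit a node already on the path."""
    paths = []
    queue = deque([[start]])
    while queue and len(paths) < max_paths:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        for callee in graph.get(node, []):
            if callee not in path:
                queue.append(path + [callee])
    return paths


def vex_statement(vuln_id, product, paths):
    """One OpenVEX-style statement. A found path is not proof of
    exploitability, so it is flagged for review rather than 'affected';
    no path at all justifies 'not_affected'."""
    statement = {
        "vulnerability": {"name": vuln_id},
        "products": [{"@id": product}],
    }
    if paths:
        statement["status"] = "under_investigation"
        statement["status_notes"] = (
            f"{len(paths)} reachable path(s); first: " + " -> ".join(paths[0])
        )
    else:
        statement["status"] = "not_affected"
        statement["justification"] = "vulnerable_code_not_in_execute_path"
    return statement


def vex_document(statements):
    """Wrap statements in a minimal OpenVEX-style document (placeholder ids)."""
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "https://example.invalid/vex/placeholder",  # placeholder
        "author": "placeholder-author",
        "version": 1,
        "statements": statements,
    }


def analyze(graph, entry, sink, vuln_id, product):
    """Run the path search and return the resulting statement."""
    return vex_statement(vuln_id, product, reachable_paths(graph, entry, sink))


if __name__ == "__main__":
    stmt = analyze(CALL_GRAPH, ENTRY_POINT, VULNERABLE_SINK, VULN_ID, PRODUCT_PURL)
    print(json.dumps(vex_document([stmt]), indent=2))
```

Running it prints a document whose single statement is `under_investigation` because the constructed graph has exactly one path from `handleRequest` through `Parser.parse`, `parseInternal` and `Decoder.decode` to the sink; swapping the entry point for a function that never reaches the sink (for example `lib-b:Util.log`) produces a `not_affected` statement instead. An agent-driven step 3 would consume the recorded path and decide whether the arguments along it are attacker-controllable before the status is promoted to `affected` or downgraded to `not_affected`.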
