Copilot commented on code in PR #22:
URL: https://github.com/apache/logging-site/pull/22#discussion_r3064644145


##########
src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc:
##########
@@ -37,7 +334,7 @@ For brevity, mathematical interval notation is used, with 
the union operator (`
 |Summary |Missing TLS hostname verification in Socket appender
 |CVSS 4.x Score & Vector |6.3 MEDIUM 
(CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N)
 |Components affected |Log4j Core
-|Versions affected |`[2.0-beta9, 2.25.3)`
+|Versions affected |`[2.0-beta9, 2.25.3) ∪ [3.0.0-alpha1, 3.0.0-beta3]`
 |Versions fixed |`2.25.3`
 |===
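Review bot: the `Versions fixed` row still lists only `2.25.3`, while the new `Versions affected` range adds `[3.0.0-alpha1, 3.0.0-beta3]` with a closed upper bound, so every published 3.x pre-release is marked affected and no 3.x fix version is named. Either add the 3.x release that carries the fix to `Versions fixed`, or state that no fixed 3.x release exists yet, so readers on the 3.0.0 pre-releases are not left with a range that has no exit.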

Review Comment:
   The `Versions affected` row for CVE-2025-68161 was updated to include Log4j 
3.0.0 pre-releases, but the description text below still says the issue affects 
versions `2.0-beta9` through `2.25.2`. Please update the description to match 
the new affected range (or make it version-neutral) to avoid publishing 
contradictory guidance.



##########
src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc:
##########
@@ -29,6 +29,303 @@ Version ranges follow the 
https://github.com/package-url/vers-spec/blob/main/VER
 For brevity, mathematical interval notation is used, with the union operator 
(`∪`) to represent multiple ranges.
 ====
 
+[#CVE-2026-40023]
+== {cve-url-prefix}/CVE-2026-40023[CVE-2026-40023]
+
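Review bot: the new heading `== {cve-url-prefix}/CVE-2026-40023[CVE-2026-40023]` relies on the `cve-url-prefix` attribute being defined for this page; if it is not set in the page header or the Antora component descriptor, AsciiDoc's default `attribute-missing=skip` leaves the `{cve-url-prefix}` text in the rendered output and the link breaks. Confirm the attribute is defined where the existing CVE sections already use it, and keep the same `[#CVE-…]` anchor plus heading form for the other sections added in this hunk.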

Review Comment:
   PR description says this change "adds 8 new CVEs", but the diff appears to 
add 7 new CVE sections and updates an existing CVE-2025-68161 entry. Consider 
adjusting the PR description wording/table heading to avoid confusion for 
reviewers and release notes.



##########
src/site/static/cyclonedx/vdr.xml:
##########
@@ -40,11 +40,11 @@
 <bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
      xmlns="http://cyclonedx.org/schema/bom/1.6";
      xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 
https://cyclonedx.org/schema/bom-1.6.xsd";
-     version="5"
+     version="6"
      serialNumber="urn:uuid:dfa35519-9734-4259-bba1-3e825cf4be06">
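Review bot: incrementing `version` from `5` to `6` while keeping `serialNumber` is the CycloneDX model for revising an existing BOM (the serial number identifies the BOM, the version its revision), so a new UUID is not required here. What should accompany the bump, outside this hunk, is an updated `metadata/timestamp`, so that consumers that track the VDR by `serialNumber` and `version` can also see when revision 6 was produced.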

Review Comment:
   The BOM `version` was incremented, but the `serialNumber` remained 
unchanged. In CycloneDX, `serialNumber` is intended to uniquely identify a 
specific BOM instance; reusing it across revisions can confuse consumers that 
deduplicate/track BOMs by serial. Consider generating a new UUID for 
`serialNumber` when publishing a new BOM version (or omit `serialNumber` if you 
don’t want this behavior).
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]