Add workflows to generate and maintain VEX entries#163
Conversation
This change introduces two GitHub workflows that partially automate the maintenance of the VEX file for Apache Solr by identifying relevant CVEs and assessing their reachability. * **`check_cve`** Scans the components of a given Solr distribution for known CVEs. For each CVE that does not yet have a corresponding VEX entry (and is not already covered by an open PR), the workflow automatically triggers `generate_vex` with the appropriate parameters. * **`generate_vex`** Analyzes the reachability of a specific CVE using metadata from the [`callgraph_metadata`](https://github.com/vex-generation-toolset/callgraph-metadata) repository and determines whether the vulnerability can impact Solr. Together, these workflows reduce the maintenance effort of maintaining the VEX file.
|
I have tested both workflows (specifically in the A few important notes on the current state:
As a result of the above, the Since this would be the first upstream deployment of the tooling, it’s likely that users will encounter bugs or limitations. For example, the reachability analysis run in vex-generation-toolset#2 was not able to detect exploitability for CVE-2025-54988 (PR #162) due to the underlying graph data. Request for feedback:
Happy to iterate on this based on feedback from the community and reviewers. |
dsmiley
left a comment
There was a problem hiding this comment.
Overall I love the direction.
It's not clear to me when these GHA workflows should/need to be run?
I think adopting this requires more/better documentation holistically on VEX and the nature of these files/directories in the website repo. Okay to link elsewhere of course but still.
| required: true | ||
| type: string | ||
| artifact_purl: | ||
| description: 'PURL of the vulnerable artifact' |
There was a problem hiding this comment.
Yes, we need the Package URL of the vulnerable component to find it in the SBOM.
Vulnerability databases (especially GitHub Advisories) should have that information for each CVE, but the quality of those records varies.
|
Hi @dsmiley, Thank you for the feedback. I'll better document the formats used by the various components and link to them from this PR. |
|
Hi.. I'm poking around as I wanted to create a VEX file for the https://nvd.nist.gov/vuln/detail/CVE-2026-42027 vulnerablity in OpenNLP for Solr 9x. I'm wondering if this PR is too ambitious to land. I'd like to see some tooling that I can run locally that lets me learn how to do this. Then maybe once that is merged, then see it be in solr-site. I also think that managing of Vex files is probably something that should be in our |
|
|
Is it possible that #153 has replaced this one? |
|
#153 and this one should be complementary:
|
This change introduces two GitHub workflows that partially automate the maintenance of the VEX file for Apache Solr by identifying relevant CVEs and assessing their reachability.
check_cveScans the components of a given Solr distribution for known CVEs. For each CVE that does not yet have a corresponding VEX entry (and is not already covered by an open PR), the workflow automatically triggersgenerate_vexwith the appropriate parameters.generate_vexAnalyzes the reachability of a specific CVE using metadata from thecallgraph_metadatarepository and determines whether the vulnerability can impact Solr.Together, these workflows reduce the maintenance effort of maintaining the VEX file.