List every VEX file on the CVE Dependencies along with their status #191
Merged
Show every VEX entry in security-dependency-cves.html regardless of analysis.state or whether it names vulnerable JARs (previously only non-exploitable, JAR-bearing entries were listed), and render analysis.state as a colored cdx-* tag. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
cc @ppkarwasz
Pull request overview
Updates the Solr website’s dependency CVE status page to show more VEX-derived information directly in the table, including the assessed state for each entry.
Changes:
- Adjusts the dependency CVE table to iterate over all provided VEX entries (no longer filtering out exploitable ones) and renders the analysis.state as a styled label.
- Updates the page intro text to reflect that the table includes the assessed state.
- Changes the Pelican VEX plugin to expose all parsed VEX entries to the dependency CVE table template.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| themes/solr/templates/security-dependency-cves.html | Updates copy, expands table iteration, and adds a state label class for VEX analysis state. |
| plugins/vex/vex.py | Changes the VEX context provided to the dependency CVE table to include all VEX entries. |
Comments suppressed due to low confidence (1)
themes/solr/templates/security-dependency-cves.html:39
- Some VEX entries intentionally omit cve (e.g. catch-all dependency notes like velocity-tools/tika-core), which results in v.ids being empty. The table currently renders an empty ID cell in that case; consider rendering an em dash (matching vex.html's behavior) to avoid blank rows/cells.
{% for id in v.ids %}
{% if id.startswith('CVE') %}<a href="https://nvd.nist.gov/vuln/detail/{{ id }}">{{ id }}</a>{% elif id.startswith('GHSA') %}<a href="https://github.com/advisories/{{ id }}">{{ id }}</a>{% else %}{{ id }}{% endif %}
{%- if not loop.last %}, {% endif %}
{% endfor %}
</td>
Comment on lines +160 to +162
| def generator_initialized(generator): | ||
| # The dependency-CVE table (security-dependency-cves.html) lists the entries | ||
| # that name vulnerable JARs; advisory-only entries (no 'jars') are excluded. | ||
| articles = read_vex_articles(generator.settings['PATH']) | ||
| generator.context["vex"] = [a for a in articles if a['jars']] | ||
| # The CVE table (security-dependency-cves.html) lists every VEX entry. | ||
| generator.context["vex"] = read_vex_articles(generator.settings['PATH']) |
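Review bot: Dropping the `a['jars']` filter means advisory-only entries (no `jars`) and entries without a `cve` now reach security-dependency-cves.html, so the template's ID and JAR columns need an explicit empty-value rendering (an em dash, as the suppressed template comment suggests) or those rows will show blank cells. The replacement comment "lists every VEX entry" would also benefit from a note that including advisory-only entries is deliberate, because the removed comment documented the opposite rule and a later reader may otherwise be tempted to reinstate the filter.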
… they go in the main security page
Turns out there are dependencies that have CVEs that are exploitable in Solr according to the VEX standard, that don't have a Solr-specific CVE, or show up in that listing.
This changes the table to show all VEX entries, regardless of state (exploitable or not), and displays that information as a label:
Notice the first two items; they are issues with OpenNLP in the Solr 9 branch that I am creating new VEX entries for and will open a separate PR.
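To make the before/after behaviour concrete, here is an added illustration of the VEX-to-table flow this PR changes. It is not the Solr website's plugins/vex/vex.py: the real read_vex_articles and the project's VEX file format are not shown in the PR, so this model assumes a CycloneDX VEX JSON document (the cdx-* tag names point at CycloneDX), derives JAR names from Maven purls in affects[].ref, and uses constructed placeholder identifiers. The function names (parse_vex, select_entries, id_link, render_row) are my own. It goes slightly beyond the PR text by also escaping values and rendering an em dash for empty ID and JAR cells, which is the suppressed review comment's suggestion.

```python
"""Added illustration of the VEX-to-table flow this PR changes. It is not the
Solr website's plugins/vex/vex.py, whose read_vex_articles and input format are
not shown in the PR.

Assumptions (mine, not the project's): the input is a CycloneDX VEX JSON
document; each vulnerabilities[] entry carries an optional 'id', an
'analysis.state' and 'affects[].ref' Maven purls from which JAR names are
derived. All identifiers and purls below are constructed placeholders.
"""
import html
import json

# analysis.state values defined by CycloneDX; the template's cdx-* class name
# is derived from the state, so reject anything outside this set early.
CDX_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
              "in_triage", "false_positive", "not_affected"}

# Constructed sample document; CVE-0000-0001 and GHSA-0000-0000-0000 are not
# real advisories.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "analysis": {"state": "not_affected"},
         "affects": [{"ref": "pkg:maven/org.example/foo-lib@1.2.3"}]},
        {"id": "GHSA-0000-0000-0000", "analysis": {"state": "exploitable"},
         "affects": [{"ref": "pkg:maven/org.example/bar-lib@4.5.6"}]},
        # Catch-all note with no advisory id and no affected JAR, the kind of
        # entry the review comment says ends up with an empty v.ids.
        {"analysis": {"state": "not_affected"}, "affects": [],
         "description": "optional dependency not shipped with the distribution"},
    ],
})


def jar_name(purl):
    """Map a Maven purl to the artifact-version.jar name it ships as."""
    if not purl.startswith("pkg:maven/"):
        return None
    path, _, version = purl[len("pkg:maven/"):].partition("@")
    artifact = path.rsplit("/", 1)[-1]
    version = version.split("?", 1)[0]  # strip purl qualifiers
    return f"{artifact}-{version}.jar" if version else f"{artifact}.jar"


def parse_vex(text):
    """Turn a CycloneDX VEX document into the flat entries a template iterates."""
    entries = []
    for vuln in json.loads(text).get("vulnerabilities", []):
        # Assumed default when analysis is absent: the entry is still in triage.
        state = vuln.get("analysis", {}).get("state", "in_triage")
        if state not in CDX_STATES:
            raise ValueError(f"unknown analysis.state {state!r}")
        jars = [j for j in (jar_name(a.get("ref", ""))
                            for a in vuln.get("affects", [])) if j]
        entries.append({
            "ids": [vuln["id"]] if "id" in vuln else [],
            "state": state,
            "jars": jars,
            "description": vuln.get("description", ""),
        })
    return entries


def select_entries(entries, show_all=True):
    """show_all=False reproduces the old table (non-exploitable, JAR-bearing
    entries only); show_all=True is the behaviour after this PR."""
    if show_all:
        return list(entries)
    return [e for e in entries if e["jars"] and e["state"] != "exploitable"]


def id_link(vid):
    """Link CVE ids to NVD and GHSA ids to GitHub advisories, as the template does."""
    vid = html.escape(vid)
    if vid.startswith("CVE"):
        return f'<a href="https://nvd.nist.gov/vuln/detail/{vid}">{vid}</a>'
    if vid.startswith("GHSA"):
        return f'<a href="https://github.com/advisories/{vid}">{vid}</a>'
    return vid


def render_row(entry):
    """One table row: ids, JARs, and the state as a cdx-* label. Empty id or
    JAR lists render as an em dash rather than a blank cell."""
    ids_cell = ", ".join(id_link(i) for i in entry["ids"]) or "&mdash;"
    jars_cell = ", ".join(html.escape(j) for j in entry["jars"]) or "&mdash;"
    state = entry["state"]
    state_cell = f'<span class="cdx-{state}">{state}</span>'
    return f"<tr><td>{ids_cell}</td><td>{jars_cell}</td><td>{state_cell}</td></tr>"


if __name__ == "__main__":
    entries = parse_vex(SAMPLE_VEX)
    print("old table rows:", len(select_entries(entries, show_all=False)))
    print("new table rows:", len(select_entries(entries)))
    for e in select_entries(entries):
        print(render_row(e))
```

Running it shows the effect the PR description reports: the old selection keeps only the not_affected entry that names a JAR, so the exploitable GHSA entry and the catch-all note never appeared, while the new selection emits all three rows with their state label.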