From 1da54bbcdc7ec45741e719f695eeaf1d419aa2d9 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 29 Jul 2025 15:48:12 +0200 Subject: [PATCH 1/3] feat: Add experimental CycloneDX VEX file This commit introduces an experimental CycloneDX VEX document that: * Provides an analysis of CVE-2025-48924 as it pertains to this library. * Is committed to the **Git repository only** (not published to the website), allowing it to be retrieved via `raw.githubusercontent.com`. This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons BCEL. --- src/cyclonedx/README.md | 61 +++++++++++++++++ src/cyclonedx/VEX.cyclonedx.xml | 116 ++++++++++++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 src/cyclonedx/README.md create mode 100644 src/cyclonedx/VEX.cyclonedx.xml diff --git a/src/cyclonedx/README.md b/src/cyclonedx/README.md new file mode 100644 index 0000000000..efd47e4054 --- /dev/null +++ b/src/cyclonedx/README.md 
@@ -0,0 +1,61 @@ + + +# CycloneDX Documents for Apache Commons BCEL + +The Apache Commons BCEL project publishes multiple [CycloneDX](https://cyclonedx.org/) documents to help consumers assess the security of their applications using this library: + +## SBOM (Software Bill of Materials) + +Beginning with version `6.6.0`, Apache Commons BCEL publishes SBOMs in both **XML** and **JSON** formats to Maven Central. These documents describe all components and dependencies of the library, following standard Maven coordinates: + +* **Group ID:** `org.apache.bcel` +* **Artifact ID:** `bcel` +* **Classifier:** `cyclonedx` +* **Type:** `xml` or `json` + +Each SBOM lists the library’s required and optional dependencies, helping consumers analyze the software supply chain and manage dependency risk. + +> [!NOTE] +> The versions listed in the SBOM reflect the dependencies used during the build and test process for that specific release of BCEL. +> Your own project may use different versions depending on your dependency management configuration. + +## VEX (Vulnerability Exploitability eXchange) + +An experimental [VEX](https://cyclonedx.org/capabilities/vex/) document is also published: + +👉 [`https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/cyclonedx/VEX.cyclonedx.xml`](VEX.cyclonedx.xml) + +This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons BCEL. + +### When is a dependency vulnerability exploitable? + +Because Apache Commons libraries (including BCEL) do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true: + +1. The vulnerable dependency is included in the consuming project. +2. Apache Commons BCEL is explicitly listed as affected by the vulnerability. + +### Notes and Limitations + +* This VEX document is **experimental** and provided **as-is**. 
+ The semantics of this document may change in the future. +* The **absence** of a vulnerability entry does **not** indicate that BCEL is unaffected. +* If a version of BCEL is not listed under the `affects` section of a vulnerability, that version may still be affected or not. +* Only the **latest major version** of BCEL is currently assessed for vulnerabilities. +* The `analysis` field in the VEX file uses **Markdown** formatting. + +For more information about CycloneDX, SBOMs, or VEX, visit [cyclonedx.org](https://cyclonedx.org/). diff --git a/src/cyclonedx/VEX.cyclonedx.xml b/src/cyclonedx/VEX.cyclonedx.xml new file mode 100644 index 0000000000..06b67bb30c --- /dev/null +++ b/src/cyclonedx/VEX.cyclonedx.xml 
@@ -0,0 +1,116 @@ + + + + + + + 2025-07-29T12:26:42Z + + org.apache.bcel + bcel + cpe:2.3:a:apache:commons_bcel:*:*:*:*:*:*:*:* + pkg:maven/org.apache.bcel/bcel?type=jar + + + The Apache Software Foundation + https://commons.apache.org + + Apache Commons PMC + dev@commons.apache.org + + + Apache Commons Security Team + security@commons.apache.org + + + + + + + CVE-2025-48924 + + + GHSA-j288-q9x7-2f5v + + https://github.com/advisories/GHSA-j288-q9x7-2f5v + + + + + not_affected + code_not_reachable + + Apache Commons BCEL is *not* affected by CVE-2025-48924 because the vulnerable method `ClassUtils.getClass()` + is not used in the Apache Commons BCEL codebase nor any of its runtime dependencies. + + 2025-07-29T12:26:42Z + 2025-07-29T12:26:42Z + + + + main_component + + + =6.0|<7]]> + unaffected + + + + + + + + + + + + Apache Commons PMC + dev@commons.apache.org + + + 2025-07-29T12:26:42Z + + This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons BCEL. + + # When is a dependency vulnerability exploitable? + + Because Apache Commons libraries do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true: + + 1. The vulnerable dependency is included in the consuming project. + 2. Apache Commons BCEL is explicitly listed as affected by the vulnerability. + + # Notes and Limitations + + * This VEX document is **experimental** and provided **as-is**. + The semantics of this document may change in the future. + * The **absence** of a vulnerability entry does **not** indicate that BCEL is unaffected. + * If a version of BCEL is not listed under the `affects` section of a vulnerability, that version may still be affected or not. + * Only the **latest major version** of BCEL is currently assessed for vulnerabilities. + * The `analysis` field in the VEX file uses **Markdown** formatting. + + + + \ No newline at end of file 
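Review bot: the two conditions in the README hunk under "When is a dependency vulnerability exploitable?" contradict the limitations listed a few lines later. Condition 2 says a dependency vulnerability is only exploitable if "Apache Commons BCEL is explicitly listed as affected by the vulnerability", while "Notes and Limitations" says the absence of an entry "does not indicate that BCEL is unaffected" and that an unlisted version "may still be affected or not". Read together, a consumer can conclude that silence means safe, which is the opposite of what the caveat is trying to say. Suggest rewording condition 2 along the lines of "the VEX document does not record a `not_affected` analysis for the BCEL version in use", and tightening the third bullet to "that version has not been assessed". Two smaller points in the same hunk: the link text shows the `raw.githubusercontent.com` URL but the link target is the relative `VEX.cyclonedx.xml`, so what a reader copies and where a click lands differ; pick one. And the README says nothing about pinning or verifying the fetched document, even though the commit message expects consumers to pull it from `refs/heads/master`; a sentence recommending a commit hash or tag for a stable reference would help, since nothing in this patch adds a signature or checksum.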
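Review bot: in the VEX hunk, the `not_affected` / `code_not_reachable` entry for CVE-2025-48924 identifies the vulnerability only by its CVE and GHSA ids and names the method (`ClassUtils.getClass()`) in free text; the dependency artifact that carries that method is not named anywhere in the entry, so a scanner matching on package coordinates cannot tell which of BCEL's runtime dependencies the statement covers. Suggest naming that dependency, with the version range considered, in the `detail` text or as an additional affected-component reference, so the justification can be checked against the SBOM the README points to. Second, the `affects` range (the `=6.0|<7` expression, presumably `vers:maven/>=6.0|<7` with the `>` lost in the diff view) is the only scope statement in the file, while the README carries the "only the latest major version is assessed" caveat; state that scope in the document itself so it remains self-describing when fetched from `raw.githubusercontent.com` without the README. Third, the annotation block at the end duplicates the README text verbatim, including the sentence "The `analysis` field in the VEX file uses Markdown formatting", which reads oddly inside the VEX file itself; keep the canonical wording in one place so the two copies do not drift. Finally, the file ends with `\ No newline at end of file`; add the trailing newline.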
From b56ccbde0304d3f5c3cd13939b7089405aecb13c Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 29 Jul 2025 16:25:32 +0200 Subject: [PATCH 2/3] fix: Address review suggestions --- src/{cyclonedx => conf/security}/README.md | 0 src/{cyclonedx => conf/security}/VEX.cyclonedx.xml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename src/{cyclonedx => conf/security}/README.md (100%) rename src/{cyclonedx => conf/security}/VEX.cyclonedx.xml (100%) diff --git a/src/cyclonedx/README.md b/src/conf/security/README.md similarity index 100% rename from src/cyclonedx/README.md rename to src/conf/security/README.md diff --git a/src/cyclonedx/VEX.cyclonedx.xml b/src/conf/security/VEX.cyclonedx.xml similarity index 100% rename from src/cyclonedx/VEX.cyclonedx.xml rename to src/conf/security/VEX.cyclonedx.xml From c4a31c0d371984d147e5b2d6f5fa2ecc74de4711 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Tue, 29 Jul 2025 16:27:09 +0200 Subject: [PATCH 3/3] fix: Link in readme file --- src/conf/security/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/conf/security/README.md b/src/conf/security/README.md index efd47e4054..847f4ccc81 100644 --- a/src/conf/security/README.md +++ b/src/conf/security/README.md @@ -38,7 +38,7 @@ Each SBOM lists the library’s required and optional dependencies, helping cons An experimental [VEX](https://cyclonedx.org/capabilities/vex/) document is also published: -👉 [`https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/cyclonedx/VEX.cyclonedx.xml`](VEX.cyclonedx.xml) +👉 [`https://raw.githubusercontent.com/apache/commons-bcel/refs/heads/master/src/conf/security/VEX.cyclonedx.xml`](VEX.cyclonedx.xml) This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons BCEL.
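Review bot: the hunk in patch 3 updates the displayed URL to the new `src/conf/security/` path, but the link target on the same line is still the relative `VEX.cyclonedx.xml`, so the visible text is the raw URL while a click goes to the GitHub blob view. Either make the href the raw URL as well, or show only the relative link; showing one URL and linking to another is the kind of mismatch that gets copied into consumers' tooling. Patch 2 moves both files without touching their content, so the README's own text and the duplicated annotation inside `VEX.cyclonedx.xml` are now maintained in two places; patch 3 edits only the README, which is the first instance of the two copies drifting.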