The Apache Commons Text project publishes multiple CycloneDX documents to help consumers assess the security of their applications using this library:
Beginning with version 6.6.0, Apache Commons Text publishes SBOMs in both XML and JSON formats to Maven Central. These documents describe all components and dependencies of the library, following standard Maven coordinates:
- Group ID: org.apache.commons
- Artifact ID: commons-text
- Classifier: cyclonedx
- Type: xml or json
Each SBOM lists the library’s required and optional dependencies, helping consumers analyze the software supply chain and manage dependency risk.
Note
The versions listed in the SBOM reflect the dependencies used during the build and test process for that specific release of Text. Your own project may use different versions depending on your dependency management configuration.
An experimental VEX document is also published:
This document provides information about the exploitability of known vulnerabilities in the dependencies of Apache Commons Text.
Because Apache Commons libraries (including Text) do not bundle their dependencies, a vulnerability in a dependency is only exploitable if both of the following conditions are true:
- The vulnerable dependency is included in the consuming project.
- Apache Commons Text is explicitly listed as affected by the vulnerability.
- This VEX document is experimental and provided as-is. The semantics of this document may change in the future.
- The absence of a vulnerability entry does not indicate that Text is unaffected.
- If a version of Text is not listed under the `affects` section of a vulnerability, that version may or may not be affected.
- Only the latest major version of Text is currently assessed for vulnerabilities.
- The `analysis` field in the VEX file uses Markdown formatting.
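As an added example, not part of the Commons Text project, the following builds the Maven Central path of the SBOM artifact from the coordinates above and applies the two exploitability conditions and the `affects` caveat to a VEX document. It assumes a simplified CycloneDX-style layout (`vulnerabilities[].affects[].ref` holding package URLs) and uses constructed ids, dependency names and versions as placeholders.

```python
import json

# Constructed, simplified CycloneDX-style VEX document; ids, purls and versions
# are placeholders, not taken from a real Commons Text release.
VEX_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "vulnerabilities": [
    {"id": "EXAMPLE-0001",
     "affects": [
       {"ref": "pkg:maven/org.example/dep-a@2.0.0"},
       {"ref": "pkg:maven/org.apache.commons/commons-text@1.0.0",
        "versions": [{"version": "1.0.0", "status": "affected"}]}],
     "analysis": {"state": "exploitable", "detail": "Reachable via **public API** (placeholder)."}},
    {"id": "EXAMPLE-0002",
     "affects": [{"ref": "pkg:maven/org.example/dep-b@3.1.0"}],
     "analysis": {"state": "in_triage", "detail": "Not yet assessed (placeholder)."}}
  ]
}"""

TEXT_PURL = "pkg:maven/org.apache.commons/commons-text"


def sbom_path(version, fmt="json"):
    """Maven repository path for the SBOM artifact: groupId org.apache.commons,
    artifactId commons-text, classifier cyclonedx, type xml or json."""
    return f"org/apache/commons/commons-text/{version}/commons-text-{version}-cyclonedx.{fmt}"


def triage(vex_text, resolved_purls, text_version):
    """Apply the two conditions from the page to every vulnerability entry.
    resolved_purls: version-qualified purls actually resolved by the consuming project.
    Returns {vuln id: 'exploitable' | 'not_in_project' | 'unknown'}."""
    doc = json.loads(vex_text)
    result = {}
    for vuln in doc.get("vulnerabilities", []):
        refs = [a["ref"] for a in vuln.get("affects", [])]
        # Condition 1: the vulnerable dependency is present in the consuming project.
        dep_present = any(r in resolved_purls for r in refs if not r.startswith(TEXT_PURL))
        # Condition 2: this Text version is explicitly listed under 'affects'.
        text_listed = f"{TEXT_PURL}@{text_version}" in refs
        if not dep_present:
            result[vuln["id"]] = "not_in_project"
        elif text_listed:
            result[vuln["id"]] = "exploitable"
        else:
            # Not being listed under 'affects' is not a clean bill of health.
            result[vuln["id"]] = "unknown"
    return result
```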
For more information about CycloneDX, SBOMs, or VEX, visit cyclonedx.org.