fix: Add required action_statement field

ppkarwasz · ppkarwasz · commit 0ddf5e12211d · 2025-07-31T14:12:28.000+02:00
diff --git a/src/conf/security/VEX.cyclonedx.xml b/src/conf/security/VEX.cyclonedx.xml
@@ -64,6 +64,10 @@
           </source>
         </reference>
       </references>
+      <recommendation>
+Check if untrusted user input is passed to the `StringSubstitutor` or `StringLookup` classes,
+and if so, upgrade to Apache Commons Lang 3.18.0 or later.
+      </recommendation>
       <analysis>
         <state>exploitable</state>
         <responses>
diff --git a/src/conf/security/generate_openvex.py b/src/conf/security/generate_openvex.py
@@ -121,6 +121,13 @@ def to_openvex_statement(vuln: ET.Element, product: dict) -> dict:
     if detail:
         statement['status_notes'] = detail
 
+    remediation = _find_stripped_text(vuln, 'b:recommendation')
+    if remediation:
+        statement['action_statement'] = remediation
+    else:
+        if statement['status'] == 'affected':
+            raise ValueError("Affected vulnerabilities must have a <recommendation> element")
+
     _add_optional_date(analysis, 'b:firstIssued', statement, 'timestamp')
     _add_optional_date(analysis, 'b:lastUpdated', statement, 'last_updated')
 
diff --git a/src/conf/security/openvex.json b/src/conf/security/openvex.json
@@ -25,6 +25,7 @@
       },
       "status": "affected",
       "status_notes": "CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:\n\n* The consuming project includes a vulnerable version of Commons Text on the classpath.\n  As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.\n* Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.\n* An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.\n\nIf these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.",
+      "action_statement": "Check if untrusted user input is passed to the `StringSubstitutor` or `StringLookup` classes,\nand if so, upgrade to Apache Commons Lang 3.18.0 or later.",
       "timestamp": "2025-07-29T12:26:42Z",
       "last_updated": "2025-07-29T12:26:42Z"
     }

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,7 @@`
`25`	`25`	`},`
`26`	`26`	`"status": "affected",`
`27`	`27`	"status_notes": "CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:\n\n* The consuming project includes a vulnerable version of Commons Text on the classpath.\n As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.\n* Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.\n* An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.\n\nIf these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.",
	`28`	+ "action_statement": "Check if untrusted user input is passed to the `StringSubstitutor` or `StringLookup` classes,\nand if so, upgrade to Apache Commons Lang 3.18.0 or later.",
`28`	`29`	`"timestamp": "2025-07-29T12:26:42Z",`
`29`	`30`	`"last_updated": "2025-07-29T12:26:42Z"`
`30`	`31`	`}`