feat: Add experimental CycloneDX VEX file (#683)

* feat: Add experimental CycloneDX VEX file

This commit introduces an experimental CycloneDX VEX document that:

* Provides an analysis of **CVE-2025-48924** as it pertains to this library.
* Is committed to the **Git repository only** (not published to Maven Central), allowing it to be retrieved via `raw.githubusercontent.com`.

This VEX file is intended to support consumers in evaluating the exploitability of known vulnerabilities in Apache Commons Text.

* fix: Move files and fix copy/paste problems

Moves files as suggested in apache/commons-bcel#446 and fixes copy/paste mistakes.

Author: ppkarwasz

src/conf/security/README.md

@@ -0,0 +1,61 @@
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+# CycloneDX Documents for Apache Commons Text
+
+The Apache Commons Text project publishes multiple [CycloneDX](https://cyclonedx.org/) documents to help consumers assess the security of their applications using this library:
+
+## SBOM (Software Bill of Materials)
+
+Beginning with version `6.6.0`, Apache Commons Text publishes SBOMs in both **XML** and **JSON** formats to Maven Central. These documents describe all components and dependencies of the library, following standard Maven coordinates:
+
+* **Group ID:** `org.apache.commons`
+* **Artifact ID:** `commons-text`
+* **Classifier:** `cyclonedx`
+* **Type:** `xml` or `json`
+
+Each SBOM lists the library’s required and optional dependencies, helping consumers analyze the software supply chain and manage dependency risk.
+
+> [!NOTE]
+> The versions listed in the SBOM reflect the dependencies used during the build and test process for that specific release of Text.
+> Your own project may use different versions depending on your dependency management configuration.
+
+## VEX (Vulnerability Exploitability eXchange)
+
+An experimental [VEX](https://cyclonedx.org/capabilities/vex/) document is also published:
+
+👉 [`https://raw.githubusercontent.com/apache/commons-text/refs/heads/master/src/conf/security/VEX.cyclonedx.xml`](VEX.cyclonedx.xml)
+
+This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons Text.
+
+### When is a dependency vulnerability exploitable?
+
+Because Apache Commons libraries (including Text) do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true:
+
+1. The vulnerable dependency is included in the consuming project.
+2. Apache Commons Text is explicitly listed as affected by the vulnerability.
+
+### Notes and Limitations
+
+* This VEX document is **experimental** and provided **as-is**.
+  The semantics of this document may change in the future.
+* The **absence** of a vulnerability entry does **not** indicate that Text is unaffected.
+* If a version of Text is not listed under the `affects` section of a vulnerability, that version may still be affected or not.
+* Only the **latest major version** of Text is currently assessed for vulnerabilities.
+* The `analysis` field in the VEX file uses **Markdown** formatting.
+
+For more information about CycloneDX, SBOMs, or VEX, visit [cyclonedx.org](https://cyclonedx.org/).

src/conf/security/VEX.cyclonedx.xml

@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements.  See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to you under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License.  You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+<!--
+  To update this document:
+    1. Increment the `version` attribute in the <bom> element.
+    2. Update the `timestamp` in the <metadata> section.
+-->
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6"
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+     xsi:schemaLocation="http://cyclonedx.org/schema/bom/1.6 https://cyclonedx.org/schema/bom-1.6.xsd"
+     serialNumber="urn:uuid:f70dec29-fc7d-41f2-8c60-97e9075e0e73"
+     version="1">
+
+  <metadata>
+    <timestamp>2025-07-29T12:26:42Z</timestamp>
+    <component type="library" bom-ref="main_component">
+      <group>org.apache.commons</group>
+      <name>commons-text</name>
+      <cpe>cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*</cpe>
+      <purl>pkg:maven/org.apache.commons/commons-text?type=jar</purl>
+    </component>
+    <manufacturer>
+      <name>The Apache Software Foundation</name>
+      <url>https://commons.apache.org</url>
+      <contact>
+        <name>Apache Commons PMC</name>
+        <email>[email protected]</email>
+      </contact>
+      <contact>
+        <name>Apache Commons Security Team</name>
+        <email>[email protected]</email>
+      </contact>
+    </manufacturer>
+  </metadata>
+
+  <vulnerabilities>
+    <vulnerability>
+      <id>CVE-2025-48924</id>
+      <references>
+        <reference>
+          <id>GHSA-j288-q9x7-2f5v</id>
+          <source>
+            <url>https://github.com/advisories/GHSA-j288-q9x7-2f5v</url>
+          </source>
+        </reference>
+      </references>
+      <analysis>
+        <state>exploitable</state>
+        <responses>
+          <response>update</response>
+        </responses>
+        <detail>
+          CVE-2025-48924 is exploitable in Apache Commons Text versions 1.5 and later, but only when all the following conditions are met:
+
+          * The consuming project includes a vulnerable version of Commons Text on the classpath.
+            As of version `1.14.1`, Commons Text no longer references a vulnerable version of the `commons-lang3` library in its POM file.
+          * Unvalidated or unsanitized user input is passed to the `StringSubstitutor` or `StringLookup` classes.
+          * An interpolator lookup created via `StringLookupFactory.interpolatorLookup()` is used.
+
+          If these conditions are satisfied, an attacker may cause an infinite loop by submitting a specially crafted input such as `${const:...}`.
+        </detail>
+        <firstIssued>2025-07-29T12:26:42Z</firstIssued>
+        <lastUpdated>2025-07-29T12:26:42Z</lastUpdated>
+      </analysis>
+      <affects>
+        <target>
+          <ref>main_component</ref>
+          <versions>
+            <version>
+              <range><![CDATA[vers:maven/>=1.5|<2]]></range>
+              <status>affected</status>
+            </version>
+          </versions>
+        </target>
+      </affects>
+    </vulnerability>
+  </vulnerabilities>
+
+  <annotations>
+    <annotation>
+      <annotator>
+        <individual>
+          <name>Apache Commons PMC</name>
+          <email>[email protected]</email>
+        </individual>
+      </annotator>
+      <timestamp>2025-07-29T12:26:42Z</timestamp>
+      <text>
+        This document provides information about the **exploitability of known vulnerabilities** in the **dependencies** of Apache Commons Text.
+
+        # When is a dependency vulnerability exploitable?
+
+        Because Apache Commons libraries do **not** bundle their dependencies, a vulnerability in a dependency is only exploitable if **both** of the following conditions are true:
+
+        1. The vulnerable dependency is included in the consuming project.
+        2. Apache Commons Text is explicitly listed as affected by the vulnerability.
+
+        # Notes and Limitations
+
+        * This VEX document is **experimental** and provided **as-is**.
+          The semantics of this document may change in the future.
+        * The **absence** of a vulnerability entry does **not** indicate that Text is unaffected.
+        * If a version of Text is not listed under the `affects` section of a vulnerability, that version may still be affected or not.
+        * Only the **latest major version** of Text is currently assessed for vulnerabilities.
+        * The `analysis` field in the VEX file uses **Markdown** formatting.
+      </text>
+    </annotation>
+  </annotations>
+</bom>