@ppkarwasz (Contributor)

This is the vdr.xml equivalent of the changes introduced in #6. Therefore, it requires #6 to be merged first.

@vy (Member) left a comment

What is the purpose of latest.xml, easy diff'ing?

@ppkarwasz (Contributor, Author)

> What is the purpose of latest.xml, easy diff'ing?

Exactly, the way we currently do it (new document at each update), you need to checkout the commit to see the differences.

@vy (Member) commented Jan 29, 2025

@ppkarwasz, since version 2 was incorrectly bumped, can we override 2.xml instead of creating a new file and version?

@ppkarwasz ppkarwasz marked this pull request as ready for review August 17, 2025 11:43
- Removed URL references related to the abandoned
  [BOM Exchange API proposal](https://github.com/CycloneDX/transparency-exchange-api/tree/bomexchangeapi),
  which was never accepted.
- Our SBOMs have always only referenced `/cyclonedx/vdr.xml`,
  so these links were unused and unnecessary.

This cleanup simplifies the website structure and ensures we can take fuller advantage of version control.

- Restores version 1 of the VDR as `vdr.xml`, reverting
  the complex structure introduced in commit
  620e96c.
- This commit can be tagged as `vdr-1` for reference.

- Restores version 2 of the VDR as `vdr.xml`, making it easier
  to compare changes against version 1.
- This commit can be tagged as `vdr-2` for future reference.

- Updated `vdr.xml` to align with the proofread versioning details
  from PR #7.
- Introduced a `<metadata>` element to record contact information
  for the Apache Logging Services PMC and Security Team, as well as
  the timestamp of the last modification.
- Refreshed the `<updated>` timestamps in all modified `<vulnerability>` entries.
- Added inline comment with instructions on how to properly
  update and maintain the VDR file.
@ppkarwasz ppkarwasz force-pushed the doc/cyclonedx-vulnerability branch from e0c49f7 to 5296e96 on August 17, 2025 12:33
@ppkarwasz (Contributor, Author)

Hi @vy,

I rebased this PR on top of the changes from #12, which simplified the VDR structure by removing the obsolete BOM Exchange API directory.

That should make verification easier: you only need to review commit 5296e96.

On versioning: I think we should release version 3, even though bumping to 2 in #2 was a mistake (since it only changed comments). Some (even if purely theoretical) consumers may already have recorded 2 as the latest VDR version, and re-issuing a different 2 would prevent them from picking up updates.

@ppkarwasz ppkarwasz requested a review from vy August 17, 2025 12:40
Update the contact information based on review feedback.
@ppkarwasz ppkarwasz merged commit e9ccda8 into cyclonedx Aug 22, 2025
ppkarwasz added a commit that referenced this pull request Aug 22, 2025
* feat: proofread CVE fix versions in `vdr.xml`

- Updated `vdr.xml` to align with the proofread versioning details
  from PR #7.
- Introduced a `<metadata>` element to record contact information
  for the Apache Logging Services PMC and Security Team, as well as
  the timestamp of the last modification.
- Refreshed the `<updated>` timestamps in all modified `<vulnerability>` entries.
- Added inline comment with instructions on how to properly
  update and maintain the VDR file.

* fix: restore original update date for CVE-2021-45105

* fix: update contact information

Update the contact information based on review feedback.
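The commit message above describes what a maintained `vdr.xml` has to carry: a `<metadata>` timestamp, an `<updated>` stamp on every modified `<vulnerability>`, and a document version that only moves forward. The script below is an added example, not code from the Apache Logging Services project, that checks those invariants on a constructed VDR and also flags entries whose `<updated>` moved between two versions although their content did not, which is the mistake the "restore original update date for CVE-2021-45105" fix corrects. It assumes the CycloneDX 1.5 XML namespace and the element names `metadata/timestamp`, `vulnerability/id` and `vulnerability/updated`; the sample documents, all dates and the `CVE-EXAMPLE-*` ids are constructed.

```python
"""Consistency checks for a CycloneDX VDR document (vdr.xml).

Added example, not code from the Apache Logging Services project.
Assumes the CycloneDX 1.5 XML namespace and the element names
metadata/timestamp, vulnerability/id and vulnerability/updated.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"bom": "http://cyclonedx.org/schema/bom/1.5"}


def make_vdr(version, timestamp, entries):
    """Build a minimal VDR (constructed test data, not a real vdr.xml).

    entries: iterable of (id, description, updated-or-None).
    """
    vulns = "".join(
        f"<vulnerability><id>{vid}</id><description>{desc}</description>"
        + (f"<updated>{upd}</updated>" if upd else "")
        + "</vulnerability>"
        for vid, desc, upd in entries
    )
    return (
        f'<bom xmlns="{NS["bom"]}" version="{version}">'
        f"<metadata><timestamp>{timestamp}</timestamp></metadata>"
        f"<vulnerabilities>{vulns}</vulnerabilities></bom>"
    )


def parse_ts(text):
    """Parse an ISO-8601 timestamp; the documents write UTC with a trailing Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def check_vdr(xml_text):
    """Return a list of problems; an empty list means the document is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    version = root.get("version", "")
    if not version.isdigit() or int(version) < 1:
        problems.append("bom/@version must be a positive integer")
    ts_el = root.find("bom:metadata/bom:timestamp", NS)
    if ts_el is None or not ts_el.text:
        problems.append("metadata/timestamp is missing")
        return problems
    doc_ts = parse_ts(ts_el.text)
    for vuln in root.findall("bom:vulnerabilities/bom:vulnerability", NS):
        vid = vuln.findtext("bom:id", default="<no id>", namespaces=NS)
        upd = vuln.findtext("bom:updated", namespaces=NS)
        if upd is None:
            problems.append(f"{vid}: no <updated> element")
        elif parse_ts(upd) > doc_ts:
            # An entry cannot have been modified after the document itself.
            problems.append(f"{vid}: <updated> is later than metadata/timestamp")
    return problems


def fingerprint(el, skip=("updated",)):
    """Structural fingerprint of an element, ignoring <updated> children,
    so that timestamp-only changes can be told apart from content changes."""
    local = el.tag.rsplit("}", 1)[-1]
    kids = tuple(
        fingerprint(child, skip) for child in el
        if child.tag.rsplit("}", 1)[-1] not in skip
    )
    return (local, tuple(sorted(el.attrib.items())), (el.text or "").strip(), kids)


def spurious_updates(old_xml, new_xml):
    """Ids whose <updated> moved between two versions although nothing else
    in the entry changed (the case the 'restore original update date' fix addressed)."""
    def index(xml_text):
        root = ET.fromstring(xml_text)
        return {
            v.findtext("bom:id", namespaces=NS):
                (fingerprint(v), v.findtext("bom:updated", namespaces=NS))
            for v in root.findall("bom:vulnerabilities/bom:vulnerability", NS)
        }
    old, new = index(old_xml), index(new_xml)
    return sorted(
        vid for vid in old.keys() & new.keys()
        if old[vid][0] == new[vid][0] and old[vid][1] != new[vid][1]
    )


# Constructed versions 2 and 3; only the id CVE-2021-45105 comes from the PR,
# every date and every CVE-EXAMPLE id is made up.
VDR_V2 = make_vdr(2, "2022-01-05T00:00:00Z", [
    ("CVE-2021-45105", "entry text A", "2021-12-20T00:00:00Z"),
    ("CVE-EXAMPLE-0001", "entry text B", "2022-01-05T00:00:00Z"),
])
VDR_V3 = make_vdr(3, "2025-08-17T12:33:00Z", [
    ("CVE-2021-45105", "entry text A", "2025-08-17T12:33:00Z"),          # unchanged text, bumped date
    ("CVE-EXAMPLE-0001", "entry text B, revised", "2025-08-17T12:33:00Z"),  # real change
    ("CVE-EXAMPLE-0002", "entry text C", None),                          # forgot <updated>
])

if __name__ == "__main__":
    for name, doc in (("v2", VDR_V2), ("v3", VDR_V3)):
        print(name, check_vdr(doc) or "ok")
    print("spurious updates v2 -> v3:", spurious_updates(VDR_V2, VDR_V3))
```

Running the script reports the missing `<updated>` on the new entry in version 3 and lists `CVE-2021-45105` as a timestamp-only change between the two versions; the same two functions can be pointed at the real `vdr.xml` and its previous tagged revision (`vdr-2`) before a new version is published.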
@vy vy deleted the doc/cyclonedx-vulnerability branch December 30, 2025 20:52