Piotr P. Karwasz, Apache Logging Services

Apache Solr is a high-performance, open-source search platform used in everything from on-premises enterprise systems to large-scale online services. With over 400 dependencies, managing security vulnerabilities—especially those reported in third-party libraries—is a constant challenge.

To address this, the Solr project generates machine-readable Vulnerability Exploitability eXchange (VEX) files to help users understand which vulnerabilities are actually exploitable. These VEX files not only inform users but also support more efficient release planning within the Solr project—ensuring that volunteer time isn’t spent on unnecessary releases and users aren’t burdened with avoidable redeployments.

In this talk, we’ll present the “VEX Generation at Scale” initiative, funded by the OpenSSF Alpha-Omega Project, which integrates automated reachability analysis from OpenRefactory to produce machine-assisted VEX data. These are then reviewed by the Apache Solr team, significantly reducing manual effort and accelerating response times.
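As an added example (not code from the talk or from the Solr project), here is the consumer-side check that a VEX file is meant to enable: a small Python script reads a constructed CycloneDX VEX document and sorts each vulnerability into act / watch / ignore buckets, treating a `not_affected` entry as closed only when it carries a justification such as `code_not_reachable`, the kind of verdict a reachability analysis produces. The CycloneDX VEX format, the vulnerability ids and the package references are assumptions made for the example.

```python
import json

# Constructed CycloneDX VEX document (not a real Solr artifact); ids and refs are placeholders.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "EXAMPLE-2025-0001",
         "affects": [{"ref": "pkg:maven/example/lib-a@1.0"}],
         "analysis": {"state": "not_affected",
                      "justification": "code_not_reachable",
                      "detail": "Vulnerable method is never called from the application."}},
        {"id": "EXAMPLE-2025-0002",
         "affects": [{"ref": "pkg:maven/example/lib-b@2.3"}],
         "analysis": {"state": "exploitable", "response": ["update"]}},
        {"id": "EXAMPLE-2025-0003",
         "affects": [{"ref": "pkg:maven/example/lib-c@0.9"}],
         "analysis": {"state": "in_triage"}},
        {"id": "EXAMPLE-2025-0004",
         "affects": [{"ref": "pkg:maven/example/lib-d@4.1"}]},  # no analysis recorded yet
    ],
})

# CycloneDX analysis states a consumer may treat as "no action required".
CLOSED_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}


def triage(vex_json: str) -> dict:
    """Split a CycloneDX VEX document into action buckets keyed by vulnerability id.

    Returns {"act": [...], "watch": [...], "ignore": [...]}.
    A not_affected verdict is only ignored when it carries a justification; an
    unjustified verdict or a missing analysis is conservatively kept open.
    """
    doc = json.loads(vex_json)
    buckets = {"act": [], "watch": [], "ignore": []}
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        justified = state != "not_affected" or bool(analysis.get("justification"))
        if state in CLOSED_STATES and justified:
            buckets["ignore"].append(vuln["id"])
        elif state == "exploitable":
            buckets["act"].append(vuln["id"])
        else:
            buckets["watch"].append(vuln["id"])  # in_triage, unknown state, or no analysis
    return buckets


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VEX), indent=2))
```

Only the `act` bucket calls for an upgrade or redeployment; the `watch` bucket is what the upstream review step described in the talk is meant to shrink.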

We’ll also explore real-world outcomes—how past incidents might have been handled differently with this tooling, and how it shapes the Solr ecosystem’s response to any vulnerabilities discovered during the course of the initiative.
