{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://stellaops.example/vex/2025-12-13/CVE-2021-44228-affected", "author": "StellaOps Policy Engine", "role": "automated-scanner", "timestamp": "2025-12-13T10:00:00Z", "version": 1, "tooling": "StellaOps/1.0.0", "statements": [ { "vulnerability": { "@id": "CVE-2021-44228", "name": "CVE-2021-44228", "description": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints." }, "products": [ { "@id": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd", "identifiers": { "purl": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd" }, "subcomponents": [ { "@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", "identifiers": { "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" } } ] } ], "status": "affected", "justification": "vulnerable_code_in_container", "impact_statement": "Vulnerable Log4j error() method is reachable from main entry point via processRequest(). Runtime probes confirm 47 invocations observed.", "action_statement": "Upgrade to log4j 2.17.1 or later. As a workaround, set log4j2.formatMsgNoLookups=true; this is only a partial, temporary mitigation that does not disable every lookup code path, so the upgrade is still required.", "stellaops:reachability": { "state": "CR", "state_description": "ConfirmedReachable", "confidence": 0.92, "graph_hash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", "graph_cas_uri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", "dsse_uri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2.dsse", "path": [ { "symbol_id": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm", "code_id": "code:java:Y29kZS1tYWluLTEyMzQ1Njc4OTBhYmM", "display": "com.example.app.Main.main(String[])", "purl": "pkg:maven/com.example/app@1.0.0" }, { "symbol_id": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm", "code_id": "code:java:Y29kZS1wcm9jZXNzLWFiY2RlZjEy", "display": "com.example.app.RequestHandler.processRequest(HttpRequest)", "purl": "pkg:maven/com.example/app@1.0.0" }, { "symbol_id": "sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q", "code_id": "code:java:Y29kZS1sb2ctMTIzNDU2Nzg5MGFiY2Q", "display": "org.apache.logging.log4j.Logger.error(String, Object...)", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1" } ], "path_length": 3, "evidence": { "static": { "graph_hash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", "path_length": 3, "confidence": 0.92 }, "runtime": { "probe_id": "probe:jfr:scan-123-001", "hit_count": 47, "observed_at": "2025-12-13T09:45:00Z", "observation_window": "24h" } }, "fact_digest": "sha256:e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6", "fact_version": 3, "analyzer": { "name": "scanner.java", "version": "1.2.0" } } } ] }