Active Evaluation FINOS Labs This material is provisional and has not been published as a formal FINOS standard.

Examples

These examples are intentionally concise and implementation-oriented. They are meant to help providers publish consistent patch evidence and help enterprise recipients automate ingestion.

See also OSERA Commit Evidence for concrete examples from public finos-osera/backpatch-* repositories and Backpatch Release Tags for the current release-tag inventory.

Backpatch repository shape

github.com/finos-osera/backpatch-spring-framework
  branch: backpatch/5.3.x
  tag: v5.3.39+backpatch.baseline
  release: v5.3.39+backpatch.001

Patch evidence bundle

patch:
  provider: Moderne
  repository: https://github.com/finos-osera/backpatch-spring-framework
  branch: backpatch/5.3.x
  baseline_tag: v5.3.39+backpatch.baseline
  release_version: 5.3.39+backpatch.001
  basis:
    type: upstream-backport
    upstream_commit: https://github.com/spring-projects/spring-framework/commit/example
  compatibility:
    bytecode_source: last-released-artifact
    bytecode_level: 8
  recipient_guidance:
    what_changed:
      - Tightened parsing of affected input path.
      - Added regression coverage for malicious payload handling.
    suggested_test_surface:
      - Applications using the affected parser or endpoint.
      - Integration tests that exercise custom serialization or deserialization.
      - Smoke tests for dependent frameworks that wrap the affected API.

Feed statement sketch

OpenVEX and CycloneDX examples should identify the patched artifact, vulnerability, status, and provenance links. The exact schema should be maintained in feed-specific examples as the working group converges.

OpenVEX-style example

{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vex.example.org/openvex/example-1.0.0+backpatch.001.json",
  "author": "Example Patch Provider <security@example.org>",
  "timestamp": "2026-07-10T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": {
        "name": "CVE-2026-0001",
        "aliases": ["GHSA-example-example-example"]
      },
      "products": [
        {
          "@id": "pkg:maven/org.example/example-lib@1.0.0%2Bbackpatch.001",
          "identifiers": {
            "purl": "pkg:maven/org.example/example-lib@1.0.0%2Bbackpatch.001"
          },
          "hashes": {
            "sha-256": "..."
          }
        }
      ],
      "status": "fixed",
      "action_statement": "CVE-2026-0001 fixed by backporting the upstream fix onto the 1.0.0 baseline."
    }
  ]
}

CycloneDX-style example

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2026-0001",
      "source": {
        "name": "NVD",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0001"
      },
      "analysis": {
        "state": "resolved_with_pedigree",
        "detail": "Fixed by backporting the upstream fix onto the 1.0.0 baseline; see component pedigree."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.example/example-lib@1.0.0%2Bbackpatch.001"
        }
      ]
    }
  ]
}