PR
https://github.com/apache/jena/pull/710
This addresses CVE-2019-17571 except for jena-jdbc which still
depends on log4j1.
But Jena no longer ships log4j1 so I propose we can mark the security
alert (only PMC members can see the GH security alerts) as "risk is
tolerable" (the relevant part of log4j1 is the socket server which Jena
itself has not used) and have a ticket about jena-jdbc even if after
discussion it is "no action" (Rob? OK?)
I've just had an Eclipse update and it is now showing many compiler
warnings, all of which are easy automatic fixes (Eclipse fixed a
situation that was holding up reporting all warnings).
A follow-up PR:
https://github.com/apache/jena/pull/711
General information:
I'm also working with Java 14-ea, as well as Java8, and details of
networking exceptions have changed which cause some output and some
change in behaviour in a side project - now fixed so Jena conforms and
with effect on a Java8 build/runtime.
Current build state:
1/ jena-text-es tests have a lot of output.
2/ The Shiro jars have overlapping classes which provokes shading errors
and also errors when running the Fuseki war file with jetty-runner (and
maybe other setups). But to get a fixed Shiro (there was a CVE) we need
this version.
3/ A batch of
"""
Warning: Nashorn engine is planned to be removed from a future JDK release
"""
4/ Some other warnings - nothing worrying.
Andy