Hi,

Looking at https://jena.apache.org/security/advisories.html both recent CVEs refer to Jena Fuseki:

- CVE-2025-50151 affects Jena Fuseki in versions up to 5.4.0.
- CVE-2025-49656 affects Jena Fuseki in versions up to 5.4.0.

The GitHub Advisory DB for the latter (https://github.com/advisories/GHSA-jq2c-m8gg-mqcm) references org.apache.jena:jena-fuseki as the impacted package. However, for the first CVE it references (https://github.com/advisories/GHSA-xg9p-p463-3qjp) org.apache.jena:jena. This is leading to tools like Trivy finding no vulnerability in jena-core, as the advisory is only matched against the Jena jar. I'm not sure if it should match against only jena-fuseki or all Jena jars.

Please review what the impacted packages are for both CVEs.

Thanks,
Colm.
