Hi Andy,

The question I have is that if our application has a list of jars like:
jena-base-4.2.0.jar, jena-core-4.2.0.jar, jena-iri-4.2.0.jar, etc. Should they be flagged or not against either of these two CVEs? Which specific packages should the CVEs be updated with, so that only the impacted jars are flagged by CVE scans?

Colm.

On 2025/12/17 21:50:41 Andy Seaborne wrote:
>
>
> On 17/12/2025 16:29, Colm O hEigeartaigh wrote:
> > Hi Andy,
> >
> > I believe for https://github.com/advisories/GHSA-jq2c-m8gg-mqcm it was able
> > to determine the impacted maven packages by looking at the fixes in
> > https://github.com/apache/jena/commit/03c5265910aa3a27907bf54f6b4aaae3409afa4f.
>
> It didn't look hard enough.
>
> The fix is in two places. The other is that commit's parent.
> (two classes of the same name, different packages)
>
> There were two code lines at that version. old world/new world migration.
>
> Problem 1:
> This does not explain jena-fuseki which is not a jar file. It is the
> common maven parent but it does not contain any code and it's not a
> runtime dependence. packing=pom.
>
> > For https://github.com/advisories/GHSA-xg9p-p463-3qjp if you can clarify
> > what are the impacted packages I will open a PR to GitHub to update the
> > package information. Were the fixes limited to one or more maven modules?
>
> The delivery of Fuseki is also involved.
>
> Old world code:
>
> org.apache.jena.jena-fuseki-webapp -- binary jar file and sources.jar
> org.apache.jena.jena-fuseki-war -- a war file.
> org.apache.jena.jena-fuseki-fulljar -- a shaded jar - not in 5.5.0
>
> Current world code:
> org.apache.jena.jena-fuseki-main -- binary jar file and sources.jar
> org.apache.jena.jena-fuseki-server -- a shaded jar file,
> different to the one above.
> apache-jena-fuseki - a zip/tar.gz file
>
> And the source-release
> org.apache.jena.jena
>
> Problem 2:
> NB being shaded jars, the uploaded POM does not refer to the dependencies.
>
> Still don't know where jena-core comes into it.
>
> Andy
>
> CVE-2025-49656 was reported to the project.
> CVE-2025-50151 was discovered by the project.
>
> >
> > Colm.
> >
> > On 2025/12/17 15:34:23 Andy Seaborne wrote:
> >> Colm,
> >>
> >> I don't know where github gets the package information. It's not in the
> >> CVE.
> >>
> >> Do you know how the github advisories are produced?
> >>
> >> As maven artifacts:
> >>
> >> org.apache.jena:jena is the source release.
> >>
> >> org.apache.jena:jena-fuseki is the parent POM for Fuseki.
> >>
> >> Not sure where jena-core comes in. The issues are not in jena-core.
> >> jena-core is just one jar that makes up a release. jena-core on its own
> >> doesn't do much and its RDF readers are just enough to make the tests
> >> work.
> >>
> >> The project makes one release per version with all the binaries - the
> >> source release includes source for everything. No distinction between
> >> library use or a Fuseki server.
> >>
> >> Both CVEs are related to Fuseki functionality but running a mixture of
> >> jars from different versions is not supported nor tested.
> >>
> >> org.apache.jena:apache-jena-libs is the POM that brings in the jars for
> >> general library use.
> >>
> >> org.apache.jena:apache-jena-fuseki is the usual Fuseki download zip.
> >>
> >> org.apache.jena:jena-fuseki-server is the shaded jar.
> >>
> >> Andy
> >>
> >> On 17/12/2025 12:09, Colm O hEigeartaigh wrote:
> >>> Hi,
> >>>
> >>> Looking at https://jena.apache.org/security/advisories.html both recent
> >>> CVEs refer to Jena Fuseki:
> >>>
> >>> - CVE-2025-50151 affects Jena Fuseki in versions up to 5.4.0.
> >>> - CVE-2025-49656 affects Jena Fuseki in versions up to 5.4.0.
> >>>
> >>> The GitHub Advisory DB for the latter
> >>> (https://github.com/advisories/GHSA-jq2c-m8gg-mqcm) references
> >>> org.apache.jena:jena-fuseki as the impacted package. However for the
> >>> first CVE it references
> >>> (https://github.com/advisories/GHSA-xg9p-p463-3qjp) org.apache.jena:jena.
> >>>
> >>> This is leading to tools like Trivy finding no vulnerability in
> >>> jena-core, as the advisory is only matched against the Jena jar. I'm not
> >>> sure if it should match against only jena-fuseki or all Jena jars.
> >>>
> >>> Please review what the impacted packages are for both CVEs.
> >>>
> >>> Thanks,
> >>>
> >>> Colm.
> >>>
> >>
> >>
> >
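As an added illustration of the mismatch this thread is about (my own example, not code from the Jena project or from either poster): a scanner-style matcher that maps jar file names to Maven coordinates and compares them with an advisory's affected packages, plus a check for affected entries that can never appear as a jar on a classpath. The classpath, the packaging table and the jena-fuseki-main candidate entry are assumptions built from the artifacts named in the thread, not the project's determination of which modules are impacted.

```python
import re

# Added example (not Jena project code): map jar names to Maven coordinates, match
# them against an advisory's "affected" list, and flag entries that are never jars.

JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")
GROUP = "org.apache.jena"

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def jar_coordinates(jar_name):
    """'jena-core-4.2.0.jar' -> ('org.apache.jena:jena-core', (4, 2, 0)), else None."""
    m = JAR_RE.match(jar_name)
    return (f"{GROUP}:{m['artifact']}", parse_version(m["version"])) if m else None

def flagged_jars(jars, affected):
    """Jars whose coordinate is in `affected` (coordinate -> last vulnerable
    version) at a version within that range."""
    hits = []
    for jar in jars:
        coords = jar_coordinates(jar)
        if coords and coords[0] in affected and coords[1] <= parse_version(affected[coords[0]]):
            hits.append(jar)
    return hits

def unmatchable_entries(affected, packaging):
    """Affected entries whose artifact is not shipped as a jar (pom parent, source
    release, war, zip); a jar-based scanner cannot match these on a classpath."""
    return sorted(c for c in affected if packaging.get(c) != "jar")

# Constructed classpath: the 4.2.0 jar names from the thread plus two assumed
# jena-fuseki-main jars either side of the "up to 5.4.0" boundary.
APPLICATION_JARS = ["jena-base-4.2.0.jar", "jena-core-4.2.0.jar", "jena-iri-4.2.0.jar",
                    "jena-fuseki-main-5.4.0.jar", "jena-fuseki-main-5.5.0.jar"]
# Packaging per artifact as described in the thread.
PACKAGING = {f"{GROUP}:jena": "source-release", f"{GROUP}:jena-fuseki": "pom",
             f"{GROUP}:jena-fuseki-war": "war", f"{GROUP}:apache-jena-fuseki": "zip",
             f"{GROUP}:jena-fuseki-main": "jar", f"{GROUP}:jena-fuseki-server": "jar"}
# The entries the two GitHub advisories carry between them today (from the thread)...
PUBLISHED_AFFECTED = {f"{GROUP}:jena": "5.4.0", f"{GROUP}:jena-fuseki": "5.4.0"}
# ...and a hypothetical list naming a runtime jar instead. Which modules are really
# impacted is for the project to confirm; this entry is an illustration only.
CANDIDATE_AFFECTED = {f"{GROUP}:jena-fuseki-main": "5.4.0"}

if __name__ == "__main__":
    print("unmatchable published entries:", unmatchable_entries(PUBLISHED_AFFECTED, PACKAGING))
    print("flagged (published):", flagged_jars(APPLICATION_JARS, PUBLISHED_AFFECTED))
    print("flagged (candidate):", flagged_jars(APPLICATION_JARS, CANDIDATE_AFFECTED))
```

With the published entries nothing on the classpath is flagged, which is the Trivy behaviour Colm reports; only an entry naming an artifact that is actually shipped as a jar produces a match.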
