rvesse commented on issue #3561: URL: https://github.com/apache/jena/issues/3561#issuecomment-3484951605
> (What I don't understand is why the github security scan hasn't notified this situation.)

Note that the CVE in question appears to relate to Eclipse Parsson not `jakarta.json` as the ticket title suggests. And the version numbers for Parsson stated in the CVE have no relation to the Jakarta JSON version numbers you are noting here. I guess maybe Parsson was forked from Jakarta JSON and the vulnerable code still exists in Jakarta JSON?

Security scanning tools vary in their accuracy and can suffer from both false positives and negatives. It would be useful to have the following information to investigate further:

- The `mvn dependency:tree` for your project showing the path to the affected dependency (to verify which dependency is actually affected)
- The security scanner results (ideally in a portable format like SARIF JSON)

As already noted usually the way downstream consumers of Jena resolve issues like this is to exclude the affected dependencies in their own `pom.xml` (or equivalent) and add explicit dependencies on the newer versions they prefer (assuming those newer versions are compatible)

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
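The exclude-and-pin approach the comment describes, as an added `pom.xml` example that is not from the Jena project or the commenter. It assumes the scanner traced the flagged artifact to `org.eclipse.parsson:parsson` reached transitively via `org.apache.jena:apache-jena-libs`; both version strings are placeholders to be replaced with the versions you have verified.

```xml
<!-- Added example, not Jena project code. Assumes the flagged artifact is
     org.eclipse.parsson:parsson pulled in transitively by apache-jena-libs;
     the version values below are placeholders, not real release numbers. -->
<dependencies>
  <dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>JENA_VERSION_PLACEHOLDER</version>
    <type>pom</type>
    <exclusions>
      <!-- Remove the transitive copy the scanner reported -->
      <exclusion>
        <groupId>org.eclipse.parsson</groupId>
        <artifactId>parsson</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Re-add it explicitly at the version you have confirmed is fixed and
       compatible with your Jena release. Confirm the result with:
       mvn dependency:tree -Dincludes=org.eclipse.parsson -->
  <dependency>
    <groupId>org.eclipse.parsson</groupId>
    <artifactId>parsson</artifactId>
    <version>FIXED_PARSSON_VERSION_PLACEHOLDER</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>
```

After the change, re-run the scanner and the `dependency:tree` command to confirm only the pinned version remains on the classpath; if a second path to the old version appears in the tree, that path needs its own exclusion.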
