vwegert-adesso commented on issue #3561: URL: https://github.com/apache/jena/issues/3561#issuecomment-3496136349
> I guess maybe Parsson was forked from Jakarta JSON and the vulnerable code still exists in Jakarta JSON?

That is my current working hypothesis as well.

> Security scanning tools vary in their accuracy and can suffer from both false positives and negatives. It would be useful to have the following information to investigate further:

We're currently checking what information we can provide.

> As already noted, usually the way downstream consumers of Jena resolve issues like this is to exclude the affected dependencies in their own `pom.xml` (or equivalent) and add explicit dependencies on the newer versions they prefer (assuming those newer versions are compatible).

This is our current approach as well, but I'd say it would be preferable if these kinds of workarounds were not needed in the first place.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
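The exclude-and-override workaround that the quoted reply describes, shown as an added example for readers of this thread (it is not code from the Jena project or from either commenter). The consumer artifact coordinates, the choice of `apache-jena-libs` as the Jena artifact that pulls Parsson in transitively, and the version placeholders are assumptions; the thread names no fixed versions, so the values must come from your own scanner findings and compatibility testing.

```xml
<!-- Added example, not from the Jena issue thread. A downstream consumer's
     pom.xml that removes the transitive Parsson artifact and declares the
     preferred version itself. com.example coordinates, the assumption that
     Parsson arrives via apache-jena-libs, and all version values are
     placeholders chosen for illustration. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>jena-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Placeholders: the Jena release you build against and the Parsson
         release your scanner reports as fixed. Neither comes from the thread. -->
    <jena.version>X.Y.Z</jena.version>
    <parsson.version>A.B.C</parsson.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.apache.jena</groupId>
      <artifactId>apache-jena-libs</artifactId>
      <version>${jena.version}</version>
      <type>pom</type>
      <exclusions>
        <!-- Step 1: keep the transitive Parsson out of the build. This assumes
             apache-jena-libs is the path it arrives by; confirm with the
             dependency tree, because an exclusion only applies to the edge
             it is declared on. -->
        <exclusion>
          <groupId>org.eclipse.parsson</groupId>
          <artifactId>parsson</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Step 2: add the newer version explicitly, so Jena still finds a
         JSON-P implementation on the classpath at runtime. -->
    <dependency>
      <groupId>org.eclipse.parsson</groupId>
      <artifactId>parsson</artifactId>
      <version>${parsson.version}</version>
    </dependency>
  </dependencies>
</project>
```

Check that the override actually took effect with `mvn dependency:tree -Dincludes=org.eclipse.parsson`: the tree should list only the version you declared. If Parsson also reaches the build through a second Jena module, either add the same exclusion there or pin the version once under `<dependencyManagement>`, which Maven applies to transitive dependencies with those coordinates regardless of path. As the quoted reply says, the override is only safe if the newer release is compatible with the Jena version in use; run your test suite after changing it.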
