Hi Andy,

I believe for https://github.com/advisories/GHSA-jq2c-m8gg-mqcm it was able to determine the impacted maven packages by looking at the fixes in https://github.com/apache/jena/commit/03c5265910aa3a27907bf54f6b4aaae3409afa4f.

For https://github.com/advisories/GHSA-xg9p-p463-3qjp, if you can clarify what the impacted packages are, I will open a PR to GitHub to update the package information. Were the fixes limited to one or more maven modules?

Colm.

On 2025/12/17 15:34:23 Andy Seaborne wrote:
> Colm,
>
> I don't know where github gets the package information. It's not in the CVE.
>
> Do you know how the github advisories are produced?
>
> As maven artifacts:
>
> org.apache.jena:jena is the source release.
>
> org.apache.jena:jena-fuseki is the parent POM for Fuseki.
>
> Not sure where jena-core comes in. The issues are not in jena-core.
> jena-core is just one jar that makes up a release. jena-core on its own
> doesn't do much and its RDF readers are just enough to make the tests work.
>
> The project makes one release per version with all the binaries - the
> source release includes source for everything. No distinction between
> library use or a Fuseki server.
>
> Both CVEs are related to Fuseki functionality but running a mixture of
> jars from different versions is not supported nor tested.
>
> org.apache.jena:apache-jena-libs is the POM that brings in the jars for
> general library use.
>
> org.apache.jena:apache-jena-fuseki is the usual Fuseki download zip.
>
> org.apache.jena:jena-fuseki-server is the shaded jar.
>
> Andy
>
> On 17/12/2025 12:09, Colm O hEigeartaigh wrote:
> > Hi,
> >
> > Looking at https://jena.apache.org/security/advisories.html both recent
> > CVEs refer to Jena Fuseki:
> >
> > - CVE-2025-50151 affects Jena Fuseki in versions up to 5.4.0.
> > - CVE-2025-49656 affects Jena Fuseki in versions up to 5.4.0.
> >
> > The GitHub Advisory DB for the latter
> > (https://github.com/advisories/GHSA-jq2c-m8gg-mqcm) references
> > org.apache.jena:jena-fuseki as the impacted package. However for the first
> > CVE it references (https://github.com/advisories/GHSA-xg9p-p463-3qjp)
> > org.apache.jena:jena.
> >
> > This is leading to tools like Trivy finding no vulnerability in jena-core,
> > as the advisory is only matched against the Jena jar. I'm not sure if it
> > should match against only jena-fuseki or all Jena jars.
> >
> > Please review what the impacted packages are for both CVEs.
> >
> > Thanks,
> >
> > Colm.
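The following is an added example, not part of the thread above or of the Jena project, illustrating the matching behaviour Colm describes: a scanner compares the Maven coordinates it finds (groupId:artifactId plus version) against the `affected` entries of an OSV/GHSA-style advisory by exact package name, so an artifact such as `org.apache.jena:jena-core` is never flagged when the advisory only lists `org.apache.jena:jena`. The two advisory records in the code are constructed to mirror what the thread states (which package each GHSA names, affected versions up to 5.4.0); they are not copies of the real GitHub Advisory Database entries, and the version comparison is deliberately simplified.

```python
"""Added example (not from the mailing-list thread or the Jena project):
how an OSV/GHSA-style advisory is matched against Maven coordinates, and
why org.apache.jena:jena-core is not flagged when an advisory names only
org.apache.jena:jena.

The ADVISORIES data below is CONSTRUCTED from what the thread says
(GHSA-xg9p-p463-3qjp names org.apache.jena:jena, GHSA-jq2c-m8gg-mqcm names
org.apache.jena:jena-fuseki, affected up to 5.4.0). It is not a copy of
the real GitHub Advisory Database records.
"""
from __future__ import annotations

# Constructed advisories in the OSV "affected" shape used by the GitHub
# Advisory Database: ecosystem + package name + version range events.
ADVISORIES = [
    {
        "id": "GHSA-xg9p-p463-3qjp",
        "aliases": ["CVE-2025-50151"],
        "affected": [
            {
                "package": {"ecosystem": "Maven", "name": "org.apache.jena:jena"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"last_affected": "5.4.0"}]}],
            }
        ],
    },
    {
        "id": "GHSA-jq2c-m8gg-mqcm",
        "aliases": ["CVE-2025-49656"],
        "affected": [
            {
                "package": {"ecosystem": "Maven", "name": "org.apache.jena:jena-fuseki"},
                "ranges": [{"type": "ECOSYSTEM",
                            "events": [{"introduced": "0"}, {"last_affected": "5.4.0"}]}],
            }
        ],
    },
]


def version_key(v: str) -> tuple[int, ...]:
    """Numeric-only comparison key. Adequate for x.y.z releases; a real
    scanner must implement Maven's full qualifier ordering (-SNAPSHOT, -rc1, ...)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, events: list[dict]) -> bool:
    """Evaluate OSV range events: introduced <= version, and version < fixed
    or version <= last_affected, whichever of those the advisory provides."""
    introduced = fixed = last_affected = None
    for ev in events:
        introduced = ev.get("introduced", introduced)
        fixed = ev.get("fixed", fixed)
        last_affected = ev.get("last_affected", last_affected)
    key = version_key(version)
    if introduced is not None and key < version_key(introduced):
        return False
    if fixed is not None and key >= version_key(fixed):
        return False
    if last_affected is not None and key > version_key(last_affected):
        return False
    return True


def matching_advisories(coords: str, version: str) -> list[str]:
    """Return advisory ids whose Maven package name equals `coords`
    (groupId:artifactId) and whose range covers `version`.

    The name match is exact: a scanner has no way of knowing that
    org.apache.jena:jena is a source release whose code ships as jena-core,
    jena-arq, ... unless the advisory lists those artifacts explicitly."""
    hits = []
    for adv in ADVISORIES:
        for aff in adv["affected"]:
            pkg = aff["package"]
            if pkg["ecosystem"] != "Maven" or pkg["name"] != coords:
                continue
            if any(in_range(version, r["events"]) for r in aff["ranges"]):
                hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    for c in ("org.apache.jena:jena", "org.apache.jena:jena-core",
              "org.apache.jena:jena-fuseki", "org.apache.jena:jena-fuseki-server"):
        print(f"{c}:5.4.0 -> {matching_advisories(c, '5.4.0')}")
```

Run stand-alone, the script reports a hit for `org.apache.jena:jena:5.4.0` and for `org.apache.jena:jena-fuseki:5.4.0`, but nothing for `jena-core` or `jena-fuseki-server` at the same version, which is exactly the gap that makes the choice of package names in the advisory record matter for downstream scanners.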
