Hi there, I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the latest version: https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
This image still contains log4j vulnerabilities from version 2.16.0. These are supposed to be fixed in version 2.17.1. I also had to upgrade versions in the Dockerfile for openjdk and alpine to get rid of more vulnerabilities:

ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0

1) Is there a way to set the log4j version yourself?
2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?

Regards, Erik

scan.log
- - - - - -
Testing docker.io/library/fuskeki-local...

Tested 58 dependencies for known issues, found 3 issues.

Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.13.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 > com.fasterxml.jackson.core:jackson-databind@2.13.0
  This issue was fixed in versions: 2.13.1, 2.12.6

  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in org.apache.logging.log4j:log4j-core@2.16.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0

  ✗ Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in org.apache.logging.log4j:log4j-core@2.16.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
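The scan above reports versions from the dependency graph of the jena-fuseki-server artifact. Before and after rebuilding an image, a practitioner usually wants to confirm which log4j-core and jackson-databind the jar on disk actually bundles, because the Fuseki server jar ships its dependencies inside itself (a shaded jar keeps each dependency's Maven pom.properties under META-INF/maven/). The following is an added example, not part of Erik's post or of the Jena project: it reads those pom.properties entries, recurses into nested jars, and flags anything below the "fixed in" versions quoted in the scan (2.17.1 for log4j-core, 2.13.1 for jackson-databind). The sample jar it builds when run without arguments is constructed inline to mimic that layout and is not a real Fuseki artifact.

```python
"""Audit the log4j-core / jackson-databind versions bundled inside a (shaded) jar.

Added example, not code from the original post or from Apache Jena.
Usage: python audit_jar.py path/to/jena-fuseki-server-4.3.2.jar
Without an argument it audits a constructed sample jar (see build_sample_jar).
"""
import io
import sys
import zipfile
from pathlib import Path

# Minimum versions taken from the "fixed in" lines of the scan output in the post.
# Assumption: for each coordinate we accept only the newest listed fixed version or later.
MIN_FIXED = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.1",
}


def parse_version(version):
    """Turn '2.17.1' into (2, 17, 1); non-numeric parts (e.g. '-SNAPSHOT') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.replace("-", ".").split("."))


def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def bundled_artifacts(jar_bytes):
    """Map 'groupId:artifactId' -> version for every pom.properties in the jar.

    Nested jars (e.g. WEB-INF/lib/*.jar in a war) are scanned recursively, so a
    dependency hidden one level down is still reported.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found[f"{props['groupId']}:{props['artifactId']}"] = props["version"]
            elif name.endswith(".jar"):
                found.update(bundled_artifacts(zf.read(name)))
    return found


def audit(jar_bytes, minimums=MIN_FIXED):
    """Return [(coordinate, bundled_version, minimum_fixed_version)] for outdated artifacts."""
    artifacts = bundled_artifacts(jar_bytes)
    findings = []
    for coord, minimum in minimums.items():
        if coord in artifacts and parse_version(artifacts[coord]) < parse_version(minimum):
            findings.append((coord, artifacts[coord], minimum))
    return findings


def build_sample_jar(log4j_version, jackson_version):
    """Constructed sample: a shaded-jar layout with one nested jar. Not a real Fuseki jar."""
    def pom(group, artifact, version):
        return f"#Generated by Maven\nversion={version}\ngroupId={group}\nartifactId={artifact}\n"

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("META-INF/maven/org.apache.jena/jena-core/pom.properties",
                     pom("org.apache.jena", "jena-core", "4.3.2"))

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    pom("org.apache.logging.log4j", "log4j-core", log4j_version))
        zf.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                    pom("com.fasterxml.jackson.core", "jackson-databind", jackson_version))
        zf.writestr("WEB-INF/lib/jena-core.jar", inner.getvalue())  # exercises the recursion
    return buf.getvalue()


if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else build_sample_jar("2.16.0", "2.13.0")
    findings = audit(data)
    for coord, have, need in findings:
        print(f"{coord}: bundled {have}, fixed in {need}")
    sys.exit(1 if findings else 0)
```

Point it at the jar inside the container (for example via `docker cp`) rather than at the Maven download, so the check reflects what the image runs; a non-zero exit makes it usable as a build gate.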