Posted to pr@jena.apache.org by "suguds (via GitHub)" <gi...@apache.org> on 2024/02/01 02:41:13 UTC

[PR] fix(sec): upgrade org.apache.jena:jena-arq to 4.9.0 [jena]

suguds opened a new pull request, #2234:
URL: https://github.com/apache/jena/pull/2234

   ### What happened?
   There is 1 security vulnerability found in org.apache.jena:jena-arq 4.8.0
   - [CVE-2023-32200](https://www.oscs1024.com/hd/CVE-2023-32200)
   
   
   ### What did I do?
   Upgrade org.apache.jena:jena-arq from 4.8.0 to 4.9.0 for vulnerability fix
   
   ### What did you expect to happen?
   Ideally, no insecure libs should be used.
   
   ### How can we automate the detection of these types of issues?
   By using the [GitHub Actions](https://github.com/murphysecurity/actions) configurations provided by murphysec, we can conduct automatic code security checks in our CI pipeline.
   
   ### The specification of the pull request
   [PR Specification](https://www.oscs1024.com/docs/pr-specification/) from OSCS


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: pr-unsubscribe@jena.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: pr-unsubscribe@jena.apache.org
For additional commands, e-mail: pr-help@jena.apache.org


Re: [PR] fix(sec): upgrade org.apache.jena:jena-arq to 4.9.0 [jena]

Posted by "rvesse (via GitHub)" <gi...@apache.org>.
rvesse closed pull request #2234: fix(sec): upgrade org.apache.jena:jena-arq to 4.9.0
URL: https://github.com/apache/jena/pull/2234




Re: [PR] fix(sec): upgrade org.apache.jena:jena-arq to 4.9.0 [jena]

Posted by "rvesse (via GitHub)" <gi...@apache.org>.
rvesse commented on PR #2234:
URL: https://github.com/apache/jena/pull/2234#issuecomment-1920883801

   Thanks for the PR but in this case we cannot accept it.
   
   The module containing the `4.8.0` dependency is purely a benchmarking module used to compare performance numbers between the old version of one of our core API implementations with a newer version that was introduced from `4.9.0` onwards. So the usage of `4.8.0` is a) intentional and b) only for performance benchmarking purposes to ensure no substantive performance regressions. The usage of `4.8.0` within the benchmarking is tightly scoped to the API under test and does not use any of the portions of the API affected by CVE-2023-32200.
   
   As such, there is no security risk involved here and I will close this issue.
   
   Please note that for future reference any security issues with any Apache project should be reported using the [Apache Security Process](https://www.apache.org/security/) and not via public PRs/issues.


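Scope-based triage of a scanner finding like the one in this thread, as an added example that is not part of the Jena project, the PR, or the maintainer's reply. It parses a constructed excerpt in the shape of `mvn dependency:tree` output and decides whether a finding for org.apache.jena:jena-arq 4.8.0 is actionable: only a flagged version consumed by a module that ships an artifact, in a scope that reaches a shipped classpath, is. The module names `jena-fuseki-core` and `jena-benchmarks-jmh`, their dependencies, their scopes and the `NON_SHIPPING_MODULES` set are assumptions for illustration, not Jena's real build; the affected-version set is limited to 4.8.0 because that is all the thread states, and a real triage would take the advisory's full range.

```python
"""Scope-based triage of a dependency-scanner finding (added example; assumptions are marked)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of `mvn dependency:tree` output for two ASSUMED modules.
# Module names, dependencies and scopes are illustrative, not Apache Jena's real build.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ jena-fuseki-core ---
[INFO] org.apache.jena:jena-fuseki-core:jar:4.9.0
[INFO] +- org.apache.jena:jena-arq:jar:4.9.0:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ jena-benchmarks-jmh ---
[INFO] org.apache.jena:jena-benchmarks-jmh:jar:4.9.0
[INFO] +- org.apache.jena:jena-arq:jar:4.8.0:test
[INFO] \\- org.openjdk.jmh:jmh-core:jar:1.37:test
"""

# Header line the dependency plugin prints before each module's tree.
MODULE_RE = re.compile(r"--- .*dependency.*:tree.* @ (\S+) ---")
# group:artifact:jar:version:scope ; the module's own root line carries no scope and is skipped.
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):(compile|provided|runtime|test|system)$")

# Assumption: modules that never produce a shipped artifact (benchmarks, test harnesses).
NON_SHIPPING_MODULES = {"jena-benchmarks-jmh"}
# Scopes that end up on a classpath the code runs against; `test` and `system` never ship.
SHIPPED_SCOPES = {"compile", "runtime", "provided"}


@dataclass(frozen=True)
class Dep:
    module: str
    group: str
    artifact: str
    version: str
    scope: str


@dataclass(frozen=True)
class Finding:
    cve: str
    group: str
    artifact: str
    affected_versions: frozenset  # exact versions the advisory lists (assumption: exact match)


@dataclass(frozen=True)
class Verdict:
    dep: Dep
    actionable: bool
    reason: str


def parse_tree(text: str) -> list:
    """Walk the tree output, tagging each dependency with the module it belongs to."""
    deps, module = [], None
    for raw in text.splitlines():
        line = raw.removeprefix("[INFO] ").strip()
        m = MODULE_RE.search(line)
        if m:
            module = m.group(1)
            continue
        d = DEP_RE.search(line)
        if d and module:
            deps.append(Dep(module, *d.groups()))
    return deps


def triage(finding: Finding, deps: list) -> list:
    """One Verdict per dependency whose coordinates and version match the finding."""
    verdicts = []
    for d in deps:
        if (d.group, d.artifact) != (finding.group, finding.artifact):
            continue
        if d.version not in finding.affected_versions:
            continue
        if d.scope not in SHIPPED_SCOPES:
            verdicts.append(Verdict(d, False, f"{d.scope} scope never reaches a shipped classpath"))
        elif d.module in NON_SHIPPING_MODULES:
            verdicts.append(Verdict(d, False, f"module {d.module} produces no shipped artifact"))
        else:
            verdicts.append(Verdict(d, True, f"{finding.cve} shipped by module {d.module}"))
    return verdicts


# The thread states 4.8.0 is affected and 4.9.0 fixes it; a real triage would use the advisory's full range.
FINDING = Finding("CVE-2023-32200", "org.apache.jena", "jena-arq", frozenset({"4.8.0"}))


def report(finding: Finding = FINDING, tree: str = SAMPLE_TREE) -> str:
    """Human-readable triage lines, one per matching dependency."""
    lines = []
    for v in triage(finding, parse_tree(tree)):
        status = "ACTIONABLE" if v.actionable else "informational"
        lines.append(f"{status}: {v.dep.module} -> {v.dep.group}:{v.dep.artifact}:{v.dep.version} "
                     f"({v.dep.scope}); {v.reason}")
    return "\n".join(lines) or f"{finding.cve}: no matching dependency"


if __name__ == "__main__":
    print(report())
```

This covers only the first half of the maintainer's argument, that the pinned version is not shipped. The second half, that the benchmark never touches the parts of the API affected by CVE-2023-32200, is a reachability question that a scope check cannot answer and that needs a reading of the benchmark code. A scanner that matches on coordinates and version alone makes neither distinction, which is why a finding of this kind is better raised through the project's security process than as an automated version-bump PR.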