TopQuadrant / shacl

SHACL API in Java based on Apache Jena
Apache License 2.0

Upgrade Jena version to resolve CVE-2023-22665 #153

Closed costas80 closed 7 months ago

costas80 commented 1 year ago

A high importance CVE was published that affects the Jena version used within this library (see CVE-2023-22665) that would require Jena to be upgraded to (at least) version 4.8.0. Is this something planned? Thanks!

HolgerKnublauch commented 1 year ago

We are currently updating our own (commercial) product code base to 4.8. Once that's complete, I could check on the impact of the Jena changes to the SHACL API.

As a word of caution though, we are no longer using the same code in our product as this open source project. This makes it difficult for me to test this beyond the automated test cases. It would be better if someone from the community could contribute a PR that is tested for additional use cases.

lolgab commented 10 months ago

@HolgerKnublauch Have you considered donating this project to Apache so maybe it can be merged with Jena and be maintained together with it? This is probably the best SHACL implementation for Java and it's a pity if it remains not updated and not usable with the latest Jena.

HolgerKnublauch commented 10 months ago

I am open in any direction here. It is quite obvious that my time for this project is limited as I mainly work on the commercial code base. Regardless of whether this gets turned into an Apache project, it should have a new co-owner. If there is someone here who wants to maintain it, I'd happily give the required permissions. To start, someone could make a PR to upgrade it to the latest Jena version. If there are no volunteers here, then why would it change under Apache. And Jena already has its own SHACL engine built-in.

costas80 commented 10 months ago

@HolgerKnublauch are you aware of a feature/coverage gap between the Topbraid SHACL engine and that of Jena?

Regarding at least a PR to bump the Jena version, I've had it on my TODO list for a while now but I haven't found any time (and in general I'm very pressed to find availability). Still hoping I can find some time to contribute (at least) this.

HolgerKnublauch commented 10 months ago

@afs would know the state of the SHACL engine in Jena. I believe the main difference is the support for SHACL-AF in the TopBraid API.

afs commented 10 months ago

If there are no volunteers here, then why would it change under Apache.

Exactly. Community over Code. There is no such thing as "finished" code. It has to be maintained for security.

FYI: there is also https://www.cve.org/CVERecord?id=CVE-2023-32200 -- upgrade to 4.9.0, ideally 4.10.0.
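An added example, not code from this thread or from the TopQuadrant project: a small dependency check that reads a constructed pom.xml, resolves the Jena version through its `${...}` property, and compares it as a numeric tuple (so that 4.10.0 correctly sorts above 4.9.0) against the fix versions quoted in the comments above for CVE-2023-22665 (4.8.0) and CVE-2023-32200 (4.9.0). The artifact and property names in the sample pom are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Fix versions as stated in the thread above for each advisory.
ADVISORY_FLOORS = {
    "CVE-2023-22665": "4.8.0",
    "CVE-2023-32200": "4.9.0",
}
RECOMMENDED = "4.10.0"  # the "ideally" version from the same comment

# Constructed sample pom.xml (not the project's real pom), pinning an old Jena.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jena.version>4.6.1</jena.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.jena</groupId>
      <artifactId>jena-arq</artifactId>
      <version>${jena.version}</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '4.8.0' into a comparable tuple; string comparison would put 4.9 above 4.10."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", v))


def jena_version(pom_xml):
    """Return the version of the first org.apache.jena dependency, expanding ${prop} references."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", namespaces=NS) == "org.apache.jena":
            raw = dep.findtext("m:version", namespaces=NS) or ""
            return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
    return None


def unresolved_advisories(version):
    """CVEs from the thread whose fix version is still above the given Jena version."""
    return sorted(cve for cve, floor in ADVISORY_FLOORS.items()
                  if parse_version(version) < parse_version(floor))


if __name__ == "__main__":
    v = jena_version(SAMPLE_POM)
    print(v, unresolved_advisories(v), "recommended:", RECOMMENDED)
```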

afs commented 10 months ago

Jena uses deprecations over several versions to indicate planned changes. Often they are just left in place. In Jena5, there is an internal clear out.

Deprecations. Not all are for removal; the deprecation message should help.

https://jena.apache.org/documentation/javadoc/jena/deprecated-list.html https://jena.apache.org/documentation/javadoc/arq/deprecated-list.html

ashleycaselli commented 7 months ago

Release v1.4.3 closes this issue.