
SPDX Tools
Apache License 2.0

Update libthrift to version 0.12.0 #185

Open goneall opened 5 years ago

goneall commented 5 years ago

The current version used by Jena ARQ is 0.10.0 which has a medium severity CVE-2018-11798.

Although it likely does not pose a threat to the current usage of libthrift within the SPDX tools, it should be upgraded to remove the vulnerability.

goneall commented 5 years ago

The POM file already has version 0.12.0 specified before the Jena dependency. For some reason, 0.10.0 is still being included in the executables. Perhaps someone more familiar with POM files could take a look and see what the issue is and provide a PR to fix.
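One way to pin the transitive libthrift version so that the Jena-provided 0.10.0 cannot win the resolution, shown here as an added example and not the SPDX tools' own POM. The coordinates org.apache.thrift:libthrift and org.apache.jena:jena-arq are the standard Maven Central ones; that libthrift reaches the build through jena-arq is assumed from the comment above, and the project coordinates and the jena-arq version are placeholders:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates, not the SPDX tools' real ones -->
  <groupId>org.example</groupId>
  <artifactId>thrift-override-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <!-- dependencyManagement fixes the version for every occurrence of the
       artifact in the tree, including the one jena-arq pulls in transitively.
       Declaration order in <dependencies> does not matter for this; Maven
       picks the nearest declaration, and managed versions override that. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.thrift</groupId>
        <artifactId>libthrift</artifactId>
        <version>0.12.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the dependency that transitively brings in libthrift 0.10.0 -->
    <dependency>
      <groupId>org.apache.jena</groupId>
      <artifactId>jena-arq</artifactId>
      <version>JENA_ARQ_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

To confirm which version actually lands in the build, run `mvn dependency:tree -Dverbose -Dincludes=org.apache.thrift:libthrift`; the verbose output marks the losing version as "omitted for conflict" and shows the path that introduced it. If 0.10.0 is still present after the managed version is in place, the copy in the executables is coming from somewhere other than normal Maven resolution (for example a separately built module or a bundled jar), and the tree output is the place to find that path.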

imskr commented 4 years ago

@goneall Can I work on this?

goneall commented 4 years ago

@imskr Yes - thanks

Gautime commented 4 years ago

@imskr Are you still working on it?

imskr commented 4 years ago

Yeah