I don't believe it is Ant itself that puts jquery into the api docs but the javadoc tool of the JDK does. "Fixing" the manual probably means re-creating it with a more recent JDK - if and only if the more recent JDK has actually upgraded its jquery dependency, that is.

Looking at CVE-2020-11023 and grepping through the code a bit I don't believe the code generated by the javadoc tool ever uses input from untrusted source at all, so it may just be that the apidocs generated simply are not affected by the vulnerabilty and thus no update is required. You may want to check that yourself.

This causes violations to be reported by Nexus IQ scans, which is annoying and causes administrative overhead.

Hello Alan, Peter,

Could one of you test the upcoming Ant 1.10.13 version which currently is in voting phase https://lists.apache.org/thread/5ovftmd8cj7sdstckq8m5d7r0g2q8x2k. I had a brief look at the generated javadoc and from what I can see this should no longer be an issue in this upcoming release. It would be helpful if you could try it out on some system where the scanning tool is running.

I glanced at the pre-release ZIP and I can confirm that the vulnerable jquery-3.3.1 has been updated to a non-vulnerable jquery-3.5.1.

I noticed that 3.5.1 is not the latest though, the latest is 3.6.2, or even 4.0.0 even if you're willing to accept a major version bump, but 3.5.1 is certainly good enough for now.

In order to really confirm that our build passes Nexus IQ I'll need an official build downloadable from Maven Central, but I'm confident that it will be fixed in apache-ant-1.10.13.

Thank you Peter for that quick check. Once the voting completes, this new release should be available soon.