Thanks Romain. That is definitely the simplest path - xalan is already marked as an optional dependency, so we wouldn't need to do anything. From a compliance perspective, where would this leave us? Wouldn't we need this to work out of the box without adding libraries to be compliant? If it doesn't affect us in that respect, then I think we're probably good to go.
Jon

On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

> Hi Jon
>
> there is another thread on it (probably on user@)
>
> I think we should just make xalan optional in the lib and upgrade.
>
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> <https://blog-rmannibucau.rhcloud.com> | Old Blog
> <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
> <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <jonathan.gallim...@gmail.com>:
>
> > Correction - that should be: "CDDL or GPL with classpath exception".
> >
> > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > Great question. CDDL _or_ GPL, by the look of it.
> > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
> > > believe.
> > >
> > > Jon
> > >
> > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > >> What is the licence for GlassFish one?
> > >>
> > >> On 31 August 2017 12:38, "Jonathan Gallimore" <jonathan.gallim...@gmail.com>
> > >> wrote:
> > >>
> > >> > Hi
> > >> >
> > >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
> > >> > done the same on the 1.7.x branch, specifically to move on from the old
> > >> > openejb-jstl (looking at
> > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The taglibs-standard-jstlel
> > >> > library does seem to depend on xalan, which we currently do not include in
> > >> > TomEE.
> > >> >
> > >> > The impact is that some XML functions in JSP code do not work, for
> > >> > example:
> > >> >
> > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > >> >
> > >> > <x:parse var="movies">
> > >> >   <movies>
> > >> >     <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> > >> >     <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> > >> >     <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> > >> >     <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> > >> >     <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> > >> >     <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> > >> >     <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> > >> >   </movies>
> > >> > </x:parse>
> > >> >
> > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> > >> >
> > >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
> > >> > both 1.7.x and master)
> > >> >
> > >> > Including Xalan does fix this, but it's a 3MB dependency.
> > >> >
> > >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
> > >> > instead, which I have tested and seems to work. Anyone have any thoughts?
> > >> >
> > >> > Jon