[ https://issues.apache.org/jira/browse/CAMEL-18346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
PJ Fanning updated CAMEL-18346:
-------------------------------
Description:
Xalan-J has an unfixed CVE. It is possible that this will be fixed in the
future but Xalan-J has had only one release since 2008 (in 2014).
https://www.cvedetails.com/cve/CVE-2022-34169/
Java has built-in support for TransformerFactory and XPathFactory. This means
most apps that use Xalan-J can readily switch away. Saxon-HE is another
well-maintained alternative.
One place where Camel still uses Xalan:
https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/components/camel-xmlsecurity/pom.xml
There are profiles for testing in a number of poms:
e.g. https://github.com/apache/camel/blob/main/core/camel-core-engine/pom.xml#L325
was:
Xalan-J has an unfixed CVE. It is possible that this will be fixed in the
future but Xalan-J has had only one release since 2008 (in 2014).
https://www.cvedetails.com/cve/CVE-2022-34169/
Java has built-in support for TransformerFactory and XPathFactory. This means
most apps that use Xalan-J can readily switch away. Saxon-HE is another
well-maintained alternative.
One place where Camel still uses Xalan:
https://github.com/apache/camel/blob/main/core/camel-core-engine/pom.xml#L325
> Remove use of Xalan
> -------------------
>
> Key: CAMEL-18346
> URL: https://issues.apache.org/jira/browse/CAMEL-18346
> Project: Camel
> Issue Type: Task
> Components: build system
> Reporter: PJ Fanning
> Priority: Minor
> Fix For: 3.19.0
>
>
> Xalan-J has an unfixed CVE. It is possible that this will be fixed in the
> future but Xalan-J has had only one release since 2008 (in 2014).
> https://www.cvedetails.com/cve/CVE-2022-34169/
> Java has built-in support for TransformerFactory and XPathFactory. This means
> most apps that use Xalan-J can readily switch away. Saxon-HE is another
> well-maintained alternative.
> One place where Camel still uses Xalan:
> https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/components/camel-xmlsecurity/pom.xml
> There are profiles for testing in a number of poms:
> e.g.
> https://github.com/apache/camel/blob/main/core/camel-core-engine/pom.xml#L325