[
https://issues.apache.org/jira/browse/NIFI-10395?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-10395:
------------------------------------
Status: Patch Available (was: Open)
> Add Apache Xalan to Banned Dependencies
> ---------------------------------------
>
> Key: NIFI-10395
> URL: https://issues.apache.org/jira/browse/NIFI-10395
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Apache Xalan 2.7.2 was released in April 2014 and the description of
> [CVE-2022-34169|https://nvd.nist.gov/vuln/detail/CVE-2022-34169] highlights
> the fact that the project is dormant, with no future releases are planned.
> Direct dependencies on Apache Xalan should not be necessary, as the standard
> Java installation includes a bundled version. Changes in NIFI-8417 excluded
> one transitive dependency on Xalan, so the root Maven configuration should be
> updated to add Xalan to the list of banned dependencies, ensuring that no
> future changes introduce it as a transitive dependency.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
