[
https://issues.apache.org/jira/browse/NIFI-10395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17584963#comment-17584963
]
ASF subversion and git services commented on NIFI-10395:
--------------------------------------------------------
Commit d9b3257e33da272370a625efcedfd7e46f003a53 in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=d9b3257e33 ]
NIFI-10395 Added Apache Xalan to banned dependencies
> Add Apache Xalan to Banned Dependencies
> ---------------------------------------
>
> Key: NIFI-10395
> URL: https://issues.apache.org/jira/browse/NIFI-10395
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Tools and Build
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Minor
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Apache Xalan 2.7.2 was released in April 2014 and the description of
> [CVE-2022-34169|https://nvd.nist.gov/vuln/detail/CVE-2022-34169] highlights
> the fact that the project is dormant, with no future releases are planned.
> Direct dependencies on Apache Xalan should not be necessary, as the standard
> Java installation includes a bundled version. Changes in NIFI-8417 excluded
> one transitive dependency on Xalan, so the root Maven configuration should be
> updated to add Xalan to the list of banned dependencies, ensuring that no
> future changes introduce it as a transitive dependency.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
