The GitHub Actions job "Java CI" on commons-xml.git/feature/resolver-floor has failed. Run started by GitHub user ppkarwasz (triggered by ppkarwasz).
Head commit for run: 66c18ffe4f19143d081acb744170ca2d0deb99d5 / Piotr P. Karwasz <[email protected]> Document the resolver floor in the threat model Installing a resolver no longer removes the hardening: the floor wraps the caller's resolver instead of being replaced. Reflect that across the threat model. Add a "Resolvers" entry under the settings a caller may modify, listing the typed set*Resolver methods, the DefaultHandler passed to SAXParser.parse, and the StAX resolver properties (javax.xml.stream.resolver and the com.ctc.wstx.*Resolver keys), with the caveat that the installed resolver must resolve every resource the caller needs, since the floor denies or ignores whatever it leaves unresolved. Move the Woodstox resolver properties out of the reserved list, correct the reserved-section note that previously called installing a resolver a loosening, and reframe the out-of-scope entry to the remaining caller responsibility: a resolver that resolves an untrusted resource fetches it. The raw Xerces internal entity-resolver property stays reserved, as the typed setter override does not wrap it. Assisted-By: Claude Opus 4.8 (1M context) <[email protected]> Report URL: https://github.com/apache/commons-xml/actions/runs/28849559294 With regards, GitHub Actions via GitBox
