Yes it's just xalan-2.7.2, and this solution seems to be/is painless
regarding the build and TCK. The Apache Standard Taglib requires it,
along with serializer-2.7.2. What makes adding this a breaking issue
Mark? If it helps get a release out now to resolve a known CVE then it's
+1 from me (hmm that rhymes). Once it is out then we can spend several
weeks working on a better solution.
Andy.
On 14/09/17 21:00, Jonathan Gallimore wrote:
I believe it's only xalan required, and not xerces as well.
What's the rationale for the -1?
We'd like to release 7.0.4, and the community appears to want a release
based on feedback we have seen on the users list.
Changing the jstlel library appears to be not-entirely-trivial (unless
someone better than me wants to give some pointers). I'd like to try it,
but I don't want it to drag on for ages and hold up a release.
We already established that we'd like this to work out the box without
requiring the user to add anything earlier in this thread.
So, how do we want to proceed? The other option appears to be picking up an
updated version of the glassfish library we had before.
Jon
On 14 Sep 2017 13:26, "Mark Struberg" <[email protected]> wrote:
+1 to NOT have a hard xalan and xerces dependency.
Usually we don't need it but use the version which is packaged within the
JRE.
It should really remain optional pretty please.
LieGrue,
strub
On 31.08.2017 at 16:25, Romain Manni-Bucau <[email protected]> wrote:
Hmm, shout if wrong but think you misunderstood the "optional" in my
sentence. I meant we patch trunk to remove the adherence to xalan.
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[email protected]>:
Thanks Romain. That is definitely the simplest path - xalan is already
marked as an optional dependency, so we wouldn't need to do anything.
From a compliance perspective, where would this leave us? Wouldn't we
need this to work out of the box without adding libraries to be
compliant? If it doesn't affect us in that respect, then I think we're
probably good to go.
Jon
On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[email protected]> wrote:
Hi Jon
there is another thread on it (probably on user@)
I think we should just make xalan optional in the lib and upgrade.
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <[email protected]>:
Correction - that should be: "CDDL or GPL with classpath exception".
On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <[email protected]> wrote:
Great question. CDDL _or_ GPL, by the look of it.
https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I believe.
Jon
On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <[email protected]> wrote:
What is the licence for GlassFish one?
On 31 August 2017 at 12:38, "Jonathan Gallimore" <[email protected]> wrote:
Hi
On master we shifted from openejb-jstl to taglibs-standard-jstlel. I
have done the same on the 1.7.x branch, specifically to move on from
the old openejb-jstl (looking at
https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
taglibs-standard-jstlel library does seem to depend on xalan, which we
currently do not include in TomEE.
The impact is that some XML functions in JSP code do not work, for
example:
<%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
<%-- the body of x:parse must be well-formed XML, so a literal & is written as &amp; --%>
<x:parse var="movies">
  <movies>
    <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
    <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
    <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
    <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
    <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
    <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
    <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
  </movies>
</x:parse>
Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this
on both 1.7.x and master)
Including Xalan does fix this, but it's a 3MB dependency.
The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
instead, which I have tested and seems to work. Anyone have any thoughts?
Jon
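An added example, not code from the thread or from TomEE: it probes whether the standalone Xalan class the taglib links against (org.apache.xpath.XPath, the class named in the NoClassDefFoundError above) is on the classpath, and then evaluates the same XPath against the same movies document using only the JRE-bundled javax.xml.xpath API, with the parser's secure-processing features switched on. The class name JreXPathCheck and the shortened sample document are my own.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class JreXPathCheck {

    // Constructed sample: a shortened copy of the <movies> body from the JSP above,
    // with the ampersand escaped so the document is well-formed XML.
    static final String MOVIES = "<movies>"
        + "<movie id=\"1\" name=\"Wedding Crashers\" genre=\"Comedy\" year=\"2005\"/>"
        + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" genre=\"Action\" year=\"2004\"/>"
        + "</movies>";

    /** True only when the standalone xalan jar (org.apache.xpath.XPath) is on the classpath. */
    static boolean standaloneXalanPresent() {
        try {
            Class.forName("org.apache.xpath.XPath");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** Evaluates an XPath expression with the JRE's own parser and XPath engine, no extra jar. */
    static String evaluate(String xml, String expression) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Secure-processing and no DOCTYPE: the document is untrusted page content.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return xpath.evaluate(expression, doc);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("org.apache.xpath.XPath on classpath: " + standaloneXalanPresent());
        // Same query as the x:out above; the parsed document is the context, so $movies is dropped.
        System.out.println("Movie 1 Genre: " + evaluate(MOVIES, "//movie[@id='1']/@genre"));
    }
}
```

Run it on a plain JRE classpath and the first line prints false while the query still answers "Comedy", which is the point of the thread: the XPath engine shipped inside the JRE is enough, the failure comes from the taglib naming the standalone Xalan class directly.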