[ https://issues.apache.org/jira/browse/CAMEL-18346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17598551#comment-17598551 ]
Thomas Cunningham commented on CAMEL-18346:
-------------------------------------------

https://github.com/apache/camel/pull/8247

> Remove use of Xalan
> -------------------
>
>                 Key: CAMEL-18346
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18346
>             Project: Camel
>          Issue Type: Task
>          Components: build system
>            Reporter: PJ Fanning
>            Priority: Minor
>             Fix For: 3.19.0
>
>
> Xalan-J has an unfixed CVE. It is possible that this will be fixed in the
> future but Xalan-J has had only one release since 2008 (in 2014).
> https://www.cvedetails.com/cve/CVE-2022-34169/
> Java has built-in support for TransformerFactory and XPathFactory. This means
> most apps that use Xalan-J can readily switch away. Saxon-HE is another well
> maintained alternative.
> Places where Camel still uses Xalan:
> * https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/components/camel-xmlsecurity/pom.xml
> * https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/tooling/maven/camel-eip-documentation-enricher-maven-plugin/pom.xml#L73
> There are profiles for testing in a number of poms:
> eg https://github.com/apache/camel/blob/main/core/camel-core-engine/pom.xml#L325

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
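
The switch to the JDK's built-in TransformerFactory and XPathFactory that the issue description mentions, as an added example (not code from Camel or from the linked pull request): it reports which implementations JAXP lookup currently selects, then runs a transform pinned to the JDK implementation with external access disabled. The class name `JdkXsltCheck` and the sample stylesheet and input are constructed for illustration; Java 9 or later is assumed for `newDefaultInstance()`.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.xpath.XPathFactory;

public class JdkXsltCheck {
    // Constructed sample stylesheet and input, embedded so the check runs offline.
    static final String XSL =
        "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:output method='text'/>"
      + "<xsl:template match='/'><xsl:value-of select='/order/@id'/></xsl:template>"
      + "</xsl:stylesheet>";
    static final String XML = "<order id='42'/>";

    static TransformerFactory jdkTransformerFactory() throws Exception {
        // newDefaultInstance() (Java 9+) returns the JDK's built-in implementation and
        // skips the system-property and META-INF/services lookup that newInstance()
        // uses, which is how a Xalan jar on the classpath gets selected.
        TransformerFactory tf = TransformerFactory.newDefaultInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocols allowed for external DTDs or stylesheets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    static String transform(String xsl, String xml) throws Exception {
        Transformer t = jdkTransformerFactory()
            .newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // What newInstance() resolves to shows whether Xalan-J is still being picked up.
        String tfImpl = TransformerFactory.newInstance().getClass().getName();
        String xpImpl = XPathFactory.newInstance().getClass().getName();
        System.out.println("TransformerFactory.newInstance(): " + tfImpl);
        System.out.println("XPathFactory.newInstance():       " + xpImpl);
        if (tfImpl.startsWith("org.apache.xalan.") || xpImpl.startsWith("org.apache.xpath.")) {
            System.out.println("Xalan-J is still on the classpath and selected by JAXP lookup");
        }
        System.out.println("JDK transform result: " + transform(XSL, XML));
    }
}
```

Running it with the application's real classpath makes any remaining transitive Xalan-J dependency visible, since the JDK's own classes live under `com.sun.org.apache.*` rather than `org.apache.xalan.*`.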