[ https://issues.apache.org/jira/browse/CAMEL-18346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17599095#comment-17599095 ]

Thomas Cunningham commented on CAMEL-18346:
-------------------------------------------

*Remaining xalan references after PR above* : 

camel-atom, camel-fop, camel-spring-ws : all dependency exclusions, still needed

XMLConverter.java, XMLConverterHelper.java : I think these are the JDK classes 
(com.sun.org.apache.xalan.internal) - I think these still apply.
{code:java}
components/camel-atom/pom.xml:                    <artifactId>xalan</artifactId>
components/camel-atom/pom.xml:                    <groupId>xalan</groupId>
components/camel-atom/pom.xml:                    <artifactId>xalan</artifactId>
components/camel-atom/pom.xml:                    <groupId>xalan</groupId>
components/camel-fop/pom.xml:                <!-- exclude the dependency of xalan to fix CAMEL-7737 -->
components/camel-fop/pom.xml:                    <groupId>xalan</groupId>
components/camel-fop/pom.xml:                    <artifactId>xalan</artifactId>
components/camel-spring-ws/pom.xml:                    <groupId>xalan</groupId>
components/camel-spring-ws/pom.xml:                    <artifactId>xalan</artifactId>
components/camel-xmlsecurity/src/main/java/org/apache/camel/component/xmlsecurity/api/XmlSignatureHelper.java:        // previously we used javax.xml.transform.Transformer, however the JDK xalan implementation did not work correctly with a specified encoding
components/camel-xslt-saxon/src/main/java/org/apache/camel/component/xslt/saxon/XsltSaxonBuilder.java:            //   (see com.sun.org.apache.xalan.internal.xsltc.trax.StAXStream2SAX).
components/camel-xslt-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl: xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
components/camel-xslt-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl: xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
components/camel-xslt-saxon/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl: xmlns:str="http://xml.apache.org/xalan/java/java.lang.String"
core/camel-core/src/test/resources/org/apache/camel/component/xslt/transformCallEcho.xsl:  xmlns:echo="xalan://org.apache.camel.component.xslt.MyEcho"
core/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl:                xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
core/camel-core/src/test/resources/org/apache/camel/component/xslt/transform_text.xsl:                xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java:            = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java:            = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
{code}
 

> Remove use of Xalan
> -------------------
>
>                 Key: CAMEL-18346
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18346
>             Project: Camel
>          Issue Type: Task
>          Components: build system
>            Reporter: PJ Fanning
>            Priority: Minor
>             Fix For: 3.19.0
>
>
> Xalan-J has an unfixed CVE. It is possible that this will be fixed in the 
> future but Xalan-J has had only one release since 2008 (in 2014).
> https://www.cvedetails.com/cve/CVE-2022-34169/
> Java has built-in support for TransformerFactory and XPathFactory. This means 
> most apps that use Xalan-J can readily switch away. Saxon-HE is another well 
> maintained alternative.
> Places where Camel still uses Xalan:
> * https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/components/camel-xmlsecurity/pom.xml
> * https://github.com/apache/camel/blob/9d6ad653b6faa16e3c09047da66cd3bca94783ee/tooling/maven/camel-eip-documentation-enricher-maven-plugin/pom.xml#L73
> There are profiles for testing in a number of poms:
> eg https://github.com/apache/camel/blob/main/core/camel-core-engine/pom.xml#L325



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
