[ https://issues.apache.org/jira/browse/XERCESJ-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17995792#comment-17995792 ]
Michael Glavassevich commented on XERCESJ-1783:
-----------------------------------------------

Also, publishing to Maven has never been part of any release process. What you find in repositories has generally been put there by individuals that aren't members of this project. The distributions published by the Xerces PMC are zip files and are available here: https://dlcdn.apache.org/xerces/xml-commons/. The binary zip does indeed contain the License and Notice files for the resolver.

> Not having License.txt in xml-resolver-1.1.jar
> ----------------------------------------------
>
>                 Key: XERCESJ-1783
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1783
>             Project: Xerces2-J
>          Issue Type: Improvement
>          Components: Other
>            Reporter: VIVEK BIBHUTI
>            Priority: Minor
>
> Hi,
> We are using *xml-resolver-1.1.jar* in our project.
> One of our customers has reported that this jar doesn't contain a License.txt file and raised it as a critical vulnerability by their IQ scan (Sonatype).
> We explained that the MANIFEST.MF has a link to the Apache site, where the license is already available publicly.
> Two questions:
> 1. Why is the License file not added to the jar itself?
> 2. Could you please check if the License.txt can be added in the xml-resolver-1.1.jar?
> [https://github.com/apache/xerces-j/tree/xml-commons-resolver]
> [https://mvnrepository.com/artifact/xml-resolver/xml-resolver/1.1]
>
> We have raised this query to LEGAL also; they suggested that we raise another Jira in the XERCESJ project. Below is the reference:
> https://issues.apache.org/jira/browse/LEGAL-705
>
> Regards
> Vivek