From 209a065bd16b5e20d86b2fcd147331c76f23d381 Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Sat, 23 Jul 2022 15:35:48 -0500
Subject: [PATCH] NIFI-10271 Upgraded Xerces from 2.12.1 to 2.12.2

- Suppressed false positive vulnerability report for CVE-2017-10355
---
 nifi-dependency-check-maven/suppressions.xml           |  5 +++++
 nifi-nar-bundles/nifi-hive-bundle/pom.xml              |  6 ++++++
 .../nifi-media-bundle/nifi-media-processors/pom.xml    | 10 ++++++++++
 .../nifi-scripting-processors/pom.xml                  |  2 +-
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index db3e58a79400..20dcabe7795d 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -129,4 +129,9 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl>
         <cpe>cpe:/a:apache:solr</cpe>
     </suppress>
+    <suppress>
+        <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
+        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
+        <cve>CVE-2017-10355</cve>
+    </suppress>
 </suppressions>
diff --git a/nifi-nar-bundles/nifi-hive-bundle/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/pom.xml
index 60094dd704f2..54991ac0a5fb 100644
--- a/nifi-nar-bundles/nifi-hive-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-hive-bundle/pom.xml
@@ -97,6 +97,12 @@
                 <artifactId>ant</artifactId>
                 <version>1.10.12</version>
             </dependency>
+            <!-- Override Xerces 2.9.1 in Hive 1.1 and 1.2 -->
+            <dependency>
+                <groupId>xerces</groupId>
+                <artifactId>xercesImpl</artifactId>
+                <version>2.12.2</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
diff --git a/nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml b/nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
index 1fad27fd7dd5..08e08ac99d8e 100644
--- a/nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-media-bundle/nifi-media-processors/pom.xml
@@ -29,6 +29,16 @@
         <tika.version>2.4.1</tika.version>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- Override Xerces 2.12.1 from Tika -->
+            <dependency>
+                <groupId>xerces</groupId>
+                <artifactId>xercesImpl</artifactId>
+                <version>2.12.2</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
     <dependencies>
         <dependency>
             <groupId>org.apache.nifi</groupId>
diff --git a/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-processors/pom.xml b/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-processors/pom.xml
index 9e2178c4c9f4..8b2adb076639 100644
--- a/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-processors/pom.xml
+++ b/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-processors/pom.xml
@@ -112,7 +112,7 @@
         <dependency>
             <groupId>xerces</groupId>
             <artifactId>xercesImpl</artifactId>
-            <version>2.12.1</version>
+            <version>2.12.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.nifi</groupId>