[WFLY-16771] Remove bcel from jboss/xalan-j binaries (Fix CVE-2022-34… #7
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
This is a fork of the https://github.com/apache/xalan-j project, intended for use in producing bug fix releases from upstream Xalan 2.7.1. | ||
|
||
How to build | ||
------------ | ||
Switch to jdk 1.8 | ||
|
||
Add EE 8 or earlier servlet and ejb API jars to the classpath. | ||
|
||
For example: | ||
|
||
export CLASSPATH=~/.m2/repository/org/jboss/spec/javax/ejb/jboss-ejb-api_3.2_spec/2.0.0.Final/jboss-ejb-api_3.2_spec-2.0.0.Final.jar: \ | ||
~/.m2/repository/org/jboss/spec/javax/servlet/jboss-servlet-api_4.0_spec/2.0.0.Final/jboss-servlet-api_4.0_spec-2.0.0.Final.jar | ||
|
||
Clean and build | ||
|
||
./build.sh clean dist | ||
|
||
Install in the local Maven repository | ||
------------------------------------- | ||
First update the pom files maven/pom-serializer.xml and maven/pom-xalan.xml as needed (e.g. to update the GAV version). | ||
|
||
Then: | ||
|
||
maven/install.sh | ||
|
||
Deploy to the repository.jboss.org Maven repository | ||
--------------------------------------------------- | ||
First update the pom files maven/pom-serializer.xml and maven/pom-xalan.xml as needed (e.g. to update the GAV version). | ||
|
||
Then: | ||
|
||
maven/deploy.sh | ||
|
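Review bot: In the CLASSPATH example, the space before the trailing backslash in `...jboss-ejb-api_3.2_spec-2.0.0.Final.jar: \` ends the assignment word, so the shell hands the servlet jar path on the next line to `export` as a separate argument and it never becomes part of CLASSPATH. Remove the space before the backslash and make sure the continuation line starts at column one, or put both jars on a single line so the example can be copied and pasted as written.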
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Script to deploy build output to JBoss Maven repository | ||
|
||
# Deploy xalan.jar and source files | ||
mvn org.apache.maven.plugins:maven-install-plugin:2.5.2::install-file \ | ||
-DpomFile=maven/pom-xalan.xml \ | ||
-Dfile=build/xalan.jar \ | ||
-Dsources=build/xalan-sources.jar | ||
|
||
# Deploy serializer.jar | ||
mvn org.apache.maven.plugins:maven-install-plugin:2.5.2::install-file \ | ||
-DpomFile=maven/pom-serializer.xml \ | ||
-Dfile=build/serializer.jar \ | ||
-Dsources=build/serializer-sources.jar | ||
|
||
# Deploy the full source zip | ||
mvn org.apache.maven.plugins:maven-install-plugin:2.5.2::install-file \ | ||
-DpomFile=maven/pom-xalan.xml \ | ||
-Dfile=build/xalan-j_2_7_1-src.zip \ | ||
-Dpackaging=zip \ | ||
-Dclassifier=source-release | ||
|
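Review bot: The header comment and the three "# Deploy ..." comments say this script deploys to the JBoss Maven repository, but every command invokes `maven-install-plugin` with `install-file`, which only writes to the local repository. The README in this same change lists maven/install.sh and maven/deploy.sh as separate steps, so either the comments should say "install", or, if this is meant to be the deploy script, the commands should use `deploy-file` from maven-deploy-plugin with `-Durl` and `-DrepositoryId` for the target repository. Two smaller points: the doubled colon in `2.5.2::install-file` differs from the usual groupId:artifactId:version:goal form and is worth confirming, and without a shebang and `set -e` a failure in the first `mvn` call will not stop the later ones from running.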
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
org.apache.xalan.xsltc.trax.TransformerFactoryImpl | ||
org.apache.xalan.processor.TransformerFactoryImpl | ||
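Review bot: This one-line swap from `org.apache.xalan.xsltc.trax.TransformerFactoryImpl` to `org.apache.xalan.processor.TransformerFactoryImpl` changes which TransformerFactory is picked by default, and nothing in the README added by this change mentions it. Please document the new default and the reason for it (BCEL is no longer shipped) in the README or release notes, and state what happens for users who still request the XSLTC factory by name, since that class depends on the removed BCEL code and should fail in an obvious way rather than partway through a transform.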
Note this change, which I believe means a change in the default TransformerFactory for WF users. (I could be wrong.) The new value here is the one EAP has been using for many years. The existing value uses BCEL, which is not present in the xalan-j.jar that EAP ships.
I happen to have javax.servlet api in:
~/.m2/repository/javax/servlet/javax.servlet-api/3.1.0/javax.servlet-api-3.1.0.jar
~/.m2/repository/javax/servlet/javax.servlet-api/4.0.1/javax.servlet-api-4.0.1.jar
Everyone will have different jars I'm sure, especially if they occasionally delete their maven repo. No change needed really.
+1.
I went with the spec fork GAVs as the example just because it's more likely a typical WildFly dev would have those vs having the javax.* Eclipse artifacts.