Switching from Xalan to a secure alternative #1302
Comments
e-reznik
changed the title
|
Any Update team on this ..?? This is critical from vulnerabilities perspective |
|
Is this because of xom? I don't think we use xalan directly. If so, please see: #1264 I hope to make a new release end of next week or start of the week after. There are a couple other changes I need to discuss with my PI, and I don't think we'll meet until then. In the meantime, you can compile from the dev branch if this is critical |
|
Thank you John
Appreciate your quick response on this .
Thanks & Regards,
Afrina Alam
Senior Product Architect - IGNITE Quality Platform
GBS Quality Engineering (IGNITE) | IBM Services
Mobile : +919590751286 | Email : ***@***.******@***.***>
Slack : ***@***.***
Webex : https://ibm.webex.com/meet/afrialam
Linked :https://www.linkedin.com/in/afrina-alam/
From: John Bauer ***@***.***>
Date: Wednesday, 11 January 2023 at 2:12 PM
To: stanfordnlp/CoreNLP ***@***.***>
Cc: Afrina Alam ***@***.***>, Comment ***@***.***>
Subject: [EXTERNAL] Re: [stanfordnlp/CoreNLP] Switching from Xalan to a secure alternative (Issue #1302)
Is this because of xom? I don't think we use xalan directly. [john@ localhost CoreNLP]$ find src -name "*java" -exec grep -H --ignore-case "xalan" "{}" ";" [john@ localhost CoreNLP]$ If so, please see: #1264 I hope to make a new release end of
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd
Is this because of xom? I don't think we use xalan directly.
***@***.*** CoreNLP]$ find src -name "*java" -exec grep -H --ignore-case "xalan" "{}" ";"
***@***.*** CoreNLP]$
If so, please see: #1264<#1264>
I hope to make a new release end of next week or start of the week after. There are a couple other changes I need to discuss with my PI, and I don't think we'll meet until then. In the meantime, you can compile from the dev branch if this is critical
—
Reply to this email directly, view it on GitHub<#1302 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ASBYL4IH463IBFS46ZB7IH3WRZXAFANCNFSM6AAAAAAQLRTFVE>.
You are receiving this because you commented.Message ID: ***@***.***>
|
|
4.5.2 now has an updated xom dependency. Would you check that it meets your needs? |
|
After reading those comments, I excluded xalan from my dependency. Not it's not showing anymore. |
|
seems like xalan is still being included as a dependency in xom 1.3.8. xom released 1.3.9 which removes the xalan dependency entirely. Please update to xom 1.3.9 |
|
This is already a thing in our dev branch: We will make a new release with the update in a few weeks. There is some cleanup work to be done on a previous project which used CoreNLP that we want to release at the same time |
|
They wound up releasing a new Xalan a few months back, and we found that there was something specifically in SUTime which expected XSLT, so we just kept it with the bugfix version of Xalan for the latest CoreNLP release. If this is still unsatisfactory, please let us know |
Core NLP uses xalan:xalan in the latest version as a dependency, which has several known vulnerabilities. As this project is deprecated, no fix will be provided.
It is advisable, to switch to an alternative, that is still being maintained. An alternative is Saxon XSLT, as it seems to be the successor of the Xalan project.
The text was updated successfully, but these errors were encountered: