Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/08/25 15:49:00 UTC

[jira] [Created] (NIFI-10395) Add Apache Xalan to Banned Dependencies

David Handermann created NIFI-10395:
---------------------------------------

             Summary: Add Apache Xalan to Banned Dependencies
                 Key: NIFI-10395
                 URL: https://issues.apache.org/jira/browse/NIFI-10395
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Tools and Build
            Reporter: David Handermann
            Assignee: David Handermann


Apache Xalan 2.7.2 was released in April 2014 and the description of [CVE-2022-34169|https://nvd.nist.gov/vuln/detail/CVE-2022-34169] highlights the fact that the project is dormant, with no future releases planned.

Direct dependencies on Apache Xalan should not be necessary, as the standard Java installation includes a bundled version. Changes in NIFI-8417 excluded one transitive dependency on Xalan, so the root Maven configuration should be updated to add Xalan to the list of banned dependencies, ensuring that no future changes introduce it as a transitive dependency.



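One way to express the ban described in this issue, as an added example that is not taken from the NiFi repository: a Maven Enforcer rule in a root pom.xml that fails the build when xalan:xalan appears directly or transitively, followed by the per-dependency exclusion that resolves a violation. The plugin version, the execution id and the org.example:xml-library coordinates are assumptions made for illustration.

```xml
<!-- Added example, not the NiFi project's own configuration. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.4.1</version> <!-- assumed version; pin whatever the build already uses -->
      <executions>
        <execution>
          <id>ban-xalan</id> <!-- hypothetical execution id -->
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- Transitive dependencies are checked as well as direct ones. -->
                <searchTransitive>true</searchTransitive>
                <excludes>
                  <!-- groupId:artifactId with no version bans every release. -->
                  <exclude>xalan:xalan</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

<!-- When the rule fires on a transitive path, exclude Xalan where it enters.
     org.example:xml-library is a hypothetical dependency. -->
<dependency>
  <groupId>org.example</groupId>
  <artifactId>xml-library</artifactId>
  <version>1.0.0</version>
  <exclusions>
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Running `mvn dependency:tree -Dincludes=xalan:xalan` shows which dependency path pulls Xalan in when the enforcer rule reports a violation.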