You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "PJ Fanning (Jira)" <ji...@apache.org> on 2022/07/19 20:30:00 UTC
[jira] [Commented] (DRILL-8262) Xalan is EOL and has a never to be fixed CVE
[ https://issues.apache.org/jira/browse/DRILL-8262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568722#comment-17568722 ]
PJ Fanning commented on DRILL-8262:
-----------------------------------
https://github.com/apache/drill/pull/2607
> Xalan is EOL and has a never to be fixed CVE
> --------------------------------------------
>
> Key: DRILL-8262
> URL: https://issues.apache.org/jira/browse/DRILL-8262
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: PJ Fanning
> Priority: Major
>
> Xalan is no longer supported.
> https://lists.apache.org/thread/s8kjny5270ssfcp46v0fl39lk98987w7
> It is better to use JAXP TransformerFactory than using xalan directly. If you add xalan dependency just to ensure that you have a JAXP compliant transformer on the classpath, this is unnecessary - the Java runtime has a built-in implementation.
> Drill dependency:
> https://mvnrepository.com/artifact/org.apache.drill.exec/drill-java-exec/1.20.0
--
This message was sent by Atlassian Jira
(v8.20.10#820010)