remove xalan dependency due to security vulnerability
leePyramid opened this issue · 6 comments
leePyramid commented
The CoreNlp transitively brings xalan as a 3rd party dependency.
coreNLP -> xom -> xalan
xalan is an old XML processor which has a severe security vulnerability:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
When are you planning on removing the xalan dependency from the project?
We can't afford having this critical vulnerability inside our project.
AngledLuffa commented
We posted an updated version, 4.5.2. Would you check that it no longer pulls in xalan unnecessarily?
leePyramid commented
AngledLuffa commented
Can you use the dependency exclusion to keep it from appearing?
https://maven.apache.org/guides/introduction/introduction-to-optional-and-excludes-dependencies.html
On Sat, Jan 21, 2023 at 10:16 PM leePyramid wrote:
Hi John,
Appreciate the follow back.
Unfortunately I'm still getting xalan.
Output of maven dependency tree:
[image: image]
<https://user-images.githubusercontent.com/122274295/213903278-8eb0fe3b-801b-4f82-93da-f82d6b123a21.png>
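The exclusion John points to, written out for the CoreNLP artifact as an added example (it is not code from this thread or from the CoreNLP project); the Maven coordinates edu.stanford.nlp:stanford-corenlp and xalan:xalan are assumed to match what the reader's pom already declares, and the version is the 4.5.2 mentioned above.

```xml
<dependency>
  <groupId>edu.stanford.nlp</groupId>
  <artifactId>stanford-corenlp</artifactId>
  <version>4.5.2</version>
  <exclusions>
    <!-- xalan is pulled in transitively (coreNLP -> xom -> xalan); excluding it
         at the CoreNLP edge keeps the CVE-2022-34169 artifact off the classpath.
         Coordinates assumed: xalan:xalan is the artifact the dependency tree shows. -->
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Afterwards, `mvn dependency:tree -Dincludes=xalan` should list nothing; if it still does, another direct dependency is bringing xalan in and needs its own exclusion.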
leePyramid commented
Hi,
Yes, this works - Thanks.
If I exclude this, which operation in the NLP will not work? When will it try to use xalan?
AngledLuffa commented
Probably won't be an issue. It's mostly used in the web server to turn the XML output into HTML