benthurley82
CVEs are being reported against compile time dependencies of JDOM. Whilst this is fairly minor, as these dependencies are optional at runtime, it does still have the potential to show up in security scans which can be a problem for anyone using JDOM, particularly in a regulated or security conscious domain.

To fix this I did the following:

  • Updated xerces to 2.12.2
  • Updated xalan to 2.7.3
  • Updated xalan-serializer to 2.7.3
  • Updated any relevant LICENSE and NOTICE files that were in the lib folder
  • Updated the build.xml file to point to the new dep versions
  • Updated the pom.xml to declare the correct versions

This should resolve issue #201, issue #203 looks to be a duplicate and should also be resolved.

Note also that issue #216 is a different issue, but if making a new build to release this change, the suggested fix in that issue should also be included to ensure a clean bill of health in security scans.

Thanks
Ben
