Consider JRE provided JAXP implementation over deprecated Xerces for XML parsing #3110
Replies: 2 comments 8 replies
-
@drkstr101 Thank you for asking these questions. CVE-2012-0881 has been resolved since Nokogiri v1.9.0: #1831. It may be possible to upgrade xerces; I'm really looking for help maintaining the JRuby implementation since I'm not a JRuby user myself. Are you interested in helping out?
-
I've spent a bit more time understanding the feature requirements, guiding principles, etc. of Nokogiri, and feel it would be worth the effort to produce a Java extension rewritten to use nothing but native public APIs for XML/DOM parsing. I've looked into Neko, and I'm pretty sure it's just using the underlying DOM parser in Xerces, so we should have no problems there. All said and done, it should behave exactly the same as it did before the rewrite. Otherwise I would say the project is a failure. It may take a while since I will be doing this in my spare time, but I think it would be an interesting, fun little project with good learning potential. I will probably have a ton of questions and may need a bit of assistance. I hope that's OK. Cheers!
-
Hello, I have been tasked with eliminating CVE-2012-0881 and CVE-2013-4002 from our automated vulnerability report, which I have traced down to a Xerces dependency brought in from this project.
While Xerces was the de facto XML parser for quite a long time, it has been considered somewhat deprecated (IMHO) since Java 1.8, and it is now suggested to use the built-in implementation of JAXP provided by the JRE. I've taken a quick peek at the code and see that Xerces is referenced directly, so replacing it to use standard APIs may take a bit of work, which I would be willing to assist with.
If replacing Xerces is impractical, please consider pinning `xerces:xercesImpl:2.12.2` or later to address open vulnerabilities. Upgrading to the newer JAXP API would still be advisable in this case, for future-proofing reasons. Please also understand that I'm not an expert on this topic, so I could be mistaken about any or all of these claims.
Sources
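To make concrete what "use the JRE's built-in JAXP implementation instead of referencing Xerces directly" looks like in practice, here is an added example. It is not code from Nokogiri, from the Java extension discussed above, or from anyone in this thread; the class and method names are hypothetical, it assumes Java 9 or later (for `DocumentBuilderFactory.newDefaultInstance()`), and the two XML inputs are constructed for the demonstration. It also shows the runtime check a practitioner would want after the swap: confirming which factory class JAXP actually resolved to, since a `xercesImpl` jar left on the classpath can otherwise be picked up silently.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Hypothetical class name; not part of Nokogiri. Requires Java 9+ for newDefaultInstance(). */
public final class JrePlatformXmlParser {

    /**
     * Builds a DocumentBuilder from the JRE's bundled JAXP implementation.
     * newDefaultInstance() skips the ServiceLoader / system-property lookup that
     * newInstance() performs, so a xercesImpl jar that is still on the classpath
     * (for example pulled in transitively) cannot silently become the parser.
     * No org.apache.xerces.* type is referenced anywhere in this class.
     */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newDefaultInstance();
        f.setNamespaceAware(true);
        // Turns on the JDK parser's entity-expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no internal DTD subset, no external
        // entities, no entity-expansion blowups. The JDK's built-in parser is a
        // fork of Xerces, so it understands the apache.org feature URIs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for any code path that later re-enables DOCTYPE support.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses UTF-8 XML text into a DOM Document using the hardened builder. */
    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return newHardenedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Class name of the factory JAXP resolved to, for a runtime sanity check. */
    public static String factoryImplementation() {
        return DocumentBuilderFactory.newDefaultInstance().getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        // With the JRE default this prints a com.sun.org.apache.xerces.internal.* class;
        // an org.apache.xerces.* name would mean the standalone xercesImpl jar is in use.
        System.out.println("JAXP factory: " + factoryImplementation());

        // Constructed sample input, not from the thread.
        String plain = "<?xml version=\"1.0\"?><root><item id=\"1\">hello</item></root>";
        Document doc = parse(plain);
        System.out.println("root element: " + doc.getDocumentElement().getTagName());

        // Constructed sample input carrying a DOCTYPE that declares an external entity.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE x [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
                + "<x>&ext;</x>";
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected as configured: " + e.getMessage());
        }
    }
}
```

Two caveats worth keeping in mind. On Java 8, where `newDefaultInstance()` does not exist, the equivalent is `DocumentBuilderFactory.newInstance("com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl", null)`, which likewise bypasses the classpath lookup. And the JDK parser accepts the `apache.org` feature URIs only because it is a fork of Xerces; the hardening above is therefore portable between the two, but the `disallow-doctype-decl` setting is stricter than what a general-purpose library such as Nokogiri can impose on every caller, so a library port would expose these as options rather than hard-code them.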