From 5567233ba3babb78b27bd3149f1193741ad5a743 Mon Sep 17 00:00:00 2001 From: nscuro Date: Sat, 22 Jun 2024 18:48:18 +0200 Subject: [PATCH] Drop dependency on outdated `xerces` `xerces` does not support the `http://javax.xml.XMLConstants/property/accessExternalDTD` property that `cyclonedx-core-java` is using: ``` java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) at org.cyclonedx.parsers.XmlParser.createSecureDocument(XmlParser.java:339) at org.cyclonedx.parsers.XmlParser.extractAllNamespaceDeclarations(XmlParser.java:310) at org.cyclonedx.parsers.XmlParser.identifySchemaVersion(XmlParser.java:296) at org.cyclonedx.parsers.XmlParser.parse(XmlParser.java:97) ``` The remaining code relying on `xerces` turned out to be unused, and was consequently removed as well. Signed-off-by: nscuro --- pom.xml | 13 ---- .../org/dependencytrack/util/XmlUtil.java | 73 +------------------ 2 files changed, 2 insertions(+), 84 deletions(-) diff --git a/pom.xml b/pom.xml index 717cbe0d05..54b790f9ac 100644 --- a/pom.xml +++ b/pom.xml @@ -338,19 +338,6 @@ ${lib.cloud-sql-connector-jdbc-sqlserver.version} - - - xerces - xercesImpl - 2.12.2 - - - xml-apis - xml-apis - - - - org.apache.commons commons-compress diff --git a/src/main/java/org/dependencytrack/util/XmlUtil.java b/src/main/java/org/dependencytrack/util/XmlUtil.java index 2bb2f549a9..beb4f9bb2d 100644 --- a/src/main/java/org/dependencytrack/util/XmlUtil.java +++ b/src/main/java/org/dependencytrack/util/XmlUtil.java @@ -18,83 +18,14 @@ */ package org.dependencytrack.util; -import org.xml.sax.SAXException; -import org.xml.sax.SAXNotRecognizedException; -import org.xml.sax.SAXNotSupportedException; - import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; -import javax.xml.parsers.SAXParser; -import javax.xml.parsers.SAXParserFactory; -import java.io.InputStream; - -import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_LANGUAGE; - -import static org.apache.xerces.jaxp.JAXPConstants.JAXP_SCHEMA_SOURCE; -import static org.apache.xerces.jaxp.JAXPConstants.W3C_XML_SCHEMA; - public final class XmlUtil { - private XmlUtil() { } - - /** - * Constructs a validating secure SAX Parser. - * - * @param schemaStream One or more inputStreams with the schema(s) that the - * parser should be able to validate the XML against, one InputStream per - * schema - * @return a SAX Parser - * @throws javax.xml.parsers.ParserConfigurationException is thrown if there - * is a parser configuration exception - * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an - * unrecognized feature - * @throws org.xml.sax.SAXNotSupportedException thrown if there is a - * non-supported feature - * @throws org.xml.sax.SAXException is thrown if there is a - * org.xml.sax.SAXException - */ - public static SAXParser buildSecureSaxParser(InputStream... schemaStream) throws ParserConfigurationException, - SAXNotRecognizedException, SAXNotSupportedException, SAXException { - final SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setValidating(true); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - factory.setFeature("http://xml.org/sax/features/external-general-entities", false); - factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false); - factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - System.setProperty("javax.xml.accessExternalSchema", "file, https"); - - final SAXParser saxParser = factory.newSAXParser(); - saxParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA); - saxParser.setProperty(JAXP_SCHEMA_SOURCE, schemaStream); - return saxParser; - } - - /** - * Constructs a secure SAX Parser. - * - * @return a SAX Parser - * @throws javax.xml.parsers.ParserConfigurationException thrown if there is - * a parser configuration exception - * @throws org.xml.sax.SAXNotRecognizedException thrown if there is an - * unrecognized feature - * @throws org.xml.sax.SAXNotSupportedException thrown if there is a - * non-supported feature - * @throws org.xml.sax.SAXException is thrown if there is a - * org.xml.sax.SAXException - */ - public static SAXParser buildSecureSaxParser() throws ParserConfigurationException, - SAXNotRecognizedException, SAXNotSupportedException, SAXException { - final SAXParserFactory factory = SAXParserFactory.newInstance(); - factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - factory.setFeature("http://xml.org/sax/features/external-general-entities", false); - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - return factory.newSAXParser(); + private XmlUtil() { } /** @@ -102,7 +33,7 @@ public static SAXParser buildSecureSaxParser() throws ParserConfigurationExcepti * * @return a new document builder * @throws javax.xml.parsers.ParserConfigurationException thrown if there is - * a parser configuration exception + * a parser configuration exception */ public static DocumentBuilder buildSecureDocumentBuilder() throws ParserConfigurationException { final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();