CoreNLP
Switching from Xalan to a secure alternative
CoreNLP uses xalan:xalan as a dependency in the latest version, which has several known vulnerabilities. As that project is deprecated, no fix will be provided.
It is advisable to switch to an alternative that is still being maintained. One alternative is Saxon XSLT, as it seems to be the successor of the Xalan project.
Any update, team, on this? This is critical from a vulnerabilities perspective.
Is this because of xom? I don't think we use xalan directly.
[john@localhost CoreNLP]$ find src -name "*java" -exec grep -H --ignore-case "xalan" "{}" ";"
[john@localhost CoreNLP]$
If so, please see: https://github.com/stanfordnlp/CoreNLP/issues/1264
I hope to make a new release end of next week or start of the week after. There are a couple other changes I need to discuss with my PI, and I don't think we'll meet until then. In the meantime, you can compile from the dev branch if this is critical
Thank you John
Appreciate your quick response on this.
Thanks & Regards, Afrina Alam, Senior Product Architect, IBM Services
(Replying to John Bauer's comment of Wednesday, 11 January 2023 on issue #1302, quoted above.)
4.5.2 now has an updated xom dependency. Would you check that it meets your needs?
After reading those comments, I excluded xalan from my dependency. Now it's not showing anymore.
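The exclusion the previous commenter describes, written out as an added Maven example (this is not the commenter's or the CoreNLP project's own build file). `edu.stanford.nlp:stanford-corenlp` are the project's published Maven coordinates; the version (4.5.2, the release named later in this thread) and the `xalan:serializer` companion exclusion are assumptions for your own build:

```xml
<!-- Added example, not the CoreNLP project's pom.xml.
     xalan:xalan is not used by CoreNLP's own sources (the grep above found nothing);
     it arrives transitively through xom, so drop it at the CoreNLP dependency. -->
<dependency>
  <groupId>edu.stanford.nlp</groupId>
  <artifactId>stanford-corenlp</artifactId>
  <!-- assumption: pick the release you actually ship -->
  <version>4.5.2</version>
  <exclusions>
    <!-- the transitive artifact flagged by the scanner -->
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
    </exclusion>
    <!-- assumption: xalan's companion artifact, excluded if your tree pulls it in -->
    <exclusion>
      <groupId>xalan</groupId>
      <artifactId>serializer</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Confirm the exclusion took effect with `mvn dependency:tree -Dincludes=xalan`, which should print no matching nodes afterwards. Two caveats: a later comment in this thread notes that SUTime expects an XSLT implementation, so exercise that code path after excluding; with Xalan absent, `javax.xml.transform.TransformerFactory` falls back to the XSLT processor bundled in the JDK, which is what SUTime will then get.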
Seems like xalan is still being included as a dependency in xom 1.3.8. xom released 1.3.9, which removes the xalan dependency entirely. Please update to xom 1.3.9.
This is already a thing in our dev branch:
https://github.com/stanfordnlp/CoreNLP/commit/c8772b740dbde0e50a1f4cbc941b368710c9de16
We will make a new release with the update in a few weeks. There is some cleanup work to be done on a previous project which used CoreNLP that we want to release at the same time.
They wound up releasing a new Xalan a few months back, and we found that there was something specifically in SUTime which expected XSLT, so we just kept it with the bugfix version of Xalan for the latest CoreNLP release. If this is still unsatisfactory, please let us know.