CycloneDX / cyclonedx-core-java

CycloneDX SBOM Model and Utils for Creating and Validating BOMs
https://cyclonedx.org/
Apache License 2.0

Fix possible XXE during XML schema version detection #434

Closed mr-zepol closed 3 months ago

mr-zepol commented 3 months ago

During some testing, it was found that the parser for XML was vulnerable to XML External Entity (XXE) processing.

After further investigation from the Sonatype team, it was found that it was due to the XPath processing done to get the schema version.

mr-zepol commented 3 months ago

Hey @nscuro, for some reason I can't reply to your last comment. I can do this in a new PR; I want to focus this one on the fix, and then we can add the option to set them on DocumentBuilderFactory, but to be honest I find it useless: this is not to parse the file, this is to get the schema version; the actual processing is done with Jackson.
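As an added illustration of the hardening discussed in the description and in the comment above (not code from this PR or from cyclonedx-core-java), the following shows a schema-version lookup via XPath on a DocumentBuilderFactory that has DTDs and external entities disabled; the class name, the sample BOM and the rejected DOCTYPE input are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Hypothetical helper, not part of the library: detects the BOM schema namespace
// without ever resolving a DTD or an external entity.
public class SafeSchemaVersionDetector {

    private static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no DTD means no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // Returns the namespace URI of the root element, which for CycloneDX encodes the schema version.
    public static String detectSchemaNamespace(InputStream xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(xml);
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (String) xpath.evaluate("namespace-uri(/*[local-name()='bom'])", doc, XPathConstants.STRING);
    }

    public static void main(String[] args) throws Exception {
        String bom = "<?xml version=\"1.0\"?><bom xmlns=\"http://cyclonedx.org/schema/bom/1.5\" version=\"1\"/>";
        System.out.println(detectSchemaNamespace(new ByteArrayInputStream(bom.getBytes(StandardCharsets.UTF_8))));

        // Constructed input with a (harmless, internal-only) DOCTYPE: the hardened factory refuses it.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE bom [<!ENTITY x \"y\">]><bom>&x;</bom>";
        try {
            detectSchemaNamespace(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first call prints the 1.5 namespace; the second is rejected before any entity can be resolved, which is the behaviour a version probe should have regardless of whether the full document is later parsed by Jackson.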

jkowalleck commented 3 months ago

fixes https://github.com/CycloneDX/cyclonedx-core-java/security/advisories/GHSA-683x-4444-jxh8