Open deegree-ci opened 5 years ago
There are PRs #1262 and #1263 to resolve the known security issue CVE-2020-11987 in Apache Batik < 1.14 (deegree uses 1.7). Users are advised to verify that their installations are not affected by this vulnerability and may consider disabling SVG support (https://download.deegree.org/documentation/current/html/#_advanced_symbolization).
The following classes do have references to Apache Batik:
using the following types of Batik API:
import org.apache.batik.dom.GenericDOMImplementation;
import org.apache.batik.svggen.SVGGraphics2D;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.bridge.BridgeContext;
import org.apache.batik.bridge.DocumentLoader;
import org.apache.batik.bridge.GVTBuilder;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.bridge.UserAgentAdapter;
import org.apache.batik.dom.svg.SAXSVGDocumentFactory;
import org.apache.batik.gvt.GVTTreeWalker;
import org.apache.batik.gvt.GraphicsNode;
import org.apache.batik.gvt.RootGraphicsNode;
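A quick way to do the verification the issue asks for is to list the Batik jars shipped in a deegree webapp and flag every one below 1.14. This is an added example, not code from the issue or the deegree project; it assumes the jars follow the usual Maven naming (batik-<artifact>-<version>.jar) and live in the webapp's WEB-INF/lib directory, and the sample listing is constructed.

```python
"""Flag Apache Batik jars older than 1.14 (CVE-2020-11987) in a deegree webapp.

Added example, not part of the deegree issue or project. Assumes Maven-style
jar names such as batik-svggen-1.7.jar; the sample listing below is constructed.
"""
import re
from pathlib import Path

# Batik < 1.14 is affected (as stated in the issue); versions compare as tuples.
FIXED_VERSION = (1, 14)
JAR_PATTERN = re.compile(
    r"^batik-(?P<artifact>[a-z0-9-]+?)-(?P<version>\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$"
)


def parse_version(text):
    """'1.7' -> (1, 7); '1.14.0' -> (1, 14, 0). Tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def batik_jar_info(jar_name):
    """Return (artifact, version_tuple) for a Batik jar name, or None for other jars."""
    m = JAR_PATTERN.match(jar_name)
    if not m:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def is_affected(version):
    """True when the version is below 1.14, i.e. predates the fix."""
    return version < FIXED_VERSION


def find_vulnerable_jars(jar_names):
    """Return the sorted names of Batik jars that are below 1.14."""
    hits = []
    for name in jar_names:
        info = batik_jar_info(name)
        if info is not None and is_affected(info[1]):
            hits.append(name)
    return sorted(hits)


def scan_lib_dir(lib_dir):
    """Scan a directory such as <webapp>/WEB-INF/lib and return affected jar names."""
    names = [p.name for p in Path(lib_dir).iterdir() if p.is_file()]
    return find_vulnerable_jars(names)


# Constructed sample: a mixed WEB-INF/lib listing, not taken from a real deployment.
SAMPLE_LIB = [
    "batik-svggen-1.7.jar", "batik-transcoder-1.7.jar", "batik-bridge-1.7.jar",
    "batik-anim-1.14.jar", "xmlgraphics-commons-1.5.jar", "deegree-core-base-3.4.jar",
]

if __name__ == "__main__":
    for jar in find_vulnerable_jars(SAMPLE_LIB):
        print(f"affected (Batik < 1.14): {jar}")
```

Run `scan_lib_dir("/path/to/deegree-webservices/WEB-INF/lib")` against a real deployment; an empty result means no Batik jar below 1.14 was found by name, which does not cover Batik classes repackaged into other jars.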
@copierrj suggestion for batik replacement: https://www.jfree.org/jfreesvg/
Another alternative could be the library https://github.com/blackears/svgSalamander
@tfr42: deegree currently uses Apache Batik for SVG support. We need a lightweight replacement for Apache Batik.