Open OrangeDog opened 2 years ago
Thanks!
When you make this change, I think you can also remove the xalan dependency from this project; it seems to have been added to upversion esapi's transitive dependency on xalan. esapi 2.3 no longer has a xalan dependency, so after this esapi update this project brings xalan in unnecessarily, which may trigger a different CVE warning in scans.
CVE-2022-23457 has a 9.8 CRITICAL severity. These changes should be considered.
@natrajms this project is unmaintained, so they're not going to do it. I've left instructions here for how to do it yourself.
2.3.0.0 has the fix, but also a breaking change. To get it to work, you need to bypass opensaml's attempt to configure it. Here is one method:

1. Set `org.owasp.esapi.SecurityConfiguration` to `org.owasp.esapi.reference.DefaultSecurityConfiguration`.
2. Provide `ESAPI.properties` (in one of various possible locations, including working directory and classpath). The minimal required content is below.

Or set any other implementation of `org.owasp.esapi.SecurityConfiguration` to provide the necessary properties.
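As an added illustration of the workaround above (example code written for this page, not code from the commenter or from this project), the following Java class selects `DefaultSecurityConfiguration` through the `org.owasp.esapi.SecurityConfiguration` system property and then verifies which implementation ESAPI actually resolved. The class name, the `selectDefaultConfiguration`/`usesDefaultConfiguration` helpers, and the assumption that the property must be set before ESAPI is first used are mine; the `ESAPI.properties` file the comment refers to is not reproduced on this page, so the example assumes one is already present in a location ESAPI searches.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.reference.DefaultSecurityConfiguration;

/**
 * Hypothetical helper (not part of this project) showing one way to apply
 * the workaround: point ESAPI at DefaultSecurityConfiguration and check
 * that the override actually took effect before the application continues.
 */
public final class EsapiConfigCheck {

    // System property ESAPI consults when choosing its SecurityConfiguration.
    static final String ESAPI_CONFIG_PROPERTY = "org.owasp.esapi.SecurityConfiguration";

    private EsapiConfigCheck() {
    }

    /**
     * Select the stock implementation. Assumption: this has to happen before
     * the first use of ESAPI (including OpenSAML's own bootstrap), otherwise
     * ESAPI may already have been initialised with another configuration.
     */
    public static void selectDefaultConfiguration() {
        System.setProperty(ESAPI_CONFIG_PROPERTY, DefaultSecurityConfiguration.class.getName());
    }

    /**
     * Report whether ESAPI resolved to DefaultSecurityConfiguration.
     * DefaultSecurityConfiguration reads ESAPI.properties when constructed,
     * so this call also surfaces a missing or unreadable properties file.
     */
    public static boolean usesDefaultConfiguration() {
        SecurityConfiguration cfg = ESAPI.securityConfiguration();
        return cfg instanceof DefaultSecurityConfiguration;
    }

    public static void main(String[] args) {
        selectDefaultConfiguration();

        // Application / OpenSAML bootstrap would normally run here.

        if (!usesDefaultConfiguration()) {
            throw new IllegalStateException("ESAPI is using "
                    + ESAPI.securityConfiguration().getClass().getName()
                    + " instead of " + DefaultSecurityConfiguration.class.getName());
        }
        System.out.println("ESAPI SecurityConfiguration: "
                + ESAPI.securityConfiguration().getClass().getName());
    }
}
```

Run it with ESAPI 2.3.0.0 on the classpath and an `ESAPI.properties` in one of the locations the comment mentions; if the check throws, either the property was set too late or another component re-initialised ESAPI with its own configuration.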