Explore replacements for Xalan-J #1829
Comments
|
I don't believe there's been much forward momentum on this, but another motivator to make a move came up recently in the form of a CVE for Xalan: The comment here asks whether we might be able to transition (at least) to the shipping Xalan in OpenJDK, to which the answer is "probably": https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qwq9-89rg-ww72#advisory-comment-74545 In any case this should probably be addressed sooner than later since Xalan-J has been EOL for many years now, and is only being maintained in JDK as part of JDK. Saxon may be the best path forward, but using the JDK Xalan may be a short-term way to avoid the super-stale external version. |
|
@headius Thanks for commenting. I may need help with the mechanics of switching to the OpenJDK version of Xalan. I've got a branch where I've updated the package paths, but there are a few places where the API has changed that I need to work through. I'll push it shortly. |
|
I've created a draft PR migrating to the JDK Xalan that needs help to get unstuck: #2632 |
@headius so the only downside is we will need to add-opens the internal |
|
#2632 is a PR that @kares and I collaborated on to try to move Nokogiri away from upstream Xalan to using the JDK internal packages. Unfortunately, relying on JDK internals doesn't seem to work well (at least not without a bit more work and potentially breaking changes). Java 17 disallows usage of internals with this error: In @kares's words:
The only other option that's been suggested is porting to Saxon. I'm not comfortable enough with these libraries to estimate how much effort that would be. Does anybody here want to hazard a guesstimate? Are there any other options (to Xalan-J) we haven't considered? |
|
👍 and just to clarify:
I guess ~ 80% should be easy but than there's a lot of internals used which might be impossible -> rewriting those parts with Saxon specific APIs. My raw guess would be 10 work days. |
|
Are these illegal accesses from using reflection to dig inside Xalan? If so we might be able to reduce these by being less invasive, but perhaps that would hinder compatibility. Moving to a supported external library like Saxon would definitely be the best option long term, but I agree with @kares it would involve at least a week or two of work. |
From what we've bumped into so far it was not reflection - simply using Xalan's classes (from the |
|
I think the flag we'd want is I am not familiar with the Xalan-related code in Nokogiri... is there a reason we can't just use the published XSLT APIs? Can one of you point out some example code that requires direct access to Xalan? |
|
Poking around outside of Xalan, it really seems like Saxon is the only game in town, and for sure if you want XSL 2.0 or 3.0 support. Given the lifecycle of Xalan and the inaccessibility of the JDK version, I think we will need to bite the bullet and move to Saxon sooner or later. |
|
FWIW, seems our ASF friends did cut a Xalan-J |
See #1760 for more context.
The JRuby implementation of Nokogiri uses Xalan-J for XSLT support, but this thread reveals that development (and likely support) has stalled on that project.
A potential replacement, noted in the thread linked above, is Saxon. There may be other potential replacements as well.
The outcome intended for this issue is to do some exploration of replacing Xalan-J:
Tagging @jvshahid and @kares for visibility
The text was updated successfully, but these errors were encountered: