Document the resolver floor in the threat model

Installing a resolver no longer removes the hardening: the floor wraps
the caller's resolver instead of being replaced. Reflect that across the
threat model.

Add a "Resolvers" entry under the settings a caller may modify, listing
the typed set*Resolver methods, the DefaultHandler passed to
SAXParser.parse, and the StAX resolver properties (javax.xml.stream.resolver
and the com.ctc.wstx.*Resolver keys), with the caveat that the installed
resolver must resolve every resource the caller needs, since the floor
denies or ignores whatever it leaves unresolved.

Move the Woodstox resolver properties out of the reserved list, correct
the reserved-section note that previously called installing a resolver a
loosening, and reframe the out-of-scope entry to the remaining caller
responsibility: a resolver that resolves an untrusted resource fetches
it. The raw Xerces internal entity-resolver property stays reserved, as
the typed setter override does not wrap it.

Assisted-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 file changed
tree: 9b93f00a1beb951eda5c66212fef7c9408d50591
  1. .github/
  2. android-tests/
  3. src/
  4. .asf.yaml
  5. .gitattributes
  6. .gitignore
  7. AGENTS.md
  8. CODE_OF_CONDUCT.md
  9. CONTRIBUTING.md
  10. LICENSE.txt
  11. NOTICE.txt
  12. pom.xml
  13. README.md
  14. RELEASE-NOTES.txt
  15. SECURITY.md
README.md

Apache Commons XML

Java CI Maven Central Javadocs CodeQL OpenSSF Scorecard

Apache Commons XML provides secure-by-default JAXP factory creation, abstracting over implementation-specific XXE hardening differences between the stock JDK and external JAXP implementations (Android, Apache Xalan, Apache Xerces, Woodstox, Saxon-HE).

Documentation

More information can be found on the Apache Commons XML homepage. The Javadoc can be browsed. Questions related to the usage of Apache Commons XML should be posted to the user mailing list.

Getting the latest release

You can download source and binaries from our download page.

Alternatively, you can pull it from the central Maven repositories:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-xml</artifactId>
  <version>0.1.0</version>
</dependency>

Building

Building requires a Java JDK and Apache Maven. The required Java version is found in the pom.xml as the maven.compiler.source property.

From a command shell, run mvn without arguments to invoke the default Maven goal to run all tests and checks.

Contributing

We accept Pull Requests via GitHub. The developer mailing list is the main channel of communication for contributors. There are some guidelines which will make applying PRs easier for us:

  • No tabs! Please use spaces for indentation.
  • Respect the existing code style for each file.
  • Create minimal diffs - disable on save actions like reformat source code or organize imports. If you feel the source code should be reformatted create a separate PR for this change.
  • Provide JUnit tests for your changes and make sure your changes don't break any existing tests by running mvn.
  • Before you push a PR, run mvn (without arguments). This runs the default goal which contains all build checks.
  • To see the code coverage report, regardless of coverage failures, run mvn clean site -Dcommons.jacoco.haltOnFailure=false -Pjacoco

If you plan to contribute on a regular basis, please consider filing a contributor license agreement. You can learn more about contributing via GitHub in our contribution guidelines.

License

This code is licensed under the Apache License v2.

See the NOTICE.txt file for required notices and attributions.

Donating

You like Apache Commons XML? Then donate back to the ASF to support development.

Additional Resources

Apache Commons Components