
The 【jdom2】 has not been maintained for a long time, please consider replacing it for security reason #455

Closed
MoonLord-LM opened this issue Sep 17, 2020 · 13 comments

Comments

@MoonLord-LM

https://mvnrepository.com/artifact/com.rometools/rome/1.15.0
https://mvnrepository.com/artifact/org.jdom/jdom2

@MoonLord-LM
Author

The 【jdom2】 has not been maintained for a long time.
Please consider replacing it for security reason.

The latest version of 【jdom2】 is 2.0.6.
This is released in 2015.
It is too old.

@MoonLord-LM MoonLord-LM changed the title The 【jdom2】 has not been maintained for a long time, please consider replacing it for security probL The 【jdom2】 has not been maintained for a long time, please consider replacing it for security reason Sep 19, 2020
@neroux
Contributor

neroux commented Jan 21, 2021

It is too old.

What is that supposed to mean?

for security reason.

Could you link to any security issues of that library?

@MoonLord-LM
Author

In our company, we are advised not to use open source software that has not been maintained for too long.
I think it makes sense.
This software has not had a CVE revealed, maybe just because no one uses it; it does not mean it is safe.

@neroux
Contributor

neroux commented Jan 21, 2021

Sorry, but that would be speculation. Software does not stop working just because there haven't been updates in a while.

If you could point out security issues in it, that would be somewhat of an argument, otherwise it's still perfectly fine.

@MoonLord-LM
Author

Anyway, I still suggest using the Java standard API and removing the jdom2.
Consider replacing it for maintenance compatibility, maybe.

https://en.wikipedia.org/wiki/Java_API_for_XML_Processing

@shark-horse

Vulnerability mentioned in the linked issue above (#469) is https://nvd.nist.gov/vuln/detail/CVE-2021-33813.

@PatrickGotthard
Member

Hi,

I've just released a new version that includes a jdom update.

Regards,
Patrick

@Brummolix

I know that this issue is already closed.
Still, I would agree with the original poster.
I guess in the longer term you will run into problems with JDOM as the maintenance state is not clear.

For the last CVE (hunterhacker/jdom#189) the time to fix the CVE was about half a year! (issue 2021/06/24, mvn release 2021/12/08)

See also the discussions under https://markmail.org/search/list:org.jdom.interest#query:list%3Aorg.jdom.interest+page:1+mid:c4tvshivjq3afbhy+state:results or https://markmail.org/search/list:org.jdom.interest#query:list%3Aorg.jdom.interest+page:1+mid:tns7fj3glqhyfryw+state:results; there seem to be some serious problems with the original JDOM developers not being available.

Therefore I would also suggest thinking about replacing JDOM.

@neroux
Contributor

neroux commented Jan 4, 2022

Still, I would agree with the original poster.

I'd still stand by my earlier statement

Software does not stop working just because there haven't been updates in a while.

But that

For the last CVE the time to fix the CVE was about half a year!

certainly is a valid objection. Should you consider replacing it I'd propose https://lagarto.jodd.org. @igr is rather active and quick with fixes :)

@PatrickGotthard
Member

Sorry, but replacing JDOM would effectively mean to rewrite the entire library - and that's not possible due to the lack of active developers.

@antoniosanct
Contributor

antoniosanct commented Mar 12, 2022

Hi, @PatrickGotthard !

Is it possible to replace JDOM2 with the standard JDK DOM implementation? Would it be a nice opportunity if I told you that I've partially finished this task? Please create a separate branch from master and (if you want) discuss with everybody some aspects like invalid tests (because they are not necessary anymore) or the child navigation replaced from JDOM2 to JDK.

FYI, I've finished rome-core, rome-opml and 60% of rome-modules.

Regards,

Antonio.

@igr

igr commented Mar 14, 2022

and that's not possible due to the lack of active developers.

Does this make Rome... err... replaceable?

(just giving a perspective, not starting a flame war - keep up a good work :)

@PatrickGotthard
Member

Hi @igr,

I try my best to keep all Rome dependencies up to date and to merge incoming pull requests, but currently the library is not actively developed.

I try to clean up the code, overhaul the documentation and release Rome 2, but I have no ETA when it will be finished.

Regards,
Patrick
