-1

Currently I am using JDK 1.8. I need to know what JAXP version is available. To avoid a Sonar violation, I am trying to set the properties below, which results in "org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized."

```java
SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
```

I am referring to https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#schemafactory. I also checked many blogs stating that JAXP version 1.5 and above should support this. Any suggestion will help me to debug further.

  • “javax” is not a product, and has no version. See [*javax vs java package*](https://stackoverflow.com/q/727844/642706) and the [tutorial by Oracle](https://docs.oracle.com/javase/tutorial/java/package/index.html). – Basil Bourque Apr 03 '22 at 16:00

1 Answer

1

There is no such thing as a "javax version". You have misread the page you linked to. What it actually says is:

> Note: Use of the following XMLConstants requires JAXP 1.5, which was added to Java in 7u40 and Java 8:

JAXP != javax

JAXP 1.5 actually refers to a specification. And as stated in the text I just quoted, Java 8 supports the relevant features of the JAXP 1.5 specification.


So if you want to use the constants listed in the OWASP cheatsheet, you need to build your code for Java 7u40 or Java 8 or later, and run it on a JVM that provides a JAXP 1.5 or later implementation.

(In fact Java 8 supports JAXP 1.6 ... according to https://docs.oracle.com/javase/8/docs/technotes/guides/xml/jaxp/index.html)


If you are getting runtime errors saying that those properties are not supported, that implies that you have configured your application to use an XML implementation (provider) that doesn't support JAXP 1.5. But you haven't said anything about that ...

It is possible that these Q&As are relevant:

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • Thanks, currently I am using Java 8; how do I find the JAXP version? – Kamalashree Sundar Apr 03 '22 at 17:27
  • The JAXP version of the standard XML provider in Java 8 is 1.6. But it looks like your application is using a different version. See https://stackoverflow.com/questions/1798366 – Stephen C Apr 03 '22 at 23:06
  • I already tried this; I get it as "loaded from Java Runtime", and I am not able to find the version. Is there any way I can explicitly specify in the pom file to fetch the JAXP 1.5 version? – Kamalashree Sundar Apr 04 '22 at 02:40
  • Before you do that, tell us everything that Daniel Fortunov's code outputs. `return MessageFormat.format("Using JAXP implementation ''{0}'' ({1}) version {2} ({3}){4}", p.getName(), p.getImplementationVendor(), p.getSpecificationVersion(), p.getImplementationVersion(), source == null ? "." : " loaded from: " + source.getLocation());` – Stephen C Apr 04 '22 at 02:45
  • It prints to - Using JAXP implementation 'org.apache.xerces.jaxp.validation' (null) version null (null) loaded from: file:/opt/oss/NSN-idk/apache-servicemix-3.4.0/lib/xercesImpl-2.8.1.jar – Kamalashree Sundar Apr 04 '22 at 07:32
  • Right ... so you need a different implementation because Xerces 2.8.1 does not support JAXP 1.5. In fact, from what I can make out even the most recent version of Xerces doesn't support it. – Stephen C Apr 04 '22 at 09:58
  • Thanks for your response. We need to add this for Sonar purposes. Is there any way to check if this is valid before setting the property `schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")`, so that it works when upgraded to a higher version of Java 9 or above which packages JAXP 1.5, and for a lower version the property will not be set and no Sonar violation will be raised? – Kamalashree Sundar Apr 04 '22 at 14:29
  • You are missing the point. If you want to fix the Sonar warning you have to change your app's dependencies so that it does not (directly or indirectly) depend on Xerces. Then you will be able to use those constants without runtime errors. The other option is to take the risk and ignore the Sonar warnings. I do not think there is a third option. – Stephen C Apr 04 '22 at 14:36
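As an added example that is not part of the question or the answer above: a helper that applies the two OWASP-recommended JAXP 1.5 properties to a `SchemaFactory` and, when the loaded provider rejects them (as Xerces 2.8.1 does here), fails at startup with a message naming the provider class and the jar it was loaded from, instead of silently skipping the hardening. The class and method names are my own; it needs Java 8 or later to compile against `XMLConstants.ACCESS_EXTERNAL_DTD`.

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

public class HardenedSchemaFactory {

    /** Report which JAXP provider class backs the factory and where it was loaded from. */
    static String describeProvider(Object factory) {
        Class<?> c = factory.getClass();
        Package p = c.getPackage();
        // Classes from the JDK's built-in provider have no CodeSource (null), which is
        // what "loaded from Java Runtime" in the diagnostic output above corresponds to.
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return c.getName()
                + " (spec " + (p == null ? null : p.getSpecificationVersion())
                + ", impl " + (p == null ? null : p.getImplementationVersion()) + ")"
                + (src == null ? " loaded from the Java runtime"
                               : " loaded from " + src.getLocation());
    }

    /**
     * Build a SchemaFactory that refuses to fetch external DTDs and schemas.
     * If the provider cannot enforce that, fail closed: throw rather than
     * return a factory that would still resolve external references.
     */
    static SchemaFactory newHardenedSchemaFactory() {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        try {
            // Empty string = no protocols allowed for external access (JAXP 1.5).
            f.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new IllegalStateException(
                "XML provider does not support the JAXP 1.5 access-restriction properties; "
                + "fix the classpath/dependencies. Provider: " + describeProvider(f), e);
        }
        return f;
    }

    public static void main(String[] args) {
        SchemaFactory f = newHardenedSchemaFactory();
        System.out.println("Hardened SchemaFactory ready: " + describeProvider(f));
    }
}
```

Running this on the classpath described in the comments would throw and name the `xercesImpl-2.8.1.jar` location, which is the dependency to remove; on a plain Java 8 runtime it succeeds with the built-in provider.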