Update dependency org.xmlunit:xmlunit-core to v2.10.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.xmlunit:xmlunit-core (source)	2.8.3 -> 2.10.0

GitHub Vulnerability Alerts

CVE-2024-31573

Impact

When performing XSLT transformations XMLUnit for Java did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Patches

Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed by means of xmlunit/xmlunit@b81d48b

Workarounds

XMLUnit's main use-case is performing tests on code that generates or processes XML. Most users will not use it to perform arbitrary XSLT transformations.

Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes. The required setFactory or setTransformerFactory methods have been available since XMLUnit for Java 2.0.0.

References

Bug Report
JAXP Security Guide

---

Release Notes

xmlunit/xmlunit (org.xmlunit:xmlunit-core)

v2.10.0

Compare Source

• add a new ElementSelectors.byNameAndAllAttributes variant that filters attributes before deciding whether elements can
  be compared.
  Inspired by Issue #​259

• By default the TransformerFactorys created will now try to disable extension functions. If you need extension
  functions for your transformations you may want to pass in your own instance of TransformerFactory and
  TransformerFactoryConfigurer may help with that.
  Inspired by Issue #​264
  This is tracked as CVE-2024-31573.

• JAXPXPathEngine will now try to disable the execution of extension functions by default but uses
  XPathFactory#setProperty which is not available prior to Java 18. You may want to enable secure processing on an
  XPathFactory instance you pass to JAXPXPathEngine instead - and XPathFactoryConfigurer may help with that.

v2.9.1

Compare Source

• fixed some AssertJ tests that didn't work on Windows.
  Issue #​252 and PR
  #​253 by
  @​Boiarshinov

• added overloads to ElementSelectors.byXPath that accept a XPathEngine
  argument.
  Issue #​255

• added Cyclone DX SBOMs to release artifacts

v2.9.0

Compare Source

• added a new module xmlunit-jakarta-jaxb-impl that makes
  Input.fromJaxb use jakarta.xml.bind rather than
  javax.xml.bind. For more details see the User's
  Guide.

  This change is not fully backwards compatible. The JaxbBuilder
  class has become abstract and the withMarshaller method has
  changed its signature. For most cases the change will not be noticed
  and for almost all other cases it should be enough to re-compile
  your code against XMLUnit 2.9.x.

  Issue #​227 and PR
  #​247

• added NodeFilters#satisfiesAll and satifiesAny methods to make
  it easier to combine multiple node filters.
  added to simplify the use case of #​249

v2.8.4

Compare Source

• improved comparison performance for documents with many siblings
  based on a suggestion by @​gerpres made
  in #​236

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.