Volker Voßkämper

There is already a new release adressing this issues.

Release notes - JasperStarter - Version 3.6.1 ** Bug * JAS-160 log4j 2.16.0 is vulnerable to CVE-2021-45105 Release notes - JasperStarter - Version 3.5.2-java7 ** Bug * JAS-160 log4j 2.16.0 is vulnerable to CVE-2021-45105

Release notes - JasperStarter - Version 3.6.0 ** Bug CVE-2019-17571 - Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. [JAS-158] Jasperstarter contains an old log4j-1.2.17 which is affected by CVE-2019-17571 [JAS-146] mvn: Could not resolve...

There are really few dependencies on git. In the ant script git is mainly used to get version/revision information for the build and to write this information into the manifest of the jar file of the icons.jar and into a textfile in the forms directory. You can just remove this lines or replace them with similar subversion commands. BR, Volker

Any comments or suggestions?

the following works for me: cd example jasperstarter pr CancelAck.jrxml -f html -t xml --xml-xpath /CancelResponse/CancelResult/ID --data-file CancelAck.xml

a snapshot build is available here: https://sourceforge.net/projects/jasperstarter/files/snapshots/

pushed new branch jas_98_add_to_classpath for testing...