No, there's no such assessment available.
I'm not quite sure how one would go about such an assessment. Saxon is not trying to protect or prevent anything, so the risk of it failing to do so is nil. It's basically a language compiler - I don't know what is meant by the "security" of a compiler.
The only known security issue with Saxon has been the problem that can arise if you allow untrusted stylesheets to run in a sensitive environment: Code written in XSLT and XQuery is code like any other, and if you don't trust code then you shouldn't run it. Sounds too obvious to me to be classed as a "vulnerability", but it's a mistake people have made, so it's worth pointing out.


Michael Kay

From: Brian Newman
Sent: 16 October 2009 15:49
Subject: [saxon] Security

I’m developing an XSL-based solution for the US Navy whose data needs to be held secure.

I’ve not been able to find any information on Saxonica regarding what its security vulnerabilities are (security vulnerabilities of the processor, not XSL in general). Basically, I need some sort of security profile info that I can hand to my boss so he can make a determination as to whether we can use Saxonica.

Is that information available somewhere?


Brian Newman CISSP

Software Engineer

Network Security Systems Plus, Inc.

5205 Leesburg Pike, Suite 1502

Falls Church, Virginia 22041
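
The reply's point that a stylesheet is code like any other has a practical counterpart: when a stylesheet's origin is not fully trusted, the host application can narrow what it is able to reach. The following is an added example, not part of the original thread and not Saxonica's own code; it assumes Saxon is the JAXP `TransformerFactory` on the classpath and that the version in use supports the `allow-external-functions` property. The class name, the sample stylesheet and the file path in it are constructed.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class RestrictedTransform {

    // Saxon configuration property (assumed to be supported by the Saxon version in use).
    static final String SAXON_ALLOW_EXTERNAL_FUNCTIONS =
            "http://saxon.sf.net/feature/allow-external-functions";

    static TransformerFactory restrictedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // Standard JAXP switch: asks the processor to limit what stylesheets may do.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // Saxon-specific: no calls from the stylesheet into Java extension functions.
            factory.setAttribute(SAXON_ALLOW_EXTERNAL_FUNCTIONS, Boolean.FALSE);
        } catch (IllegalArgumentException e) {
            // Not Saxon, or a version without this property: only the JAXP feature applies.
        }
        // Refuse every URI the stylesheet asks for: xsl:import, xsl:include, document().
        factory.setURIResolver((href, base) -> {
            throw new TransformerException("Blocked URI requested by stylesheet: " + href);
        });
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stylesheet that tries to read a local file through document().
        String xslt = "<xsl:stylesheet version='1.0' "
                + "xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:template match='/'><out>"
                + "<xsl:value-of select=\"document('file:///tmp/constructed-example.txt')\"/>"
                + "</out></xsl:template></xsl:stylesheet>";
        Transformer t = restrictedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        try {
            t.transform(new StreamSource(new StringReader("<in/>")), new StreamResult(out));
            System.out.println("Result: " + out);
        } catch (TransformerException e) {
            System.out.println("Transformation stopped: " + e.getMessage());
        }
    }
}
```

These settings narrow what a stylesheet can reach but do not bound its CPU or memory use, so the reply's advice about code you do not trust still applies.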