[birt-dev] BIRT depends on org.apache.batik.css which has critical vulnerabilities

Hello!

We develop an Eclipse RCP application which uses BIRT extensively. A few days ago our important customer reported that they cannot deploy our application on their computers because it was blocked by their IT security department. The problem is that it uses old org.apache.batik.css_1.7.0.v201011041433.jar that has a critical vulnerability: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Abatik&cpe_version=cpe%3A%2F%3Aapache%3Abatik%3A1.8.0

We cannot simply upgrade Apache Batik to 1.10+ because BIRT strictly depends on Batik 1.7.x (for example, see MANIFEST.MF in org.eclipse.birt.report.engine_4.8.0.v201806261756.jar).

Therefore I have a few questions:
1. Why does BIRT depend on old Batik? Is there a real reason for this? Are there some specific things that are present only in old Batik and don't exist in the new version?
2. Are there any plans to upgrade the version of Batik?
3. Do you know a possible workaround for this issue? Any (even very little) idea will be appreciated.

Thanks in advance!
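As an added, defender-side example that is not from the original post or from the BIRT project: a small Python check that unfolds an OSGi MANIFEST.MF, reads the Require-Bundle clause for a given bundle and tests whether a candidate replacement version (for instance a patched Batik) would still satisfy the declared version range. The manifest excerpt and the `[1.7.0,1.8.0)` range in it are constructed for illustration; the real range must be read from the actual BIRT manifest, and the function names are my own.

```python
import re

# Constructed MANIFEST.MF excerpt in the style of an Eclipse/OSGi bundle.
# The Require-Bundle ranges are hypothetical, not copied from the real BIRT jar.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Bundle-SymbolicName: org.eclipse.birt.report.engine;singleton:=true
Bundle-Version: 4.8.0.v201806261756
Require-Bundle: org.eclipse.core.runtime,
 org.apache.batik.css;bundle-version="[1.7.0,1.8.0)",
 org.w3c.dom.svg;bundle-version="1.1.0"
"""

def parse_manifest(text):
    """Unfold a manifest (continuation lines start with one space) into a dict."""
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def split_clauses(header):
    """Split Require-Bundle on commas that are not inside a quoted range."""
    return [c.strip() for c in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', header) if c.strip()]

def version_tuple(v):
    # Compare only major.minor.micro; the qualifier (e.g. v2010...) is ignored here.
    parts = v.split(".")[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def in_range(version, spec):
    """OSGi semantics: a bare version means 'at least'; [a,b) / (a,b] are intervals."""
    m = re.fullmatch(r'([\[(])\s*([\d.]+)\s*,\s*([\d.]+)\s*([\])])', spec)
    v = version_tuple(version)
    if not m:
        return v >= version_tuple(spec)
    lo, hi = version_tuple(m.group(2)), version_tuple(m.group(3))
    lo_ok = v > lo if m.group(1) == "(" else v >= lo
    hi_ok = v < hi if m.group(4) == ")" else v <= hi
    return lo_ok and hi_ok

def required_range(manifest_text, bundle):
    """Return the bundle-version spec for `bundle`, or None if unconstrained/absent."""
    for clause in split_clauses(parse_manifest(manifest_text).get("Require-Bundle", "")):
        parts = [p.strip() for p in clause.split(";")]
        if parts[0] == bundle:
            for attr in parts[1:]:
                if attr.startswith("bundle-version="):
                    return attr.split("=", 1)[1].strip('"')
            return None
    return None

def can_resolve_with(manifest_text, bundle, candidate_version):
    """True if swapping `bundle` for `candidate_version` still satisfies the manifest."""
    spec = required_range(manifest_text, bundle)
    return True if spec is None else in_range(candidate_version, spec)
```

Run it against every MANIFEST.MF in a product's plugins directory to see which bundles pin the vulnerable range before attempting an upgrade.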
