fix(maven): Use unlimited JAXP XML processing with Java >= 24

sschuberth · sschuberth · commit 4cc2fbe2ed7d · 2026-06-02T19:59:28.000+02:00
In Java &gt;= 24, the default limit for processing XML entities was
significantly lowered to 100000 bytes to protect against Entity Expansion
/ Billion Laughs Denial of Service attacks. Repeal that limit in the
context of Tycho processing to avoid errors during analysis.

Signed-off-by: Sebastian Schuberth &lt;sebastian@doubleopen.io&gt;
diff --git a/plugins/package-managers/maven/src/main/kotlin/tycho/Tycho.kt b/plugins/package-managers/maven/src/main/kotlin/tycho/Tycho.kt
@@ -323,6 +323,9 @@ class Tycho(override val descriptor: PluginDescriptor = TychoFactory.descriptor)
             add("-DoutputFile=${dependencyTreeFile.absolutePath}")
             add("-DappendOutput=true")
             add("-Dverbose=true")
+            // Use pre-Java-24 unlimited JAXP XML processing.
+            add("-Djdk.xml.maxGeneralEntitySizeLimit=0")
+            add("-Djdk.xml.totalEntitySizeLimit=0")
         }.toTypedArray()
 }
 

Original file line number	Diff line number	Diff line change
`@@ -323,6 +323,9 @@ class Tycho(override val descriptor: PluginDescriptor = TychoFactory.descriptor)`
`323`	`323`	`add("-DoutputFile=${dependencyTreeFile.absolutePath}")`
`324`	`324`	`add("-DappendOutput=true")`
`325`	`325`	`add("-Dverbose=true")`
	`326`	`+ // Use pre-Java-24 unlimited JAXP XML processing.`
	`327`	`+ add("-Djdk.xml.maxGeneralEntitySizeLimit=0")`
	`328`	`+ add("-Djdk.xml.totalEntitySizeLimit=0")`
`326`	`329`	`}.toTypedArray()`
`327`	`330`	`}`
`328`	`331`