From 84aed566fc7258513ac26e2db6c6bd17e3067efb Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 30 Sep 2024 00:39:48 -0400 Subject: [PATCH 01/10] Modest changes to README.md after PR 853. --- README.md | 75 +++++++++++++++++++------------------------------------ 1 file changed, 26 insertions(+), 49 deletions(-) diff --git a/README.md b/README.md index 613a441f4..c793d99c2 100644 --- a/README.md +++ b/README.md @@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend org.owasp.esapi esapi - 2.5.4.0 + 2.5.5.0 jakarta ``` @@ -46,40 +46,6 @@ fact, without the ``` that's the version that will be used by default. -# Quickstart - Maven Example -### Step 1: Add the required maven dependencies. -```xml - - org.owasp.esapi - esapi - 2.5.3.0 [or later] - jakarta - - - - jakarta.servlet - jakarta.servlet-api - 6.1.0 - provided - -``` -### Step 2: Create 2 properties file namely: ESAPI.properties and validation.properties and add them to your classpath. You can refer to below for boilerplate configurations. -[ESAPI.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties)
-[validation.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/validation.properties) - -### Step 3: Let's say, you want to remediate log injection vulnerabilities. Below is an example to achieve it. -```code -import org.owasp.esapi.ESAPI; -import org.owasp.esapi.Logger; - -public class Example { - private static Logger LOGGER = ESAPI.getLogger(Example.class); - public void printLog(){ - LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !"); - } -} -``` -For more examples, please visit [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/). # A word about ESAPI vulnerabilities A summary of all the vulnerabilities that we have written about in either the @@ -118,7 +84,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They See the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases which generally link to the specific release notes. -### Really IMPORTANT information in release notes +### Really IMPORTANT information in release notes - Ignore at your peril * Starting with ESAPI 2.2.1.0, important details changed reading the ESAPI Logger. If you have are getting things like ClassNotFoundException, you probably have not read it. Please be sure to read this specific section 
@@ -176,6 +142,30 @@ references in documentation). If you must, you still should be able to use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release notes for further details. +# Quickstart - Maven Example +### Step 1: Add the required dependencies. +See https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for +whatever build tool you are using. If you need the Jakarta version, make sure to +add +```xml + jakarta +``` +and include whatever jakara.servlet:jakarta.servlet-api version you are using with +```xml + provided +``` +### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties +1. Download these 2 files from the ESAPI release that you are using from https://github.com/ESAPI/esapi-java-legacy/releases + and download the esapi--configuration.jar file (and the .asc file if you wish to confirm the GPG signature). +2. Unjar that configuration file that you just downloaded and find the 2 + properties files under the "configuration/esapi" subdirectory where you + unjarred the config jar. +3. Read through Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html) + to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties + files from the 'configuration/esapi' directory to the directory where you + choose to have them reside. Note that you may also edit them to customize + them according to your needs. + # Contributing to ESAPI legacy ### How can I contribute or help with fix bugs? Fork and submit a pull request! Easy as pi! (How's that for an irrational 
@@ -250,19 +240,6 @@ discussion or even show us how it works with a PR. (Note that we vet all pull requests, including coding style of any contributions, so please use the same coding style found in the files you are already editing.) -# Ancient History -### What happened to Google code? -In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This migration was completed in November 2014. - -### What about the issues still located on Google Code? -All issues from Google Code have been migrated to GitHub issues. We now -use GitHut Issues for reporting everything *except* security vulnerabilities. -Other bug tracking sites are undoubtedly more advanced, but as developers, -we do not want to spent time having to close issues from multiple bug-tracking -systems. Therefore, until the synchronization happens with the Atlassian Jira -instance that we have (but are not using; see GitHub issue #371), please -ONLY use GitHub Issues for reporting bugs. - # References: Where to Find More Information on ESAPI **OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/ From 807820e856a0962216375a9e3760b7b2adbbd7eb Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 30 Sep 2024 00:41:23 -0400 Subject: [PATCH 02/10] Update to lastest version of bcprov-jdk18on so Dependabot will stop complaining. Note that this is only used in a 'test' scope anyway and to the best of my knowlege, none of the test uses of any of the vulnerable Bouncy Castle methods. --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 661519330..6310cb4db 100644 --- a/pom.xml +++ b/pom.xml @@ -303,8 +303,8 @@ org.bouncycastle - bcprov-jdk15on - 1.70 + bcprov-jdk18on + 1.78.1 test From 08f52e7169ee55541eac5afda59761bc94c9b63e Mon Sep 17 00:00:00 2001 
From: kwwall Date: Mon, 30 Sep 2024 00:52:19 -0400 Subject: [PATCH 03/10] Initial commit for Markdown version of 'CONTRIBUTING-TO-ESAPI.txt'. --- CONTRIBUTING.md | 118 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..4c095cb35 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,118 @@ +# Contributing to ESAPI -- Details + +## Getting Started +If you have not already done so, go back and read the section +"[Contributing to ESAPI legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)" in ESAPI's README.md file. It +may contain updates and advice not contained herein. + +### A Special Note on GitHub Authentication +GitHub has announced that they are deprecating password based authentication +using username / password and beginning 2021-08-13, you will no longer be +able to your password to authenticate to 'git' operations on GitHub.com. +Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ +for details and plan accordingly. + +### A Special Note Regarding Making Commits for PRs +Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI +team decided to lock down the 'develop' amd 'main' branches. Merges from +PRs are done to the 'develop' branch. That means that if you intend to +contribute to ESAPI, you must be signing your commits. Please see the +GitHub instructions at + https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits +for details. + +### Git Branching Model +We are following the branching model described in + https://nvie.com/posts/a-successful-git-branching-model +If you are unfamiliar with it, you would be advised to give it a quick +perusal. The major point is that the 'main' (formerly 'master') branch is +reserved for official releases (which will be tagged), the 'develop' branch +is used for ongoing development work and is the default branch, and we +generally work off 'issue' branches named 'issue-#' where # is the GitHub +issue number. (The last is not an absolute requirement, but rather a +suggested approach.) 
+ +Finally, we recommend setting the git property 'core.autocrlf' to 'input' +in your $HOME/.gitconfig file; e.g., that file should contain something +like this: + + [core] + autocrlf = input + + +### Required Software +We use Maven for building. Maven 3.6.3 or later is required. You also need +JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple +failures when you try to run 'mvn test' as well as some general warnings. +See [ESAPI GitHub issue #496](https://github.com/ESAPI/esapi-java-legacy/issues/496) for details. We welcome volunteers to address +this.] +## Finding Something Interesting to Work on + +See the section [Contributing to ESAPI Legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy) +in the ESAPI README for suggestions. While you don't *have* to work on something labeled "good first issue" +or "help wanted", those are good places to start for someone not yet familiar with the ESAPI code base. + +You will need a account on GitHub though. Once you create one, let us know +what it is. Then if you want to work on a particular issue, we can assign +it to you so someone else won't take it. + +If you have questions, email Kevin Wall (Kevin.W.Wall@gmail.com) or Matt +Seil (xeno6696@gmail.com). + + +## Building ESAPI +See our local GitHub wiki page, [Building ESAPI](https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI), +which briefly discusses how to build ESAPI via Maven. + +You can also refer to [Using ESAPI for Java with Eclipse](https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse) +if you prefer working from IDEs. There is also a much older ESAPI wiki page, +[Building with Eclipse](https://www.owasp.org/index.php/ESAPI-BuildingWithEclipse) +that might be useful. + +As always, any contributions to ESAPI's admittedly skimpy documentation in this area is welcome. 
+In particular, contributing some hints about debugging applications using ESAPI +would be very useful to our ESAPI clients. + +## Steps to work with ESAPI +I usually do everything from the bash command prompt in Linux Mint, +but other people use Windows. If you prefer an IDE, I can't help you +much, but I can help with at least modest problems. If you have more +difficult problems, I will probably refer you to my project co-leader, +Matt who groks git a lot better than I. + +But the basic high level steps are: + +1. Fork https://github.com/ESAPI/esapi-java-legacy to your own GitHub repository using the GitHub web site. +2. On your local laptop, clone your own GitHub ESAPI repo (i.e, the forked repo created in previous step) +3. Create a new branch to work on an issue. I usually name the branch 'issue-#' where '#' is the GitHub issue # is will be working on, but you can call it whatever. E.g., + ```bash + $ git checkout -b issue-# + ``` +4. Work on the GitHub issue on this newly created issue-# branch. Be sure that you also create new JUnit tests as required that confirm that the issue is corrected, or if you are introducing new functionality, ensure + that functionality is sufficiently covered. +5. Make sure everything builds correctly and all the JUnit tests pass ('mvn test'). [Note: There are some known issues with test failures if your are running under Windows and your local ESAPI Git repo located anywhere other than the C: drive, where the test `ValidatorTest.testIsValidDirectoryPath()` fails. +6. If you have added any dependencies, please also run OWASP Dependency-Check and look at the generated report left in 'target/dependency-check-report.html' to make sure there were not any CVEs introduced. (Alternately you can run 'mvn verify' which will first run the tests and then run Dependency-Check.) Note if this is the first time you have run Dependency-Check for ESAPI, expect it to take a while (often 30 minutes or so!). 
To execute Dependency Check from Maven, run: + ```bash + $ mvn org.owasp:dependency-check-maven:check + ``` +7. Commit your changes locally. +8. Push your 'issue-#' branch to your personal, forked ESAPI GitHub repo. E.g., + ```bash + $ git checkout issue-444 + $ git remote -v | grep origin # Confirm 'origin' refers to YOUR PERSONAL GitHub repo + $ git push origin issue-444 # Push the committed changes on the 'issue-444' branch + ``` +9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a 'Pull Request' (PR) from your 'issue-#' branch. +10. Back on your local personal laptop / desktop, merge your issue branch with your local 'develop' branch. I.e., + $ git checkout develop + $ git merge issue-444 +11. Do not remove your branch on your forked repository until your PR from your branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch. + Note at least one the 3 main contributors on will review your commits before + merging them and they may do a formal code review and request further changes. + Once they are satisfied, they will merge your PR. + +In theory, you can do all this 'git' magic from Eclipse and presumably other +IDEs like Oracle NetBeans or JetBrains IntelliJ IDEA. From Eclipse, it is right-click +on the project and then select 'Team' to do the commits, etc. If you choose that +route, you're pretty much on your own because none of us use that for Git +interactions. From 865441e51b974b6791dc0f711c95971f831d22fd Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 30 Sep 2024 19:30:53 -0400 Subject: [PATCH 04/10] Update Maven plugins. --- pom.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 6310cb4db..31a4e7379 100644 --- a/pom.xml +++ b/pom.xml @@ -132,11 +132,11 @@ UTF-8 1.37 2.0.0-M3 - 2.0.0-M9 + 2.0.0-M10 2.0.9 4.8.6 - 4.8.6.2 - 3.3.0 + 4.8.6.4 + 3.5.0 1.8 @@ -533,7 +533,7 @@ org.codehaus.mojo extra-enforcer-rules - 1.8.0 + 1.9.0 org.codehaus.mojo 
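Review bot: in README.md hunk @@ -46,40 +46,6 @@ (PATCH 01), the old Quickstart "Step 3" log-injection snippet (`ESAPI.getLogger(Example.class)` / `LOGGER.info(Logger.EVENT_SUCCESS, ...)`) and the "For more examples" pointer to https://owasp.org/www-project-enterprise-security-api/ are deleted outright rather than carried into the new Quickstart added at @@ -176,6, so after this patch the README shows no ESAPI code at all. Suggest restoring those few lines (or at least the examples link) under the new Step 2, since logging is the one use case the README used to demonstrate.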
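Review bot: in README.md hunk @@ -176,6 +142,30 @@ (PATCH 01), the DefaultSecurityConfiguration Javadoc link is pinned to 2.5.4.0 while the first hunk of this same patch bumps the dependency example to 2.5.5.0; point it at the release being documented so the two stay in step. Same hunk: `jakara.servlet:jakarta.servlet-api` should read `jakarta.servlet`, the file name `esapi--configuration.jar` reads as though a version placeholder was lost between the hyphens, and step 2 item 1 says "download" twice in one sentence. Because ESAPI.properties and validation.properties drive ESAPI's security behaviour, consider recommending the GPG check of the .asc file rather than leaving it at "if you wish".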
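Review bot: in pom.xml hunk @@ -303,8 +303,8 @@ (PATCH 02), the change from `bcprov-jdk15on` 1.70 to `bcprov-jdk18on` 1.78.1 swaps the artifact id, not only the version, so anything in the test tree that imported a class present only in the old artifact would stop compiling; a full `mvn test` run should be confirmed before merge. Since the dependency is test scope it does not reach consumers, but the reasoning in the commit message (no test exercises the vulnerable Bouncy Castle methods) belongs in Vulnerability-Summary.md or the release notes so the next Dependabot alert can be triaged without re-deriving it.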
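Review bot: in the new CONTRIBUTING.md (hunk @@ -0,0 +1,118 @@, PATCH 03), "you will no longer be able to your password to authenticate" is missing "use", the 2021-08-13 GitHub deadline is long past and reads better as a statement of fact than as an upcoming change, "'develop' amd 'main'" should be "and", the bracketed note in step 5 is never closed, "if your are running" should be "you are", the two `git` commands in step 10 are not fenced like those in steps 3, 6 and 8, and "at least one the 3 main contributors on will review" needs "of" and should drop "on". The signed-commit requirement is the most important line in the file; if the branch lock-down rejects unsigned commits at merge time, say so, so contributors know the check is enforced rather than advisory.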
From 4ed69f3bc997fce6fb96b4dcb9d1c6b463e656d0 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 30 Sep 2024 19:40:14 -0400 Subject: [PATCH 05/10] Set previous release date to 2024-05-30. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 31a4e7379..1da06d99f 100644 --- a/pom.xml +++ b/pom.xml @@ -141,7 +141,7 @@ - 2023-12-01 00:00:00 + 2024-05-30 00:00:00 From 53ecd8690525a6381691fa3e239ffa68c84395ec Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 30 Sep 2024 19:51:24 -0400 Subject: [PATCH 06/10] Fix Javadoc warning. --- .../java/org/owasp/esapi/logging/appender/LogPrefixAppender.java | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java index 57cddfa26..237d43ac6 100644 --- a/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java +++ b/src/main/java/org/owasp/esapi/logging/appender/LogPrefixAppender.java @@ -46,7 +46,6 @@ public class LogPrefixAppender implements LogAppender { * @param logServerIp Whether or not to record server ip information * @param logApplicationName Whether or not to record application name * @param appName Application Name to record. - * @param logPrefix is set by default to true */ @SuppressWarnings("JavadocReference") public LogPrefixAppender(boolean logUserInfo, boolean logClientInfo, boolean logServerIp, boolean logApplicationName, String appName) { From e74b77d43d26642744a0e05fa24b7ea8b7a4850c Mon Sep 17 00:00:00 2001 From: kwwall Date: Sat, 5 Oct 2024 10:20:26 -0400 Subject: [PATCH 07/10] Add helpful comments in ESAPI release preparation. --- scripts/README.txt | 3 +++ scripts/esapi4java-core-TEMPLATE-release-notes.txt | 2 ++ 2 files changed, 5 insertions(+) diff --git a/scripts/README.txt b/scripts/README.txt index 75735efd3..0e28bb29c 100644 --- a/scripts/README.txt +++ b/scripts/README.txt 
@@ -1,5 +1,8 @@ This directory is for utilities used for building / packaging / releasing ESAPI. +The scripts and configuration files in this directory are mostly used to create ESAPI release notes. +(The 2 'mvnQuietTest' scripts are the major exceptions to that.) + ======================== README.txt -- This readme file. diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt index 280b85483..3aabe5d38 100644 --- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt +++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt @@ -48,6 +48,8 @@ ESAPI ${PREV_VERSION} release: ESAPI ${VERSION} release: @@@@ Count them and run 'mvn test' to get the # of tests. +@@@@ Count Java source files by executing: +@@@@ find src/main -type f -name '*.java' | wc -l #### Java source files #### JUnit tests in #### Java source files From e2053d2d27788005423e082729e1d7c1fbad89e9 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sat, 5 Oct 2024 11:54:23 -0400 Subject: [PATCH 08/10] New release notes --- .../esapi4java-core-2.5.5.0-release-notes.txt | 199 ++++++++++++++++++ scripts/vars.2.5.5.0 | 14 ++ 2 files changed, 213 insertions(+) create mode 100644 documentation/esapi4java-core-2.5.5.0-release-notes.txt create mode 100644 scripts/vars.2.5.5.0 diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt new file mode 100644 index 000000000..c03b522ce --- /dev/null +++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt 
@@ -0,0 +1,199 @@ +Release notes for ESAPI 2.5.5.0 + Release date: 2024-10-06 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.5.4.0, 2024-05-30 + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ +This is a minor release. All changes should be backward compatible with the previous ESAPI version. +The updates cover the following areas: +* Updates to dependencies and Maven plugins. +* New logging feature added which should be useful in cloud environments where you are paying for log storage. + See GitHub issue https://github.com/ESAPI/esapi-java-legacy/issues/844 for details. +* Documentation clean-up. + +Notes if you are not updating from the immediate previous release. release 2.5.4.0: + * You need to read through the series of release notes FIRST, going in order. + * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read: + + esapi4java-core-2.4.0.0-release-notes.txt + esapi4java-core-2.5.0.0-release-notes.txt + esapi4java-core-2.5.1.0-release-notes.txt + esapi4java-core-2.5.2.0-release-notes.txt + ...etc., up through the current set of release notes... + esapi4java-core-2.x.y.z-release-notes.txt + +in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.) 
+ +If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI. + +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. + + +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.5.4.0 release: + 207 Java source files + 4297 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped) + +ESAPI 2.5.5.0 release: + 207 Java source files + 4315 JUnit tests in 133 Java source files (0 failures, 0 errors, 0 tests skipped) + +8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive') +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-05-30) + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +844 Update the logging properties to opt-out of the prefix events Component-Logger enhancement +846 ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator +847 Update ESAPI pom to use latest version of AntiSamy (1.7.6) +851 Fix typos + + +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- + +Important 
JDK Support Announcement +* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. + +Important ESAPI Logging Changes + +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implemmentation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. +* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 + +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. 
The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x + +----------------------------------------------------------------------------- + + Remaining Known Issues / Problems + +----------------------------------------------------------------------------- +None known, other than the remaining open issues on GitHub. + +----------------------------------------------------------------------------- + + Other changes in this release, some of which not tracked via GitHub issues + +----------------------------------------------------------------------------- + +* Minor updates to README.md file with respect to version information. + +----------------------------------------------------------------------------- + +Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-06) +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. +Note: This only lists merged PRs, not those that were closed as rejected. + +Developer Total Total Number # Merged +(GitHub ID) commits of Files Changed PRs +============================================================ +DebajitKumarPhukan 7 1 1 +DarioViva42 57 44 1 +mickeyz07 10 12 1 +kwwall 2 2 1 +============================================================ + Total PRs: 4 + +----------------------------------------------------------------------------- + +CHANGELOG: Create your own. May I suggest: + + git log --stat --since=2024-05-30 --reverse --pretty=medium + + which will show all the commits since just after the previous (2.5.4.0) release. 
+ + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree + [INFO] -----------------------< org.owasp.esapi:esapi >------------------------ + [INFO] Building ESAPI 2.5.5.0-SNAPSHOT + [INFO] --------------------------------[ jar ]--------------------------------- + [INFO] + [INFO] --- maven-dependency-plugin:3.7.1:tree (default-cli) @ esapi --- + [INFO] org.owasp.esapi:esapi:jar:2.5.5.0-SNAPSHOT + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided + [INFO] +- xom:xom:jar:1.3.9:compile + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile + [INFO] +- commons-lang:commons-lang:jar:2.6:compile + [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile + [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile + [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.6:compile + [INFO] | +- commons-io:commons-io:jar:2.16.1:compile + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.3.1:compile + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.5:compile + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.17:compile + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.17:compile + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.17:compile + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.17:compile + 
[INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.17:compile + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.9:compile + [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.3.0:compile + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile + [INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional) + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional) + [INFO] +- commons-codec:commons-codec:jar:1.17.0:test + [INFO] +- junit:junit:jar:4.13.2:test + [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test + [INFO] | \- org.objenesis:objenesis:jar:3.2:test + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test + [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test + [INFO] ------------------------------------------------------------------------ + +----------------------------------------------------------------------------- + +Acknowledgments: + A special shout-out to our new ESAPI contributors, mickeyz07, DarioViva42, and DebajitKumarPhukan. 
+ Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696) diff --git a/scripts/vars.2.5.5.0 b/scripts/vars.2.5.5.0 new file mode 100644 index 000000000..f64e62384 --- /dev/null +++ b/scripts/vars.2.5.5.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.5.5.0 + +# Previous ESAPI version +PREV_VERSION=2.5.4.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2024-10-06 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2024-05-30 From 07775d7e7344846e334a190730a7d17056e5b516 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 6 Oct 2024 18:57:00 -0400 Subject: [PATCH 09/10] Few more dependency and plugin upates; remove '-SNAPSHOT' suffix from release version. --- pom.xml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/pom.xml b/pom.xml index 1da06d99f..d8b63a31e 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.5.5.0-SNAPSHOT + 2.5.5.0 jar @@ -132,11 +132,11 @@ UTF-8 1.37 2.0.0-M3 - 2.0.0-M10 + 2.0.0-M11 2.0.9 4.8.6 4.8.6.4 - 3.5.0 + 3.5.1 1.8 @@ -260,7 +260,7 @@ org.slf4j slf4j-api - 2.0.13 + 2.0.16 xml-apis @@ -286,7 +286,7 @@ commons-codec commons-codec - 1.17.0 + 1.17.1 test @@ -408,17 +408,17 @@ org.apache.maven.plugins maven-dependency-plugin - 3.7.1 + 3.8.0 org.apache.maven.plugins maven-release-plugin - 3.1.0 + 3.1.1 org.codehaus.mojo versions-maven-plugin - 2.17.0 + 2.17.1 file:${project.basedir}/versionRuleset.xml 
@@ -431,7 +431,7 @@ org.cyclonedx cyclonedx-maven-plugin - 2.8.0 + 2.8.2 package @@ -513,7 +513,7 @@ org.apache.maven.plugins maven-deploy-plugin - 3.1.2 + 3.1.3 @@ -602,7 +602,7 @@ org.apache.maven.plugins maven-gpg-plugin - 3.2.4 + 3.2.7 sign-artifacts @@ -615,7 +615,7 @@ org.apache.maven.plugins maven-install-plugin - 3.1.2 + 3.1.3 @@ -635,7 +635,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.7.0 + 3.10.1 8 none @@ -653,19 +653,19 @@ org.apache.maven.plugins maven-jxr-plugin - 3.4.0 + 3.5.0 org.apache.maven.plugins maven-pmd-plugin - 3.23.0 + 3.25.0 org.apache.maven.plugins maven-project-info-reports-plugin - 3.6.1 + 3.7.0 @@ -679,7 +679,7 @@ The skin is referenced in src/site/site.xml. --> org.apache.maven.plugins maven-site-plugin - 4.0.0-M15 + 4.0.0-M16 org.apache.maven.skins @@ -740,7 +740,7 @@ org.owasp dependency-check-maven - 10.0.2 + 10.0.4 ${env.NVD_API_KEY} 1.0 From a160de070ad02b5308ae27d2f3d638d92fd4c2d3 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 6 Oct 2024 19:05:30 -0400 Subject: [PATCH 10/10] Update section on commit / PR history. --- documentation/esapi4java-core-2.5.5.0-release-notes.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/esapi4java-core-2.5.5.0-release-notes.txt b/documentation/esapi4java-core-2.5.5.0-release-notes.txt index c03b522ce..0be387f6b 100644 --- a/documentation/esapi4java-core-2.5.5.0-release-notes.txt +++ b/documentation/esapi4java-core-2.5.5.0-release-notes.txt @@ -108,9 +108,9 @@ Developer Total Total Number # Merged DebajitKumarPhukan 7 1 1 DarioViva42 57 44 1 mickeyz07 10 12 1 -kwwall 2 2 1 +kwwall 11 8 2 ============================================================ - Total PRs: 4 + Total PRs: 5 -----------------------------------------------------------------------------
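Review bot: in LogPrefixAppender.java hunk @@ -46,7 +46,6 @@ (PATCH 06), dropping the stale `@param logPrefix` tag is right, since the constructor signature on the following line has no such parameter; with it gone, check whether the `@SuppressWarnings("JavadocReference")` immediately below still suppresses anything, as it may have been added for exactly this dangling reference and could be removed in the same commit.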
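Review bot: in scripts/esapi4java-core-TEMPLATE-release-notes.txt hunk @@ -48,6 +48,8 @@ (PATCH 07), `find src/main -type f -name '*.java' | wc -l` fills in only the first "#### Java source files" placeholder; the next template line ("#### JUnit tests in #### Java source files") also needs a count of test source files, so add the matching `find src/test -type f -name '*.java' | wc -l` beside it, otherwise the second figure is still guessed by hand.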
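Review bot: in documentation/esapi4java-core-2.5.5.0-release-notes.txt (hunk @@ -0,0 +1,199 @@, PATCH 08), "Basic ESAPI facts" says "8 GitHub Issues closed in this release" but the table beneath lists only four (844, 846, 847, 851); reconcile the count with the table or the linked query. Also in this hunk: the two consecutive paragraphs about Vulnerability-Summary.md say the same thing and one can go; the Acknowledgments thank the AntiSamy crew for "AntiSamy 1.7.0" while issue 847 and the dependency tree say 1.7.6; "ESAPI 2.4.0 requires" should match the 2.4.0.0 form used elsewhere; and in "Changes Requiring Special Attention" the words "haveing", "implemmentation", "which as been", "you only choice", "an ClassNotFoundException" and "has not be tested" want fixing, as does the stray period in "previous release. release 2.5.4.0".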
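Review bot: in pom.xml hunk @@ -3,7 +3,7 @@ (PATCH 09) the -SNAPSHOT suffix is dropped, and the later hunks bump slf4j-api to 2.0.16, commons-codec to 1.17.1 and maven-dependency-plugin to 3.8.0, but the `mvn -B dependency:tree` output pasted into the release notes in PATCH 08 still shows "Building ESAPI 2.5.5.0-SNAPSHOT", slf4j-api:2.0.13, commons-codec:1.17.0 and maven-dependency-plugin:3.7.1; regenerate the tree after this commit so the published notes describe the artifact that actually ships. The dependency-check-maven bump to 10.0.4 in hunk @@ -740,7 also merits a fresh `mvn verify` before tagging, since that scan is what backs the "no CVEs introduced" step in CONTRIBUTING.md.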