Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release prep 2.5.5.0 #856

Merged
merged 10 commits into from
Oct 7, 2024
118 changes: 118 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,118 @@
# Contributing to ESAPI -- Details

## Getting Started
If you have not already done so, go back and read the section
"[Contributing to ESAPI legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)" in ESAPI's README.md file. It
may contain updates and advice not contained herein.

### A Special Note on GitHub Authentication
GitHub has announced that they are deprecating password based authentication
using username / password and beginning 2021-08-13, you will no longer be
able to your password to authenticate to 'git' operations on GitHub.com.
Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
for details and plan accordingly.

### A Special Note Regarding Making Commits for PRs
Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI
team decided to lock down the 'develop' amd 'main' branches. Merges from
PRs are done to the 'develop' branch. That means that if you intend to
contribute to ESAPI, you must be signing your commits. Please see the
GitHub instructions at
https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
for details.

### Git Branching Model
We are following the branching model described in
https://nvie.com/posts/a-successful-git-branching-model
If you are unfamiliar with it, you would be advised to give it a quick
perusal. The major point is that the 'main' (formerly 'master') branch is
reserved for official releases (which will be tagged), the 'develop' branch
is used for ongoing development work and is the default branch, and we
generally work off 'issue' branches named 'issue-#' where # is the GitHub
issue number. (The last is not an absolute requirement, but rather a
suggested approach.)

Finally, we recommend setting the git property 'core.autocrlf' to 'input'
in your $HOME/.gitconfig file; e.g., that file should contain something
like this:

[core]
autocrlf = input


### Required Software
We use Maven for building. Maven 3.6.3 or later is required. You also need
JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple
failures when you try to run 'mvn test' as well as some general warnings.
See [ESAPI GitHub issue #496](https://github.com/ESAPI/esapi-java-legacy/issues/496) for details. We welcome volunteers to address
this.]
## Finding Something Interesting to Work on

See the section [Contributing to ESAPI Legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)
in the ESAPI README for suggestions. While you don't *have* to work on something labeled "good first issue"
or "help wanted", those are good places to start for someone not yet familiar with the ESAPI code base.

You will need a account on GitHub though. Once you create one, let us know
what it is. Then if you want to work on a particular issue, we can assign
it to you so someone else won't take it.

If you have questions, email Kevin Wall ([email protected]) or Matt
Seil ([email protected]).


## Building ESAPI
See our local GitHub wiki page, [Building ESAPI](https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI),
which briefly discusses how to build ESAPI via Maven.

You can also refer to [Using ESAPI for Java with Eclipse](https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse)
if you prefer working from IDEs. There is also a much older ESAPI wiki page,
[Building with Eclipse](https://www.owasp.org/index.php/ESAPI-BuildingWithEclipse)
that might be useful.

As always, any contributions to ESAPI's admittedly skimpy documentation in this area is welcome.
In particular, contributing some hints about debugging applications using ESAPI
would be very useful to our ESAPI clients.

## Steps to work with ESAPI
I usually do everything from the bash command prompt in Linux Mint,
but other people use Windows. If you prefer an IDE, I can't help you
much, but I can help with at least modest problems. If you have more
difficult problems, I will probably refer you to my project co-leader,
Matt who groks git a lot better than I.

But the basic high level steps are:

1. Fork https://github.com/ESAPI/esapi-java-legacy to your own GitHub repository using the GitHub web site.
2. On your local laptop, clone your own GitHub ESAPI repo (i.e, the forked repo created in previous step)
3. Create a new branch to work on an issue. I usually name the branch 'issue-#' where '#' is the GitHub issue # is will be working on, but you can call it whatever. E.g.,
```bash
$ git checkout -b issue-#
```
4. Work on the GitHub issue on this newly created issue-# branch. Be sure that you also create new JUnit tests as required that confirm that the issue is corrected, or if you are introducing new functionality, ensure
that functionality is sufficiently covered.
5. Make sure everything builds correctly and all the JUnit tests pass ('mvn test'). [Note: There are some known issues with test failures if your are running under Windows and your local ESAPI Git repo located anywhere other than the C: drive, where the test `ValidatorTest.testIsValidDirectoryPath()` fails.
6. If you have added any dependencies, please also run OWASP Dependency-Check and look at the generated report left in 'target/dependency-check-report.html' to make sure there were not any CVEs introduced. (Alternately you can run 'mvn verify' which will first run the tests and then run Dependency-Check.) Note if this is the first time you have run Dependency-Check for ESAPI, expect it to take a while (often 30 minutes or so!). To execute Dependency Check from Maven, run:
```bash
$ mvn org.owasp:dependency-check-maven:check
```
7. Commit your changes locally.
8. Push your 'issue-#' branch to your personal, forked ESAPI GitHub repo. E.g.,
```bash
$ git checkout issue-444
$ git remote -v | grep origin # Confirm 'origin' refers to YOUR PERSONAL GitHub repo
$ git push origin issue-444 # Push the committed changes on the 'issue-444' branch
```
9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a 'Pull Request' (PR) from your 'issue-#' branch.
10. Back on your local personal laptop / desktop, merge your issue branch with your local 'develop' branch. I.e.,
$ git checkout develop
$ git merge issue-444
11. Do not remove your branch on your forked repository until your PR from your branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch.
Note at least one the 3 main contributors on will review your commits before
merging them and they may do a formal code review and request further changes.
Once they are satisfied, they will merge your PR.

In theory, you can do all this 'git' magic from Eclipse and presumably other
IDEs like Oracle NetBeans or JetBrains IntelliJ IDEA. From Eclipse, it is right-click
on the project and then select 'Team' to do the commits, etc. If you choose that
route, you're pretty much on your own because none of us use that for Git
interactions.
75 changes: 26 additions & 49 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.4.0</version>
<version>2.5.5.0</version> <!-- Preferably the latest version, but > 2.5.3.0 -->
<classifier>jakarta</classifier>
</dependency>
```
Expand All @@ -46,40 +46,6 @@ fact, without the
```
that's the version that will be used by default.

# Quickstart - Maven Example
### Step 1: Add the required maven dependencies.
```xml
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.5.3.0 [or later]</version>
<classifier>jakarta</classifier>
</dependency>
<!-- Add the below dependency if the not using JakartaEE -->
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
<version>6.1.0</version>
<scope>provided</scope>
</dependency>
```
### Step 2: Create 2 properties file namely: ESAPI.properties and validation.properties and add them to your classpath. You can refer to below for boilerplate configurations.
[ESAPI.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties) <br/>
[validation.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/validation.properties)

### Step 3: Let's say, you want to remediate log injection vulnerabilities. Below is an example to achieve it.
```code
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Logger;

public class Example {
private static Logger LOGGER = ESAPI.getLogger(Example.class);
public void printLog(){
LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !");
}
}
```
For more examples, please visit [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).

# A word about ESAPI vulnerabilities
A summary of all the vulnerabilities that we have written about in either the
Expand Down Expand Up @@ -118,7 +84,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They
See the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases which generally
link to the specific release notes.

### Really IMPORTANT information in release notes
### Really IMPORTANT information in release notes - Ignore at your peril
* Starting with ESAPI 2.2.1.0, important details changed reading the ESAPI
Logger. If you have are getting things like ClassNotFoundException, you
probably have not read it. Please be sure to read this specific section
Expand Down Expand Up @@ -176,6 +142,30 @@ references in documentation). If you must, you still should be able to
use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release
notes for further details.

# Quickstart - Maven Example
### Step 1: Add the required dependencies.
See https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for
whatever build tool you are using. If you need the Jakarta version, make sure to
add
```xml
<classifier>jakarta</classifier>
```
and include whatever jakara.servlet:jakarta.servlet-api version you are using with
```xml
<scope>provided</scope>
```
### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties
1. Download these 2 files from the ESAPI release that you are using from https://github.com/ESAPI/esapi-java-legacy/releases
and download the esapi-<release>-configuration.jar file (and the .asc file if you wish to confirm the GPG signature).
2. Unjar that configuration file that you just downloaded and find the 2
properties files under the "configuration/esapi" subdirectory where you
unjarred the config jar.
3. Read through Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html)
to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties
files from the 'configuration/esapi' directory to the directory where you
choose to have them reside. Note that you may also edit them to customize
them according to your needs.

# Contributing to ESAPI legacy
### How can I contribute or help with fix bugs?
Fork and submit a pull request! Easy as pi! (How's that for an irrational
Expand Down Expand Up @@ -250,19 +240,6 @@ discussion or even show us how it works with a PR. (Note that we vet all pull
requests, including coding style of any contributions, so please use the same
coding style found in the files you are already editing.)

# Ancient History
### What happened to Google code?
In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This migration was completed in November 2014.

### What about the issues still located on Google Code?
All issues from Google Code have been migrated to GitHub issues. We now
use GitHut Issues for reporting everything *except* security vulnerabilities.
Other bug tracking sites are undoubtedly more advanced, but as developers,
we do not want to spent time having to close issues from multiple bug-tracking
systems. Therefore, until the synchronization happens with the Atlassian Jira
instance that we have (but are not using; see GitHub issue #371), please
ONLY use GitHub Issues for reporting bugs.

# References: Where to Find More Information on ESAPI
**OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/

Expand Down
Loading