-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release prep 2.5.5.0 #856
Merged
Merged
Release prep 2.5.5.0 #856
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
84aed56
Modest changes to README.md after PR 853.
kwwall 807820e
Update to lastest version of bcprov-jdk18on so Dependabot will stop c…
kwwall 08f52e7
Initial commit for Markdown version of 'CONTRIBUTING-TO-ESAPI.txt'.
kwwall 865441e
Update Maven plugins.
kwwall 4ed69f3
Set previous release date to 2024-05-30.
kwwall 53ecd86
Fix Javadoc warning.
kwwall e74b77d
Add helpful comments in ESAPI release preparation.
kwwall e2053d2
New release notes
kwwall 07775d7
Few more dependency and plugin upates; remove '-SNAPSHOT' suffix from…
kwwall a160de0
Update section on commit / PR history.
kwwall File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
199 changes: 199 additions & 0 deletions
199
documentation/esapi4java-core-2.5.5.0-release-notes.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,199 @@ | ||
| Release notes for ESAPI 2.5.5.0 | ||
| Release date: 2024-10-06 | ||
| Project leaders: | ||
| -Kevin W. Wall <[email protected]> | ||
| -Matt Seil <[email protected]> | ||
|
|
||
| Previous release: ESAPI 2.5.4.0, 2024-05-30 | ||
|
|
||
|
|
||
| Executive Summary: Important Things to Note for this Release | ||
| ------------------------------------------------------------ | ||
| This is a minor release. All changes should be backward compatible with the previous ESAPI version. | ||
| The updates cover the following areas: | ||
| * Updates to dependencies and Maven plugins. | ||
| * New logging feature added which should be useful in cloud environments where you are paying for log storage. | ||
| See GitHub issue https://github.com/ESAPI/esapi-java-legacy/issues/844 for details. | ||
| * Documentation clean-up. | ||
|
|
||
| Notes if you are not updating from the immediate previous release. release 2.5.4.0: | ||
| * You need to read through the series of release notes FIRST, going in order. | ||
| * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read: | ||
|
|
||
| esapi4java-core-2.4.0.0-release-notes.txt | ||
| esapi4java-core-2.5.0.0-release-notes.txt | ||
| esapi4java-core-2.5.1.0-release-notes.txt | ||
| esapi4java-core-2.5.2.0-release-notes.txt | ||
| ...etc., up through the current set of release notes... | ||
| esapi4java-core-2.x.y.z-release-notes.txt | ||
|
|
||
| in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.) | ||
|
|
||
| If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI. | ||
|
|
||
| You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. | ||
|
|
||
|
|
||
| ================================================================================================================= | ||
|
|
||
| Basic ESAPI facts | ||
| ----------------- | ||
|
|
||
| ESAPI 2.5.4.0 release: | ||
| 207 Java source files | ||
| 4297 JUnit tests in 131 Java source files (0 failures, 0 errors, 0 tests skipped) | ||
|
|
||
| ESAPI 2.5.5.0 release: | ||
| 207 Java source files | ||
| 4315 JUnit tests in 133 Java source files (0 failures, 0 errors, 0 tests skipped) | ||
|
|
||
| 8 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive') | ||
| (Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-05-30) | ||
|
|
||
| Issue # GitHub Issue Title | ||
| ---------------------------------------------------------------------------------------------- | ||
| 844 Update the logging properties to opt-out of the prefix events Component-Logger enhancement | ||
| 846 ESAPI.encoder().canonicalize() converts "&or" or similar strings without having trailing semicolon as logical operator | ||
| 847 Update ESAPI pom to use latest version of AntiSamy (1.7.6) | ||
| 851 Fix typos | ||
|
|
||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Changes Requiring Special Attention | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Important JDK Support Announcement | ||
| * ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. | ||
| - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. | ||
|
|
||
| Important ESAPI Logging Changes | ||
|
|
||
| * Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are | ||
| - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. | ||
| * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. | ||
| - SLF4J (which your choice of supported SLF4J logging implemmentation) | ||
| * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. | ||
| * Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: | ||
| https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 | ||
|
|
||
| If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: | ||
| https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Remaining Known Issues / Problems | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
| None known, other than the remaining open issues on GitHub. | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Other changes in this release, some of which not tracked via GitHub issues | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| * Minor updates to README.md file with respect to version information. | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Developer Activity Report (Changes between release 2.5.4.0 and 2.5.5.0, i.e., between 2024-05-30 and 2024-10-06) | ||
| Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. | ||
| Note: This only lists merged PRs, not those that were closed as rejected. | ||
|
|
||
| Developer Total Total Number # Merged | ||
| (GitHub ID) commits of Files Changed PRs | ||
| ============================================================ | ||
| DebajitKumarPhukan 7 1 1 | ||
| DarioViva42 57 44 1 | ||
| mickeyz07 10 12 1 | ||
| kwwall 2 2 1 | ||
| ============================================================ | ||
| Total PRs: 4 | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| CHANGELOG: Create your own. May I suggest: | ||
|
|
||
| git log --stat --since=2024-05-30 --reverse --pretty=medium | ||
|
|
||
| which will show all the commits since just after the previous (2.5.4.0) release. | ||
|
|
||
| Alternately, you can download the most recent ESAPI source and run | ||
|
|
||
| mvn site | ||
|
|
||
| which will create a CHANGELOG file named 'target/site/changelog.html' | ||
|
|
||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Direct and Transitive Runtime and Test Dependencies: | ||
|
|
||
| $ mvn -B dependency:tree | ||
| [INFO] -----------------------< org.owasp.esapi:esapi >------------------------ | ||
| [INFO] Building ESAPI 2.5.5.0-SNAPSHOT | ||
| [INFO] --------------------------------[ jar ]--------------------------------- | ||
| [INFO] | ||
| [INFO] --- maven-dependency-plugin:3.7.1:tree (default-cli) @ esapi --- | ||
| [INFO] org.owasp.esapi:esapi:jar:2.5.5.0-SNAPSHOT | ||
| [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided | ||
| [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided | ||
| [INFO] +- xom:xom:jar:1.3.9:compile | ||
| [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile | ||
| [INFO] | +- commons-logging:commons-logging:jar:1.2:compile | ||
| [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile | ||
| [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile | ||
| [INFO] +- commons-lang:commons-lang:jar:2.6:compile | ||
| [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile | ||
| [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile | ||
| [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile | ||
| [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.6:compile | ||
| [INFO] | +- commons-io:commons-io:jar:2.16.1:compile | ||
| [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.3.1:compile | ||
| [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2.4:compile | ||
| [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2.5:compile | ||
| [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.17:compile | ||
| [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.17:compile | ||
| [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.17:compile | ||
| [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.17:compile | ||
| [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.17:compile | ||
| [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.9:compile | ||
| [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.3.0:compile | ||
| [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile | ||
| [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile | ||
| [INFO] +- org.slf4j:slf4j-api:jar:2.0.13:compile | ||
| [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile | ||
| [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional) | ||
| [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional) | ||
| [INFO] +- commons-codec:commons-codec:jar:1.17.0:test | ||
| [INFO] +- junit:junit:jar:4.13.2:test | ||
| [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test | ||
| [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test | ||
| [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test | ||
| [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test | ||
| [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test | ||
| [INFO] +- org.mockito:mockito-core:jar:3.12.4:test | ||
| [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test | ||
| [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test | ||
| [INFO] | \- org.objenesis:objenesis:jar:3.2:test | ||
| [INFO] +- org.powermock:powermock-core:jar:2.0.9:test | ||
| [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test | ||
| [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test | ||
| [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test | ||
| [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test | ||
| [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test | ||
| [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test | ||
| [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test | ||
| [INFO] ------------------------------------------------------------------------ | ||
|
|
||
| ----------------------------------------------------------------------------- | ||
|
|
||
| Acknowledgments: | ||
| A special shout-out to our new ESAPI contributors, mickeyz07, DarioViva42, and DebajitKumarPhukan. | ||
| Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.0. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. | ||
|
|
||
| A special thanks to the ESAPI community from the ESAPI project co-leaders: | ||
| Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! | ||
| Matt Seil (xeno6696) | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, | ||
| # which should be run prior to the newReleaseNotes.sh script. | ||
|
|
||
| # ESAPI (new / current) version | ||
| VERSION=2.5.5.0 | ||
|
|
||
| # Previous ESAPI version | ||
| PREV_VERSION=2.5.4.0 | ||
|
|
||
| # Release date of current version in yyyy-mm-dd format | ||
| YYYY_MM_DD_RELEASE_DATE=2024-10-06 | ||
|
|
||
| # Previous ESAPI release date in same format | ||
| PREV_RELEASE_DATE=2024-05-30 |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ROFL