-
Notifications
You must be signed in to change notification settings - Fork 364
/
esapi4java-core-2.6.0.0-release-notes.txt
192 lines (146 loc) · 11.6 KB
/
esapi4java-core-2.6.0.0-release-notes.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
Release notes for ESAPI 2.6.0.0
Release date: 2024-11-25
Project leaders:
-Kevin W. Wall <[email protected]>
-Matt Seil <[email protected]>
Previous release: ESAPI 2.5.5.0, 2024-10-08
Executive Summary: Important Things to Note for this Release
------------------------------------------------------------
This ESAPI release removes the Validator.isValidSafeHTML methods and references to it from ESAPI code. We will NOT be replacing it. This is to fulfill GitHub Security Advisory https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm and GitHub issue #859.
ESAPI was also updated to use the latest version of AntiSamy, 1.7.7.
Notes if you are not updating from the immediate previous release. release 2.5.5.0:
* You need to read through the series of release notes FIRST, going in order.
* For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read:
esapi4java-core-2.4.0.0-release-notes.txt
esapi4java-core-2.5.0.0-release-notes.txt
esapi4java-core-2.5.1.0-release-notes.txt
esapi4java-core-2.5.2.0-release-notes.txt
...etc., up through the current set of release notes...
esapi4java-core-2.x.y.z-release-notes.txt
in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.)
If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI.
You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions.
=================================================================================================================
Basic ESAPI facts
-----------------
ESAPI 2.5.5.0 release:
207 Java source files
4297 JUnit tests in 131 Java test files
ESAPI 2.6.0.0 release:
207 Java source files
4312 JUnit tests in 133 Java source files
2 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-10-08)
Issue # GitHub Issue Title
----------------------------------------------------------------------------------------------
204 DefalutValidator.isValidSafeHTML() doesn't work (wontfix)
859 Remove deprecated Validator.isValidSafeHTML methods
-----------------------------------------------------------------------------
Changes Requiring Special Attention
-----------------------------------------------------------------------------
Breaking Change - deprecated methods removed
* As of 2.6.0.0, the methods Validator.isValidSafeHTML are deleted. We won't be bring them back. See https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-r68h-jhhj-9jvm and the associated Security Bulletin for details.
Important JDK Support Announcement
* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason.
- This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier.
Important ESAPI Logging Changes
* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are
- java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0.
* Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file.
- SLF4J (which your choice of supported SLF4J logging implemmentation)
* Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file.
* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78
If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here:
https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x
-----------------------------------------------------------------------------
Remaining Known Issues / Problems
-----------------------------------------------------------------------------
None known, other than the remaining open issues on GitHub.
-----------------------------------------------------------------------------
Other changes in this release, some of which not tracked via GitHub issues
-----------------------------------------------------------------------------
* Minor updates to README.md file with respect to version information.
-----------------------------------------------------------------------------
Developer Activity Report (Changes between release 2.5.5.0 and 2.6.0.0, i.e., between 2024-10-08 and 2024-11-25)
Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
Figures do not include rejected PRs.
Developer Total Total Number # Merged
(GitHub ID) commits of Files Changed PRs
========================================================
kwwall 15 13 1
========================================================
Total PRs: 1
-----------------------------------------------------------------------------
CHANGELOG: Create your own. May I suggest:
git log --stat --since=2024-10-08 --reverse --pretty=medium
which will show all the commits since just after the previous (2.5.5.0) release.
Alternately, you can download the most recent ESAPI source and run
mvn site
which will create a CHANGELOG file named 'target/site/changelog.html'
-----------------------------------------------------------------------------
Direct and Transitive Runtime and Test Dependencies:
$ mvn -B dependency:tree
...
[INFO] --- maven-dependency-plugin:3.8.0:tree (default-cli) @ esapi ---
[INFO] org.owasp.esapi:esapi:jar:2.6.0.0-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
[INFO] +- xom:xom:jar:1.3.9:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile
[INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] +- org.owasp.antisamy:antisamy:jar:1.7.7:compile
[INFO] | +- commons-io:commons-io:jar:2.18.0:compile
[INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.4.1:compile
[INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.3.1:compile
[INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.3.1:compile
[INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.18:compile
[INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.18:compile
[INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.18:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.18:compile
[INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.18:compile
[INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.10:compile
[INFO] | +- org.htmlunit:neko-htmlunit:jar:4.6.0:compile
[INFO] | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] +- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.8.6:compile (optional)
[INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional)
[INFO] +- commons-codec:commons-codec:jar:1.17.1:test
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test
[INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test
[INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test
[INFO] +- org.mockito:mockito-core:jar:3.12.4:test
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test
[INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test
[INFO] | \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- org.powermock:powermock-core:jar:2.0.9:test
[INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test
[INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test
[INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test
[INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test
[INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test
[INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test
[INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.884 s
[INFO] Finished at: 2024-11-25T15:35:40-05:00
[INFO] ------------------------------------------------------------------------
-----------------------------------------------------------------------------
Acknowledgments:
Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.7. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you.
A special thanks to the ESAPI community from the ESAPI project co-leaders:
Kevin W. Wall (kwwall) <== The irresponsible party for these release notes!
Matt Seil (xeno6696)