Pom updates to address issue #847 (#848)
* Close GitHub issue #847.
1. Update pom to latest version of compatible dependencies and plugins.
2. Remove commons-io:commons-io:2.15.1, which was previously needed for dependency convergence: Commons FileUpload no longer requires it and AntiSamy 1.7.5 now uses 2.15.1, so we no longer need to declare it explicitly for convergence to succeed.

* Minor documentation tweaks to esapi.tld.
kwwall authored Jul 14, 2024
1 parent cb3839f commit b610633
Showing 2 changed files with 24 additions and 37 deletions.
55 changes: 20 additions & 35 deletions pom.xml
Expand Up @@ -134,9 +134,9 @@
<version.findsecbugs>2.0.0-M3</version.findsecbugs>
<version.fluido>2.0.0-M9</version.fluido>
<version.powermock>2.0.9</version.powermock>
<version.spotbugs>4.8.5</version.spotbugs>
<version.spotbugs.maven>4.8.5.0</version.spotbugs.maven>
<version.surefire>3.2.5</version.surefire>
<version.spotbugs>4.8.6</version.spotbugs>
<version.spotbugs.maven>4.8.6.2</version.spotbugs.maven>
<version.surefire>3.3.0</version.surefire>
<project.java.target>1.8</project.java.target>
<!-- TODO: Be sure to update. Should be date of previous official release -->
<!-- Exact date in the form 'yyyy-dd-yy 00:00:00' should be used. You can find the previous release date -->
Expand Down Expand Up @@ -233,7 +233,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.5.0-M1</version>
<version>4.5.0-M2</version>
</dependency>
<dependency>
<groupId>org.apache-extras.beanshell</groupId>
Expand All @@ -243,7 +243,7 @@
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<version>1.7.5</version>
<version>1.7.6</version>
<exclusions>
<!-- excluded because we directly import newer version below. -->
<exclusion>
Expand Down Expand Up @@ -274,21 +274,6 @@
<version>1.4.01</version>
</dependency>

<!--
FORCE SPECIFIC VERSIONS OF TRANSITIVE DEPENDENCIES EXCLUDED ABOVE.
This is to force patched versions of these libraries with known CVEs against them.
-->
<dependency>
<!-- We include this, because Commons File Upload still includes an
old one, but AntiSamy 1.7.4 includes a newer one (2.14.0), which causes the goal
org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce to fail
in DependencyConvergence.
-->
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>2.15.1</version>
</dependency>

<!-- SpotBugs dependencies -->
<dependency>
<groupId>com.github.spotbugs</groupId>
Expand Down Expand Up @@ -423,17 +408,17 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>3.6.1</version>
<version>3.7.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>3.0.1</version>
<version>3.1.0</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.16.2</version>
<version>2.17.0</version>
<configuration>
<rulesUri>file:${project.basedir}/versionRuleset.xml</rulesUri>
</configuration>
Expand Down Expand Up @@ -488,7 +473,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-clean-plugin</artifactId>
<version>3.3.2</version>
<version>3.4.0</version>
</plugin>

<plugin>
Expand Down Expand Up @@ -543,7 +528,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.4.1</version>
<version>3.5.0</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
Expand All @@ -553,7 +538,7 @@
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>animal-sniffer-enforcer-rule</artifactId>
<version>1.23</version>
<version>1.24</version>
</dependency>
</dependencies>

Expand Down Expand Up @@ -636,7 +621,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.4.1</version>
<version>3.4.2</version>
<configuration>
<archive>
<manifest>
Expand All @@ -648,9 +633,9 @@
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.6.3</version>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.7.0</version>
<configuration>
<source>8</source>
<doclint>none</doclint>
Expand All @@ -668,19 +653,19 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>3.3.2</version>
<version>3.4.0</version>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.22.0</version>
<version>3.23.0</version>
</plugin>

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.5.0</version>
<version>3.6.1</version>
</plugin>

<plugin>
Expand All @@ -694,7 +679,7 @@
The skin is referenced in src/site/site.xml. -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>4.0.0-M14</version>
<version>4.0.0-M15</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.skins</groupId>
Expand Down Expand Up @@ -755,7 +740,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>9.2.0</version>
<version>10.0.2</version>
<configuration>
<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
<failBuildOnCVSS>1.0</failBuildOnCVSS>
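Review bot: Dropping the explicit commons-io 2.15.1 pin (the block removed under the -274 hunk) means the effective commons-io version is now whatever Maven's nearest-wins resolution picks out of the AntiSamy and Commons FileUpload transitive graphs, and the only things standing between the build and an older vulnerable copy creeping back are the enforcer's dependencyConvergence rule and dependency-check, both of which this commit also bumps. The commit message justifies the removal with AntiSamy 1.7.5, whereas the -243 hunk bumps AntiSamy to 1.7.6, so it is the transitive commons-io of 1.7.6 that should be confirmed with `mvn dependency:tree` before this lands. Since the removed comment was the only record of why convergence used to fail here, I'd leave a one-line marker where the block was, e.g. `<!-- commons-io is no longer pinned here: it converges via AntiSamy and Commons FileUpload; re-check dependency:tree and enforcer convergence whenever either is bumped. -->`.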
6 changes: 4 additions & 2 deletions src/main/resources/META-INF/esapi.tld
Expand Up @@ -7,7 +7,7 @@
~ Enterprise Security API (ESAPI) project. For details, please see
~ <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
~
~ Copyright (c) 2007 - The OWASP Foundation
~ Copyright (c) 2007-2024 - The OWASP Foundation
~
~ The ESAPI is published by OWASP under the BSD license. You should read and accept the
~ LICENSE before you use, modify, and/or redistribute this software.
Expand All @@ -22,14 +22,16 @@
xsi:schemaLocation="
http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd"
version="2.0">
version="2.x">
<description>
OWASP Enterprise Security API (ESAPI) provides
a JSP Tag Library that supplies easy access to
encoding functionality in the form of JSP Tags and EL
functions. These can be used to properly escape user
supplied data at display time so that it cannot be used
in injection attacks like Cross Site Scripting (XSS).
This tag library applies to all of ESAPI 2.x versions. Its
interface hasn't changed since 2.0.
</description>
<display-name>OWASP ESAPI</display-name>
<tlib-version>2.0</tlib-version>
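Review bot: `version="2.x"` on the `taglib` root (replacing `version="2.0"` in the -22 hunk) is not a valid value for that attribute: the schema the element itself points to, web-jsptaglibrary_2_0.xsd, types `version` as a dotted numeric (dewey) version and, as far as I recall, fixes it at 2.0, so a container or tool that validates the TLD against the schema will reject the descriptor while non-validating parsers silently accept it. That attribute identifies the JSP tag-library descriptor schema version, not the range of ESAPI releases the library serves, and the intent is already expressed by the new description sentence and by `<tlib-version>2.0</tlib-version>`. I'd revert that one line to `version="2.0">` and keep the description change.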