|
| 1 | +Release notes for ESAPI 2.5.1.0 |
| 2 | + Release date: 2022-11-27 |
| 3 | + Project leaders: |
| 4 | + -Kevin W. Wall < [email protected]> |
| 5 | + |
| 6 | + |
| 7 | +Previous release: ESAPI 2.5.0.0, 2022-07-20 |
| 8 | + |
| 9 | + |
| 10 | +Executive Summary: Important Things to Note for this Release |
| 11 | +------------------------------------------------------------ |
| 12 | +This is a patch release with the primary intent of updating some dependencies, some which addressed known vulnerabilities in these dependencies, but which we do not believe were exploitable via ESAPI. The major updates are: |
| 13 | + * Updates to latest versions of direct dependencies, including: |
| 14 | + - An update to AntiSamy: 1.7.0 --> 1.7.2 |
| 15 | + - An update to SLFJ4 API: 1.7.36 --> 2.0.4 (Note: 2.0.5 is available and likely would would result in "convergence" issues with the version AntiSamy 1.7.2 pulls in) |
| 16 | + * A new codec (org.owasp.esapi.codecs.JSONCodec) is provided that provides JSON output encoding as per section 7 of RFC 8259. It is made available via Encoder.encodeForJSON(). (Note unlike other encoders, there is no corresponding decoder (i.e., decodeForJSON()) made available. Since that would normally be done by your JavaScript code, it wasn't deemed essential. |
| 17 | + |
| 18 | +For those of you using a Software Configuration Analysis (SCA) services such as Snyk, BlackDuck, Veracode SourceClear, OWASP Dependency Check, etc., you will notice that the 4 Log4J 1.x related CVEs are no longer flagged. This is because we have finally removed the Log4J 1.2.17 dependency in ESAPI 2.5.0.0. |
| 19 | + |
| 20 | +Any remaining flagged vulnerabilities (e.g., CVE-2020-7791 for transitive dependency batik-i18n-1.14) are believed to be false postives. |
| 21 | + |
| 22 | +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. |
| 23 | + |
| 24 | + |
| 25 | +================================================================================================================= |
| 26 | + |
| 27 | +Basic ESAPI facts |
| 28 | +----------------- |
| 29 | + |
| 30 | +ESAPI 2.5.0.0 release: |
| 31 | + 206 Java source files |
| 32 | + 4274 JUnit tests in 131 Java source files (0 tests skipped) |
| 33 | + |
| 34 | +ESAPI 2.5.1.0 release: |
| 35 | + 207 Java source files |
| 36 | + 4292 JUnit tests in 131 Java source files (0 tests skipped) |
| 37 | + |
| 38 | +15 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). |
| 39 | +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-07-20) |
| 40 | + |
| 41 | +Issue # GitHub Issue Title |
| 42 | +---------------------------------------------------------------------------------------------- |
| 43 | +757 again .. [falsepositive] |
| 44 | +755 Upgrade batik-css-1.14 because of vulnerability |
| 45 | +754 JSON encoder |
| 46 | +749 Error in initializing org.owasp.esapi.logging.java.JavaLogFactory. [Converted to discussion #750.] |
| 47 | +747 Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception [Converted to discussion #751] |
| 48 | +743 Indirect dependency to vulnerable Xerces, CVE-2017-10355 [falsepositive, wontfix] |
| 49 | +740 Update SLF4J log bridge to allow NULL EventTypes |
| 50 | +735 Improve ConfigurationException message thrown from EsapiPropertyLoaderFactory.createPropertyLoader() |
| 51 | +734 Change skin for mvn site report to use fluido Build-Maven |
| 52 | +733 Executing 'mvn site' does not produce tag documentation |
| 53 | +727 ESAPI - Not working with Eclipse [falsepositive, wontfix] |
| 54 | +710 JavaLogFactory configuration should not override custom java LogManager configuration |
| 55 | +610 Add Deprecation Logging content for Log4JLogFactory Usage |
| 56 | +527 Configuration flag for disabling Logger User and App Information [falsepositive] |
| 57 | +433 Class Cast Exception when trying to run JUnit Tests [question, wontfix] |
| 58 | + |
| 59 | +----------------------------------------------------------------------------- |
| 60 | + |
| 61 | + Changes Requiring Special Attention |
| 62 | + |
| 63 | +----------------------------------------------------------------------------- |
| 64 | + |
| 65 | +Important JDK Support Announcement |
| 66 | +* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. |
| 67 | + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. |
| 68 | + |
| 69 | +Important ESAPI Logging Changes |
| 70 | + |
| 71 | +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are |
| 72 | + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. |
| 73 | + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. |
| 74 | + - SLF4J (which your choice of supported SLF4J logging implemmentation) |
| 75 | + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. |
| 76 | +* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: |
| 77 | + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 |
| 78 | + |
| 79 | +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: |
| 80 | + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x |
| 81 | + |
| 82 | +----------------------------------------------------------------------------- |
| 83 | + |
| 84 | + Remaining Known Issues / Problems |
| 85 | + |
| 86 | +----------------------------------------------------------------------------- |
| 87 | +None known, other than the remaining open issues on GitHub. |
| 88 | + |
| 89 | +----------------------------------------------------------------------------- |
| 90 | + |
| 91 | + Other changes in this release, some of which not tracked via GitHub issues |
| 92 | + |
| 93 | +----------------------------------------------------------------------------- |
| 94 | + |
| 95 | +* Minor updates to README.md file with respect to version information. |
| 96 | + |
| 97 | +----------------------------------------------------------------------------- |
| 98 | + |
| 99 | +Developer Activity Report (Changes between release 2.5.0.0 and 2.5.1.0, i.e., between 2022-07-20 and 2022-11-27) |
| 100 | +Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. |
| 101 | + |
| 102 | +@@@@ |
| 103 | +@@@@ This section needs to be manually updated. |
| 104 | +@@@@ |
| 105 | +Developer Total Total Number # Merged |
| 106 | +(GitHub ID) commits of Files Changed PRs |
| 107 | +======================================================== |
| 108 | +jeremiahjstacey 10 10 3 |
| 109 | +noloader 4 316 4 |
| 110 | +Jeff-Walker 2 3 1 |
| 111 | +HenriquePinto333 2 1 1 |
| 112 | +davewichers 2 3 1 |
| 113 | +xeno6696 31 6 1 |
| 114 | +kwwall 1 1 0 |
| 115 | +======================================================== |
| 116 | + Total Merged PRs: 11 |
| 117 | + |
| 118 | +----------------------------------------------------------------------------- |
| 119 | + |
| 120 | +CHANGELOG: Create your own. May I suggest: |
| 121 | + |
| 122 | + git log --stat --since=2022-07-20 --reverse --pretty=medium |
| 123 | + |
| 124 | + which will show all the commits since just after the previous (2.5.0.0) release. |
| 125 | + |
| 126 | + Alternately, you can download the most recent ESAPI source and run |
| 127 | + |
| 128 | + mvn site |
| 129 | + |
| 130 | + which will create a CHANGELOG file named 'target/site/changelog.html' |
| 131 | + |
| 132 | + |
| 133 | +----------------------------------------------------------------------------- |
| 134 | + |
| 135 | +Direct and Transitive Runtime and Test Dependencies: |
| 136 | + |
| 137 | + $ mvn -B dependency:tree |
| 138 | + ... |
| 139 | + [INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ esapi --- |
| 140 | + [INFO] org.owasp.esapi:esapi:jar:2.5.1.0-SNAPSHOT |
| 141 | + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided |
| 142 | + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided |
| 143 | + [INFO] +- xom:xom:jar:1.3.8:compile |
| 144 | + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile |
| 145 | + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile |
| 146 | + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile |
| 147 | + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile |
| 148 | + [INFO] +- commons-lang:commons-lang:jar:2.6:compile |
| 149 | + [INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile |
| 150 | + [INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile |
| 151 | + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile |
| 152 | + [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.2:compile |
| 153 | + [INFO] | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.66.0:compile |
| 154 | + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.2:compile |
| 155 | + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.2:compile |
| 156 | + [INFO] | +- org.apache.httpcomponents.core5:httpcore5:jar:5.2:compile |
| 157 | + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.16:compile |
| 158 | + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.16:compile |
| 159 | + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.16:compile |
| 160 | + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.16:compile |
| 161 | + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.16:compile |
| 162 | + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.7:compile |
| 163 | + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile |
| 164 | + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile |
| 165 | + [INFO] +- org.slf4j:slf4j-api:jar:2.0.4:compile |
| 166 | + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile |
| 167 | + [INFO] +- commons-io:commons-io:jar:2.11.0:compile |
| 168 | + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.7.3:compile |
| 169 | + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile |
| 170 | + [INFO] +- commons-codec:commons-codec:jar:1.15:test |
| 171 | + [INFO] +- junit:junit:jar:4.13.2:test |
| 172 | + [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.70:test |
| 173 | + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test |
| 174 | + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test |
| 175 | + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test |
| 176 | + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test |
| 177 | + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test |
| 178 | + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test |
| 179 | + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test |
| 180 | + [INFO] | \- org.objenesis:objenesis:jar:3.2:test |
| 181 | + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test |
| 182 | + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test |
| 183 | + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test |
| 184 | + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test |
| 185 | + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test |
| 186 | + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.36:test |
| 187 | + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test |
| 188 | + [INFO] \- org.apache.commons:commons-math3:jar:3.2:test |
| 189 | + [INFO] ------------------------------------------------------------------------ |
| 190 | + [INFO] BUILD SUCCESS |
| 191 | + [INFO] ------------------------------------------------------------------------ |
| 192 | + |
| 193 | +----------------------------------------------------------------------------- |
| 194 | + |
| 195 | +Acknowledgments: |
| 196 | + Another hat tip to Dave Wichers and the AntiSamy crew for promptly releasing AntiSamy 1.7.2. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. |
| 197 | + |
| 198 | +A special thanks to the ESAPI community from the ESAPI project co-leaders: |
| 199 | + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! |
| 200 | + Matt Seil (xeno6696) |
0 commit comments