ESAPI
diff --git a/‎CONTRIBUTING-TO-ESAPI.txt‎
Lines changed: 2 additions & 1 deletion b/‎CONTRIBUTING-TO-ESAPI.txt‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 10 additions & 3 deletions b/‎README.md‎
Lines changed: 10 additions & 3 deletions
diff --git a/‎documentation/esapi4java-core-2.2.0.0-release-notes.txt‎
Lines changed: 19 additions & 13 deletions b/‎documentation/esapi4java-core-2.2.0.0-release-notes.txt‎
Lines changed: 19 additions & 13 deletions
diff --git a/‎pom.xml‎
Lines changed: 16 additions & 16 deletions b/‎pom.xml‎
Lines changed: 16 additions & 16 deletions
@@ -69,7 +69,8 @@ Steps to work with ESAPI:
        forked repo created in previous step)
     3. Create a new branch to work on an issue. I usually name the branch
        'issue-#' where '#' is the GitHub issue # is will be working on, but
-       you can call it whatever.
+       you can call it whatever. E.g.,
+            git checkout -b issue-#
     4. Work on the GitHub issue on this newly created issue-# branch.
     5. Make sure everything builds correctly and all the JUnit tests pass
        ('mvn test'). [Note: On occasion, there may be a failure in
 
@@ -42,7 +42,7 @@ When reporting an issue, please be clear and try to ensure that the ESAPI develo
 ### Find an Issue?
 If you have found a bug, then create an issue on the esapi-legacy-java repo: https://github.com/ESAPI/esapi-java-legacy/issues
 
-NOTE: Please do NOT use GitHub issues to ask questions about ESAPI. If you wish to do this, post to either of the 2 mailing lists found at the bottom of this page. If we find questions as GitHub issues, we simply will close them and direct you to do this anyhow.
+NOTE: Please do NOT use GitHub issues to ask questions about ESAPI. If you wish to do this, post to either of the 2 mailing lists (now on Google Groups) found at the bottom of this page. If we find questions as GitHub issues, we simply will close them and direct you to do this anyhow.
 
 ### Find a Vulnerability?
 If you have found a vulnerability in ESAPI legacy, first search the issues list (see above) to see if it has already been reported. If it has not, then please contact both Kevin W. Wall (kevin.w.wall at gmail.com) and Matt Seil (matt.seil at owasp.org) directly. Please do not report vulnerabilities via GitHub issues or via the ESAPI mailing lists as we wish to keep our users secure while a patch is implemented and deployed. If you wish to be acknowledged for finding the vulnerability, then please follow this process. (Eventually, we would like to have BugCrowd handle this, but that's still a ways off.) Also, when you post the email describing the vulnerability, please do so from an email address that you usually monitor.
@@ -64,5 +64,12 @@ Channel: #esapi<br/>
 Webchat http://webchat.freenode.net/
 
 *Mailing lists:*
-[ESAPI-Users mailing list](https://lists.owasp.org/mailman/listinfo/esapi-user/) and
-[ESAPI-Developers mailing list](https://lists.owasp.org/mailman/listinfo/esapi-dev/)
+As of 2019-03-25, ESAPI's 2 mailing lists were officially moved OFF of their Mailman mailing lists to a new home on Google Groups.
+
+The names of the 2 Google Groups are "[esapi-project-users](mailto:[email protected])" and "[esapi-project-dev](mailto:[email protected])", which you may POST to after you subscribe to them via "[Subscribe to ESAPI Users list](https://groups.google.com/forum/#!forum/esapi-project-users/join)" and "[Subscribe to ESAPI Developers list](https://groups.google.com/forum/#!forum/esapi-project-dev/join)" respectively.
+
+Old archives for the old Mailman mailing lists for ESAPI-Users and ESAPI-Dev are still available at https://lists.owasp.org/pipermail/esapi-users/ and https://lists.owasp.org/pipermail/esapi-dev/ respectively.
+
+For a general overview of Google Groups and its web interface, see https://groups.google.com/forum/#!overview
+
+For assistance subscribing and unsubscribing to Google Groups, see https://webapps.stackexchange.com/questions/13508/how-can-i-subscribe-to-a-google-mailing-list-with-a-non-google-e-mail-address/15593#15593
@@ -11,10 +11,9 @@ Executive Summary: Important Things to Note for this Release
 ------------------------------------------------------------
 * Upgrade to require JDK 7 or later. JDK 6 is no longer supported by ESAPI.
 * Upgrade to require Java Servlet API 3.0.1 or later. See "Appendix: Dependency Updates (as reflected in pom.xml)" below for additional details.
-* 106 GitHub issues closed. (Note: Includes previously incorrectly closed issues that were reopened, fixed, and then closed again.)
+* 100+ GitHub issues closed. (Note: Includes previously incorrectly closed issues that were reopened, fixed, and then closed again.)
 * Upgraded versions of several ESAPI dependencies (i.e., 3rd party jars), including several that had unpatched CVEs. See "Appendix: Dependency Updates (as reflected in pom.xml)" below for full details.
 * Known vulnerabilities still not addressed:
-    - ESAPI uses "vulnerable" version of AntiSamy (1.5.7), which is supposedly vulnerable to CVE-2018-100643. I have confirmed that AntiSamy--as currently used by ESAPI--is NOT vulnerable to this CVE as it only uses AntiSamy's CleanResults.getCleanHTML(). Furthermore, I believe that this CVE is a false positive. See my comments on this AntiSamy issue at https://github.com/nahsra/antisamy/issues/32#issuecomment-449595373.
     - There is this critical CVE in log4j 2.x before 2.8.2: CVE-2017-5645. It is a Java deserialization vulnerability that can lead to arbitrary remote code execution. Some private vulnerability databases claim that this same vulnerability is present in log4j 1.x even though the CVE itself does not claim that. However, examination of this CVE shows that the vulnerability is associated with implementations of TcpSocketServer and UdpSocketServer, which implement fully functional socket servers that can be used to listen on network connections and record log events sent to server from various client applications. For ESAPI to be vulnerable to that, first someone would have to have an implementation of wone of those servers running and secondly, they would have to change ESAPI's log4j.xml configuration file so that it uses log4j's SocketAppender rather than the default ConsoleAppender that ESAPI's default deployment uses. Thus even if this vulnerability were present in log4j 1.x, ESAPI's use of ConsoleAppender makes it a non-issue.
     - There is a known and unpatched vulnerability in the SLF4J Extensions that some vulnerability scanners may pick up and associate with ESAPI's use of slf4j-api-1.7.25.jar. (Note that OWASP Dependency Check does NOT flag this vulnerability [CVE-2018-8088], but others may.) According to NVD, this vulnerability is associated with "org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2". Fortunately, I have confirmed that this Java deserialization does not impact ESAPI. First off, the default configuration of ESAPI.properties does not use SLF4J, but even if an application should choose to use it, ESAPI does not include the slf4j-ext jar and it has been confirmed that the vulnerable class (org.slf4j.ext.EventData) is not included in the slf4j-api jar that ESAPI does. Unfortunately, this CVE is not patched in the latest SLF4J packages, so even if we were to update it to latest version (currently 1.80-beta2, as of 12/31/2018), any scanners that associate ESAPI with CVE-2018-8088 would still have this false positive. But the important thing to ESAPI users is to know that if this CVE is identified for ESAPI, that it is a false positive.
     - Otherwise, ESAPI 2.2.0.0 addresses all know CVEs except for CVE-2013-5960 (which I have fixed in a private BitBucket repo, but getting it to be backward compatible is proving to be more difficult than anticipated.) Besides, if you want to use encryption in Java, I'd highly recommend using Google Tink, which is much more fully featured than ESAPI. (Tink allows key rotation, storing keys in various cloud HSMs, etc.)
@@ -37,7 +36,7 @@ That's 2593 NEW tests!!!
 
                 GitHub Issues fixed in this release
             [i.e., since 2.1.0.1 release on 2016-Feb-05]
-                          106 issues closed
+                          More than 100 issues closed
 
 Issue #			GitHub Issue Title
 ----------------------------------------------------------------------------------------------
@@ -148,6 +147,10 @@ Issue #			GitHub Issue Title
 462		Allow configurable init parameter in ESAPIFilter for unauthorized requests
 463		Create release notes for next ESAPI release
 465		Update both ESAPI.properties files to show comment for ESAPI logger support for SLF4J
+471     Bump ESAPI release # to 2.2.0.0
+476     DefaultValidator.getValidInput implementation ignores 'canonicalize' method parameter
+478     Remove obsolete references to Google Code in pom.xml and any other release prep
+483     More miscellaneous prep work for ESAPI 2.2.0.0 release
 
 
 -----------------------------------------------------------------------------
@@ -179,6 +182,9 @@ Issue #			GitHub Issue Title
                 public static String encodeObject( java.io.Serializable serializableObject )
                 public static String encodeObject( java.io.Serializable serializableObject, int options )
                 public static Object decodeToObject( String encodedObject )
+
+    483     More miscellaneous prep work for ESAPI 2.2.0.0 release
+        Specifically, CipherText.getSerialVersionUID() and DefaultSecurityConfiguration.MAX_FILE_NAME_LENGTH have actually been deleted from the ESAPI code base. For the former, use CipherText.cipherTextVersion() instead. For the latter, there is no replacement. (This wasn't being used, but it was set to 1000 in case you're wondering.)
 
 * Various properties in ESAPI.properties were changed in a way that might affect your application:
     439		Tighten ESAPI defaults to disallow dubious file suffixes
@@ -235,12 +241,13 @@ Project co-leaders
     Matt Seil (xeno6696)
 
 Special shout-outs to:
-    Jeremiah Stacey (jeremiahjstacey)
+    Jeremiah Stacey (jeremiahjstacey) -- All around ESAPI support and JUnit test case developer extraordinaire
+    Dave Wichers (davewichers) - for Maven Central / Sonatype help
 
 List of all PRs closed since 2.1.0.1 (2016-Feb-05) -
         List includes merged AND rejected PRs
 
-  52 Closed PRs since 2.1.0.1 release
+  53 Closed PRs since 2.1.0.1 release
   ===================================
 #362 by artfullyContrived was merged on Feb 9, 2016 -- Update pom.xml to use latest Maven plugins
 #367 by drm2 was merged on Apr 9, 2016 -- Adding IntelliJ Tests setup documentation
@@ -296,12 +303,13 @@ List of all PRs closed since 2.1.0.1 (2016-Feb-05) -
 #470 by jeremiahjstacey was merged on Jan 15, 2019 -- JavaLogFactory Thread Safety #286
 #472 by jeremiahjstacey was merged on Jan 21, 2019 -- Issue #31 MySQLCodec Updates
 #475 by jeremiahjstacey was merged on Jan 27, 2019 -- Issue #188 resolution proof: Test updates
+#477 by jeremiajjstacey was merged on Feb 02, 2019 -- $476 DefaultValidator.getValidInput uses canonicalize method argument
 
 List of contributors of *merged* PRs, listed (rather naively) by # or merged PRs:
         # merged PRs    GitHub ID
         -------------------------
              19         xeno6696
-              8         jeremiahjstacey
+             10         jeremiahjstacey
               8         kwwall
               2         artfullyContrived
               2         augustd
@@ -312,8 +320,6 @@ List of contributors of *merged* PRs, listed (rather naively) by # or merged PRs
               1         NiklasMehner
               1         simon0117
               1         sunnypav
-	========================
-	     47 merged PRs + 6 closed PRs = 53 PRs merged or closed
 
 
 Thanks you all for your time and effort to ESAPI and making it a better project.
@@ -326,15 +332,15 @@ Many 3rd party dependencies had known vulnerabilities (e.g., CVEs reported to NI
 
 Note that in many places, these 3rd party dependencies were not *direct* dependencies, but rather *transitive* and since we are not able to force a direct 3rd party dependency to update their dependencies, in several cases, we have used Maven's <exclusions> tag to exclude specific transitive dependencies andthen explictly included their latest patched versions that did not cause JUnit test failures.
 
-Because the landscape of known vulnerabilities in 3rd party components is constantly changing and the OWASP ESAPI contributors do not have access to all private vulnerability databases, we may have inevitably missed some. In other cases, we have examined reported vulnerabilities and confirmed that as ESAPI uses and deploys the code in its default configuration, the claimed vulnerabilities are not exploitable. (Such is the case for CVE-2018-100643 as it related to AntiSamy 1.5.7 and earlier.)
+Because the landscape of known vulnerabilities in 3rd party components is constantly changing and the OWASP ESAPI contributors do not have access to all private vulnerability databases, we may have inevitably missed some. In other cases, we have examined reported vulnerabilities and confirmed that as ESAPI uses and deploys the code in its default configuration, the claimed vulnerabilities are not exploitable.
 
 The following lists all new and updated dependencies. If a dependency is not listed below, the version used since ESAPI release 2.1.0.1 has not changed.
 
 New compile-time / runtime direct dependencies:
     org.slf4j:slf4j-api:1.7.25 - Not actually needed in your application's classpath unless ESAPI.Logger is configured to use org.owasp.esapi.logging.slf4j.Slf4JLogFactory.
 
 New JUnit dependencies
-    org.bouncycastle:bcprov-jdk15on:1.60
+    org.bouncycastle:bcprov-jdk15on:1.61
     org.powermock:powermock-api-mockito2:2.0.0-beta.5
     org.powermock:powermock-module-junit4:2.0.0-beta.5
 
@@ -345,12 +351,12 @@ Updated direct dependencies, by Maven scope
 
   compile:
     commons-fileupload:commons-fileupload:      1.3.1 -> 1.3.3
-    org.apache.commons:commons-collections4:    3.2.2 -> 4.2
+    org.apache.commons:commons-collections4:    3.2.2 -> 4.3
     commons-beanutils:commons-beanutils-core:   1.8.3 -> 1.9.3
     com.io7m.xom:xom:                           1.2.5 -> 1.2.10
     org.apache-extras.beanshell:bsh:            2.0b4 -> 2.0b6
-    org.owasp.antisamy:antisamy:                1.5.3 -> 1.5.7
-    org.apache.xmlgraphics:batik-css:           1.8   -> 1.10
+    org.owasp.antisamy:antisamy:                1.5.3 -> 1.5.8
+    org.apache.xmlgraphics:batik-css:           1.8   -> 1.11
 
     Transitive runtime dependencies that ESAPI has now directly taken control off because of known vulnerabilities or other incompatibilities:
         xalan:xalan:                            2.7.0 -> 2.7.2
 
@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.esapi</groupId>
     <artifactId>esapi</artifactId>
-    <version>2.2.0.0-RC2-SNAPSHOT</version>
+    <version>2.2.0.0-RC2</version>
     <packaging>jar</packaging>
 
     <prerequisites>
@@ -13,7 +13,7 @@
     <parent>
         <groupId>org.sonatype.oss</groupId>
         <artifactId>oss-parent</artifactId>
-        <version>5</version>
+        <version>9</version>
     </parent>
 
     <licenses>
@@ -47,19 +47,19 @@
 
     <mailingLists>
         <mailingList>
-            <name>ESAPI-Users</name>
-            <subscribe>https://lists.owasp.org/mailman/listinfo/esapi-user/</subscribe>
-            <unsubscribe>https://lists.owasp.org/mailman/listinfo/esapi-user/</unsubscribe>
-            <post>mailto:esapi-users@lists.owasp.org</post>
-            <archive>https://lists.owasp.org/pipermail/esapi-users/</archive>
+            <name>ESAPI-Project-Users</name>
+            <subscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-users/join</subscribe>
+            <unsubscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-users/unsubscribe</unsubscribe>
+            <post>mailto:esapi-project-[email protected]</post>
+            <archive>(Pre 3/25/2019) https://lists.owasp.org/pipermail/esapi-users/</archive>
             <!--This is the OWASP ESAPI mailing list for ESAPI users, regardless of programming language. For example, ESAPI users with questions about ESAPI for Java or ESAPI for PHP would both post here.-->
         </mailingList>
         <mailingList>
-            <name>ESAPI-Developers</name>
-            <subscribe>https://lists.owasp.org/mailman/listinfo/esapi-dev/</subscribe>
-            <unsubscribe>https://lists.owasp.org/mailman/listinfo/esapi-dev/</unsubscribe>
-            <post>mailto:esapi-dev@lists.owasp.org</post>
-            <archive>https://lists.owasp.org/pipermail/esapi-dev/</archive>
+            <name>ESAPI-Project-Dev</name>
+            <subscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join</subscribe>
+            <unsubscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/unsubscribe</unsubscribe>
+            <post>mailto:esapi-project-[email protected]</post>
+            <archive>(Pre 3/25/2019) https://lists.owasp.org/pipermail/esapi-dev/</archive>
             <!--This is the OWASP ESAPI mailing list for ESAPI for Java developers. While the list is not closed, the topics of discussion are likely to be less relevant to those only using ESAPI. Note that this is the list for ESAPI for Java. Most other language implementations, such ESAPI for PHP, have their own mailing lists.-->
         </mailingList>
         <mailingList>
@@ -166,7 +166,7 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-collections4</artifactId>
-            <version>4.2</version>
+            <version>4.3</version>
         </dependency>
         <dependency>
             <groupId>log4j</groupId>
@@ -203,7 +203,7 @@
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
             <artifactId>antisamy</artifactId>
-            <version>1.5.7</version>
+            <version>1.5.8</version>
             <exclusions>
                 <exclusion>
                     <groupId>xml-apis</groupId>
@@ -233,7 +233,7 @@
         <dependency>
             <groupId>org.apache.xmlgraphics</groupId>
             <artifactId>batik-css</artifactId>
-            <version>1.10</version>
+            <version>1.11</version>
         </dependency>
         <dependency>
             <groupId>xerces</groupId>
@@ -251,7 +251,7 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
-            <version>1.60</version>
+            <version>1.61</version>
             <scope>test</scope>
         </dependency>
         <dependency>