Close issue #581. Details of changes follow:

Edited output from

    $ mvn -U versions:display-dependency-updates

with pom.xml from 2.2.1.1 release:

[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   com.github.spotbugs:spotbugs-annotations .............. 4.0.4 -> 4.1.4         <== Updated to 4.1.4
[INFO]   commons-fileupload:commons-fileupload ................... 1.3.3 -> 1.4         <== 1.4 causes test to JUnit test to fail.
[INFO]   commons-io:commons-io ................................... 2.6 -> 2.8.0         <== 2.7 and later requires Java 8. Can't update yet.
[INFO]   javax.servlet:javax.servlet-api ....................... 3.0.1 -> 4.0.1         <== Do not update. Support for new major # (4.x) of servlet-api may require updates to newer Java Servlet Engines / App Servers and thus newer versions of the JRE. We are trying to support JRE 7 for now (until CVEs force us to upgrate). Hopefully we can support JRE 7 through the EOL of ESAPI 2.x, whenever that may happen.
[INFO]   org.apache.commons:commons-collections4 ................... 4.2 -> 4.4         <== 4.3 and newer requires Java 8. Can't update yet.
[INFO]   org.bouncycastle:bcprov-jdk15on ...................... 1.65.01 -> 1.67         <== Test scope. Unchanged. Updating to 1.67 causes NPE. Specifically, get this error running 'mvn site':
    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.9.1:site (default-site) on project esapi: failed to get report for org.apache.maven.plugins:maven-javadoc-plugin: Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce (check-java-versions) on project esapi: Execution check-java-versions of goal org.apache.maven.plugins:maven-enforcer-plugin:3.0.0-M3:enforce failed.: NullPointerException -> [Help 1]

[INFO]   org.javassist:javassist ....................... 3.25.0-GA -> 3.27.0-GA         <== Test scope. Unchanged. This is latest version that supports Java 7.
[INFO]   org.mockito:mockito-core ............................. 2.28.2 -> 3.6.0         <== Test scope. Unchanged.
[INFO]   org.openjdk.jmh:jmh-core ................................ 1.23 -> 1.26         <== Test scope. Unchanged.
[INFO]   org.openjdk.jmh:jmh-generator-annprocess ................ 1.23 -> 1.26         <== Test scope. Unchanged.
[INFO]   org.powermock:powermock-api-mockito2 .................. 2.0.7 -> 2.0.9         <== Test scope. Unchanged.
[INFO]   org.powermock:powermock-module-junit4 ................. 2.0.7 -> 2.0.9         <== Test scope. Unchanged.
[INFO]   org.powermock:powermock-reflect ....................... 2.0.7 -> 2.0.9         <== Test scope. Unchanged.
[INFO]   org.slf4j:slf4j-api ........................... 1.7.30 -> 2.0.0-alpha1         <== 1.7.30 is latest GA release (as of 11/24/2020).
[INFO]   xml-apis:xml-apis .................................... 1.4.01 -> 2.0.2         <== False positive. 1.4.01 is actually the latest official release (2011). As per https://mvnrepository.com/artifact/xml-apis/xml-apis, 2.0.0 was from 2005 and was moved to "xml-apis » xml-apis » 1.0.b2" and 2.0.2 was also from 2005 and moved to "xml-apis » xml-apis » 1.0.b2". So it appears it was just a messed up release versioning problem.

Edited output from

    $ mvn -U versions:display-plugin-updates

with pom.xml from 2.2.1.1 release:

[INFO] The following dependencies in Plugin Dependencies have newer versions:
[INFO]   org.codehaus.mojo:animal-sniffer-enforcer-rule .......... 1.17 -> 1.19         <== Updated to 1.18. Updating to 1.19 gives lots of errors on 'mvn site'.
[INFO]   org.codehaus.mojo:extra-enforcer-rules .................... 1.2 -> 1.3         <== Updated to 1.3.

Author: kwwall

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.esapi</groupId>
     <artifactId>esapi</artifactId>
-    <version>2.3.0.0-SNAPSHOT</version>
+    <version>2.2.2.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <distributionManagement>
@@ -134,7 +134,8 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <version.jmh>1.23</version.jmh>
         <version.powermock>2.0.7</version.powermock>
-        <version.spotbugs>4.0.4</version.spotbugs>
+        <version.spotbugs>4.1.4</version.spotbugs>
+
         <!-- Upgrading to 3.0.0-M3+ causes this test case error:
                 org.owasp.esapi.reference.DefaultValidatorInputStringAPITest.getValidInputNullAllowedPassthrough  Time elapsed: 2.057 s  <<< ERROR!
                 java.lang.OutOfMemoryError: PermGen space
@@ -238,17 +239,7 @@
         <dependency>
             <groupId>org.owasp.antisamy</groupId>
             <artifactId>antisamy</artifactId>
-            <version>1.5.10</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>xml-apis</groupId>
-                    <artifactId>xml-apis</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>xerces</groupId>
-                    <artifactId>xercesImpl</artifactId>
-                </exclusion>
-            </exclusions>
+            <version>1.5.11</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -295,6 +286,7 @@
         <dependency>
             <groupId>xerces</groupId>
             <artifactId>xercesImpl</artifactId>
+            <!-- Note: CVE-2020-14338) in xercesImpl:2.12.0 but Apache has not released an update to this library yet to eliminate it. See ESAPI-security-bulletin3.pdf for further details. -->
             <version>2.12.0</version>
         </dependency>
         <dependency>
@@ -327,6 +319,7 @@
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>
+                <!-- Tried to update this to 1.67 but that resulted in error when running 'mvn site' -->
             <version>1.65.01</version>
             <scope>test</scope>
         </dependency>
@@ -506,16 +499,30 @@
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>extra-enforcer-rules</artifactId>
-                    <version>1.2</version>
+                    <version>1.3</version>
                   </dependency>
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>animal-sniffer-enforcer-rule</artifactId>
-                    <!-- Apparently 1.18+ requires Java 8 to run, so this is the most recent version of this plugin we can use -->
-                    <version>1.17</version>
+                    <!-- Updating to 1.19 causes lots of errors in 'mvn site' so leaving at 1.18 for now. -->
+                    <version>1.18</version>
                   </dependency>
                 </dependencies>
                 <executions>
+                    <execution>
+                        <id>enforce-maven</id>
+                        <goals>
+                          <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                          <rules>
+                            <requireMavenVersion>
+                              <version>[3.2.5,)</version>
+                              <message>Building ESAPI 2.x now requires Maven 3.2.5 or later.</message>
+                            </requireMavenVersion>
+                          </rules>
+                        </configuration>
+                    </execution>
                     <execution>
                       <id>check-java-versions</id>
                       <phase>compile</phase>
@@ -739,7 +746,7 @@
                 </configuration>
             </plugin>
             <plugin>
-            	<!-- Generate /site/apidocs and /site/testapidocs -->
+                <!-- Generate /site/apidocs and /site/testapidocs -->
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
                 <configuration>