docs: Update README after v5 release (box/box-codegen#869) (#1527)

Author: box-sdk-build

.codegen.json

@@ -1 +1 @@
-{ "engineHash": "192deac", "specHash": "cf21406", "version": "10.1.0" }
+{ "engineHash": "b98d1dc", "specHash": "cf21406", "version": "10.1.0" }

README.md

@@ -2,39 +2,43 @@
   <img src="https://github.com/box/sdks/blob/master/images/box-dev-logo.png" alt= “box-dev-logo” width="30%" height="50%">
 </p>
 
-# Versioning Strategy
-
-Starting with v10 of the SDK, we’ve introduced a new generated codebase designed to enhance your experience with the Box API.  
-It is currently available on the [sdk-gen](https://github.com/box/box-java-sdk/tree/sdk-gen) branch and uses the new `com.box.sdkgen` package instead of the old `com.box.sdk`.
-
-v10 is targeted at new users of Box Java SDK and users already working with the generated Box Java SDK previously available under the [Box Java SDK Gen repository](https://github.com/box/box-java-sdk-gen).
-
-For users of v4 of the Box Java SDK, no action is required at this time — we’ll be providing an upcoming v5 release that will include both `com.box.sdk` and `com.box.sdkgen` packages for a smooth migration path. To avoid unintentional upgrades, pin your version to `com.box:box-java-sdk:4.16.4`.
-
-For full guidance on SDK versioning, see the [Box SDK Versioning Guide](https://developer.box.com/guides/tooling/sdks/sdk-versioning/).
-
----
-
-## Which Version Should I Use?
-
-| Scenario                                                                                                                    | Recommended Version                                                | Example Dependency            |
-| --------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | ----------------------------- |
-| Creating a new application                                                                                                  | Use [v10](https://github.com/box/box-java-sdk/tree/sdk-gen)        | `com.box:box-sdkgen:10.0.0`   |
-| Existing app using [box-java-sdk-gen](https://mvnrepository.com/artifact/com.box/box-java-sdk-gen) artifact                 | Upgrade to [v10](https://github.com/box/box-java-sdk/tree/sdk-gen) | `com.box:box-sdkgen:10.0.0`   |
-| Existing app using [box-java-sdk](https://mvnrepository.com/artifact/com.box/box-java-sdk) and planning to use new features | Wait for v5 to start migration process                             | TBD                           |
-| Existing app using [box-java-sdk](https://mvnrepository.com/artifact/com.box/box-java-sdk) and not planning changes         | Stay on your current version                                       | `com.box:box-java-sdk:4.16.4` |
-
-# Box Java SDK
+# Box Java SDK v10
 
 [![Project Status](http://opensource.box.com/badges/active.svg)](http://opensource.box.com/badges)
 ![build](https://github.com/box/box-java-sdk/actions/workflows/build.yml/badge.svg?branch=sdk-gen)
 ![Maven Central Version](https://img.shields.io/maven-central/v/com.box/box-java-sdk)
 ![Platform](https://img.shields.io/badge/java-%3E%3D8-blue)
 [![Coverage](https://coveralls.io/repos/github/box/box-java-sdk/badge.svg?branch=sdk-gen)](https://coveralls.io/github/box/box-java-sdk-gen?branch=sdk-gen)
 
-We are excited to introduce the stable Release of the latest generation of Box Java SDK, designed to elevate the developer experience and streamline your integration with the Box Content Cloud.
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 
-With this SDK, you’ll have access to:
+- [Introduction](#introduction)
+- [Supported versions](#supported-versions)
+  - [Version v5](#version-v5)
+  - [Version v10](#version-v10)
+  - [Which Version Should I Use?](#which-version-should-i-use)
+- [Installing](#installing)
+- [Getting Started](#getting-started)
+- [Authentication](#authentication)
+- [Documentation](#documentation)
+- [Migration guides](#migration-guides)
+- [Versioning](#versioning)
+  - [Version schedule](#version-schedule)
+- [Contributing](#contributing)
+- [3rd Party Libraries & Licenses](#3rd-party-libraries--licenses)
+- [FIPS 140-2 Compliance](#fips-140-2-compliance)
+- [Questions, Bugs, and Feature Requests?](#questions-bugs-and-feature-requests)
+- [Copyright and License](#copyright-and-license)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+# Introduction
+
+We are excited to introduce the v10 major release of the Box Java SDK,
+designed to elevate the developer experience and streamline your integration with the Box Content Cloud.
+
+With this SDK version, we provide the `com.box.sdkgen` package, which gives you access to:
 
 1. Full API Support: The new generation of Box SDKs empowers developers with complete coverage of the Box API ecosystem. You can now access all the latest features and functionalities offered by Box, allowing you to build even more sophisticated and feature-rich applications.
 2. Rapid API Updates: Say goodbye to waiting for new Box APIs to be incorporated into the SDK. With our new auto-generation development approach, we can now add new Box APIs to the SDK at a much faster pace (in a matter of days). This means you can leverage the most up-to-date features in your applications without delay.
@@ -44,27 +48,44 @@ With this SDK, you’ll have access to:
 
 Embrace the new generation of Box SDKs and unlock the full potential of the Box Content Cloud.
 
-# Table of contents
+# Supported versions
 
-<!-- START doctoc generated TOC please keep comment here to allow auto update -->
-<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+To enhance developer experience, we have introduced the new generated codebase through the `com.box.sdkgen` package.
+The `com.box.sdkgen` package is available in two major supported versions: v5 and v10.
 
-- [Box Java SDK](#box-java-sdk)
-- [Table of contents](#table-of-contents)
-- [Installing](#installing)
-- [Getting Started](#getting-started)
-- [Documentation](#documentation)
-- [Upgrades](#upgrades)
-- [Integration Tests](#integration-tests)
-  - [Running integration tests locally](#running-integration-tests-locally)
-    - [Create Platform Application](#create-platform-application)
-    - [Export configuration](#export-configuration)
-    - [Start integration tests](#start-integration-tests)
-- [3rd Party Libraries \& Licenses](#3rd-party-libraries--licenses)
-- [Questions, Bugs, and Feature Requests?](#questions-bugs-and-feature-requests)
-- [Copyright and License](#copyright-and-license)
+## Version v5
 
-<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+In v5 of the Box Java SDK, we are introducing a version that consolidates both the manually written package (`com.box.sdk`)
+and the new generated package (`com.box.sdkgen`). This allows developers to use both packages simultaneously within a single project.
+
+The codebase for v5 of the Box Java SDK is currently available on the [combined-sdk](https://github.com/box/box-java-sdk/tree/combined-sdk) branch.
+Migration guide which would help with migration from `com.box.sdk` to `com.box.sdkgen` can be found [here](./migration-guides/from-com.box.sdk-to-com.box.sdkgen.md).
+
+Version v5 is intended for:
+
+- Existing developers of the Box Java SDK v4 who want to access new API features while keeping their current codebase largely unchanged.
+- Existing developers who are in the process of migrating to `com.box.sdkgen`, but do not want to move all their code to the new package immediately.
+
+## Version v10
+
+Starting with v10, the SDK is built entirely on the generated `com.box.sdkgen` package, which fully and exclusively replaces the old `com.box.sdk` package.
+The codebase for v10 of the Box Java SDK is currently available on the [sdk-gen](https://github.com/box/box-java-sdk/tree/sdk-gen) branch.
+
+Version v10 is intended for:
+
+- New users of the Box Java SDK.
+- Developers already working with the generated Box Java SDK previously available under the [Box Java SDK Gen repository](https://github.com/box/box-java-sdk-gen).
+
+## Which Version Should I Use?
+
+| Scenario                                                                                                                                                                                   | Recommended Version                                                    | Example gradle dependency     |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ----------------------------- |
+| Creating a new application                                                                                                                                                                 | Use [v10](https://github.com/box/box-java-sdk/tree/sdk-gen)            | `com.box:box-java-sdk:10.0.0` |
+| App using [box-java-sdk-gen](https://central.sonatype.com/artifact/com.box/box-java-sdk-gen) artifact                                                                                      | Migrate to [v10](https://github.com/box/box-java-sdk/tree/sdk-gen)     | `com.box:box-java-sdk:10.0.0` |
+| App using both [box-java-sdk-gen](https://central.sonatype.com/artifact/com.box/box-java-sdk-gen) and [box-java-sdk](https://central.sonatype.com/artifact/com.box/box-java-sdk) artifacts | Upgrade to [v5](https://github.com/box/box-java-sdk/tree/combined-sdk) | `com.box:box-java-sdk:5.0.0`  |
+| App using v4 of [box-java-sdk](https://central.sonatype.com/artifact/com.box/box-java-sdk) artifact                                                                                        | Upgrade to [v5](https://github.com/box/box-java-sdk/tree/combined-sdk) | `com.box:box-java-sdk:5.0.0`  |
+
+For full guidance on SDK versioning, see the [Box SDK Versioning Guide](https://developer.box.com/guides/tooling/sdks/sdk-versioning/).
 
 # Installing
 
@@ -106,48 +127,47 @@ client.folders.getFolderItems("0").getEntries().forEach(item -> {
 });
 ```
 
-# Documentation
+# Authentication
 
-Browse the [docs](docs/README.md) or see [API Reference](https://developer.box.com/reference/) for more information.
+Box Java SDK v10 supports multiple authentication methods including Developer Token, OAuth 2.0,
+Client Credentials Grant, and JSON Web Token (JWT).
 
-# Upgrades
+You can find detailed instructions and example code for each authentication method in
+[Authentication](./docs/Authentication.md) document.
 
-The SDK is updated regularly to include new features, enhancements, and bug fixes. If you are upgrading from manual SDK to this new generated SDK checkout the [migration guide](migration-guides/from-v4-to-v10.md) and [changelog](CHANGELOG.md) for more information.
+# Documentation
 
-# Integration Tests
+Browse the [docs](docs/README.md) or see [API Reference](https://developer.box.com/reference/) for more information.
 
-## Running integration tests locally
+# Migration guides
 
-### Create Platform Application
+Migration guides which help you to migrate to supported major SDK versions can be found [here](./migration-guides).
 
-To run integration tests locally you will need a `Custom App` created in the [Box Developer
-Console](https://app.box.com/developers/console) with `Server Authentication (with JWT)` selected as authentication method.
-Once created you can edit properties of the application:
+# Versioning
 
-- In section `App Access Level` select `App + Enterprise Access`. You can enable all `Application Scopes`.
-- In section `Advanced Features` enable `Make API calls using the as-user header` and `Generate user access tokens`.
+We use a modified version of [Semantic Versioning](https://semver.org/) for all changes. See [version strategy](VERSIONS.md) for details which is effective from 30 July 2022.
 
-Now select `Authorization` and submit application to be reviewed by account admin.
+A current release is on the leading edge of our SDK development, and is intended for customers who are in active development and want the latest and greatest features.  
+Instead of stating a release date for a new feature, we set a fixed minor or patch release cadence of maximum 2-3 months (while we may release more often).
+At the same time, there is no schedule for major or breaking release. Instead, we will communicate one quarter in advance the upcoming breaking change to allow customers to plan for the upgrade.
 
-### Export configuration
+We always recommend that all users run the latest available minor release for whatever major version is in use.
+We highly recommend upgrading to the latest SDK major release at the earliest convenient time and before the EOL date.
 
-1. Select `Configuration` tab and in the bottom in the section `App Settings`
-   download your app configuration settings as JSON.
-2. Encode configuration file to Base64, e.g. using command: `base64 -i path_to_json_file`
-3. Set environment variable: `JWT_CONFIG_BASE_64` with base64 encoded jwt configuration file
-4. Set environment variable: `BOX_FILE_REQUEST_ID` with ID of file request already created in the user account, `BOX_EXTERNAL_USER_EMAIL` with email of free external user which not belongs to any enterprise and `BOX_EXTERNAL_USER_ID` with its ID.
-5. Set environment variable: `WORKFLOW_FOLDER_ID` with the ID of the Relay workflow that deletes the file that triggered the workflow. The workflow should have a manual start to be able to start it from the API.
-6. Set environment variable: `APP_ITEM_ASSOCIATION_FILE_ID` to the ID of the file with associated app item and `APP_ITEM_ASSOCIATION_FOLDER_ID` to the ID of the folder with associated app item.
-7. Set environment variable: `APP_ITEM_SHARED_LINK` to the shared link associated with app item.
-8. Set environment variable: `SLACK_AUTOMATION_USER_ID` to the ID of the user responsible for the Slack automation, `SLACK_ORG_ID` to the ID of the Slack organization and `SLACK_PARTNER_ITEM_ID` to the ID of the Slack partner item.
+## Version schedule
 
-### Start integration tests
+| Version | Supported Environments | State     | First Release | EOL/Terminated         |
+| ------- | ---------------------- | --------- | ------------- | ---------------------- |
+| 10      | Java 8 and up          | Supported | 17 Sep 2025   | TBD                    |
+| 5       | Java 8 and up          | Supported | 23 Oct 2025   | 2027 or v6 is released |
+| 4       | Java 8 and up          | EOL       | 17 Jan 2023   | 23 Oct 2025            |
+| 3       | Java 8 and up          | EOL       | 17 Jan 2022   | 17 Jan 2023            |
+| 2       |                        | EOL       | 07 Jan 2016   | 17 Jan 2022            |
+| 1       |                        | EOL       | 15 Apr 2015   | 07 Jan 2016            |
 
-To run integration tests locally, you can use the following command:
+# Contributing
 
-```console
-./gradlew test --stacktrace
-```
+See [CONTRIBUTING.md](./CONTRIBUTING.md).
 
 # 3rd Party Libraries & Licenses
 
@@ -187,18 +207,95 @@ The following libraries are required for running tests:
    Maven: `org.junit.jupiter:junit-jupiter-engine:5.10.0`
    Licence: [EPL 2.0](https://www.eclipse.org/legal/epl-2.0/)
 
+# FIPS 140-2 Compliance
+
+To generate a Json Web Signature used for retrieving tokens in the JWT authentication method, the Box Java SDK decrypts an encrypted private key.
+For this purpose, Box Java SDK uses libraries (`org.bouncycastle:bcpkix-jdk18on:1.82` and `org.bouncycastle:bcprov-jdk18on:1.82`)
+that are NOT compatible with FIPS 140-2 validated cryptographic library (`org.bouncycastle:bc-fips`).
+
+There are two ways of ensuring that decryption operation is FIPS-compiant.
+
+1. You can provide a custom implementation of the `IPrivateKeyDecryptor` interface,
+   which performs the decryption operation using FIPS-certified library of your choice.
+   The interface requires the implementation of just one method:
+
+```java
+PrivateKey decryptPrivateKey(String encryptedPrivateKey, String passphrase);
+```
+
+After implementing the custom decryptor, you need to set your custom decryptor class:
+
+```java
+JWTConfig newConfig = JWTConfig.fromConfigFile(JWT_CONFIG_PATH, customDecryptor);
+BoxJWTAuth auth = new BoxJWTAuth(jwtConfig);
+BoxClient client = new BoxClient(auth);
+```
+
+2. Alternative method is to override the Bouncy Castle libraries to the v.1.57 version,
+   which are compatible with the FIPS 140-2 validated cryptographic library (`org.bouncycastle:bc-fips`).
+
+NOTE: This solution is not recommended as Bouncy Castle v.1.57 has some moderate vulnerabilities reported against those versions, including:
+
+- [CVE-2020-26939](https://github.com/advisories/GHSA-72m5-fvvv-55m6) - Observable Differences in Behavior to Error Inputs in Bouncy Castle
+- [CVE-2020-15522](https://github.com/advisories/GHSA-6xx3-rg99-gc3p) - Timing based private key exposure in Bouncy Castle
+
+Furthermore,using Bouncy Castle v.1.57 may lead to [Bouncycastle BadPaddingException for JWT auth](#bouncycastle-badPaddingException-for-jWT-auth).
+
+Gradle example
+
+```groovy
+implementation('com.box:box-java-sdk:x.y.z') {
+   exclude group: 'org.bouncycastle', module: 'bcprov-jdk18on'
+   exclude group: 'org.bouncycastle', module: 'bcpkix-jdk18on'
+}
+runtimeOnly('org.bouncycastle:bcprov-jdk15on:1.57')
+runtimeOnly('org.bouncycastle:bcpkix-jdk15on:1.57')
+```
+
+Maven example:
+
+```xml
+<dependencies>
+   <dependency>
+      <groupId>com.box</groupId>
+      <artifactId>box-java-sdk</artifactId>
+      <version>x.y.z</version>
+      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcprov-jdk18on</artifactId>
+        </exclusion>
+         <exclusion>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+         </exclusion>
+      </exclusions>
+   </dependency>
+   <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk15on</artifactId>
+      <version>1.57</version>
+      <scope>runtime</scope>
+   </dependency>
+   <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk15on</artifactId>
+      <version>1.57</version>
+      <scope>runtime</scope>
+   </dependency>
+</dependencies>
+```
+
 # Questions, Bugs, and Feature Requests?
 
-Need to contact us directly? [Browse the issues
-tickets](https://github.com/box/box-java-sdk/issues)! Or, if that
-doesn't work, [file a new
-one](https://github.com/box/box-java-sdk/issues/new) and we will get
-back to you. If you have general questions about the Box API, you can
-post to the [Box Developer Forum](https://forum.box.com/).
+Need to contact us directly? [Browse the issues tickets](https://github.com/box/box-java-sdk/issues)! Or, if that
+doesn't work, [file a new one](https://github.com/box/box-java-sdk/issues/new), and we will get
+back to you. If you have general questions about the Box API, you can post to the [Box Developer Forum](https://community.box.com/box-platform-5).
 
 # Copyright and License
 
-Copyright 2023 Box, Inc. All rights reserved.
+Copyright 2025 Box, Inc. All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.