ESAPI
diff --git a/‎documentation/LoggerDesignAndTesting.md‎
Lines changed: 1 addition & 1 deletion b/‎documentation/LoggerDesignAndTesting.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pom.xml‎
Lines changed: 3 additions & 3 deletions b/‎pom.xml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎scripts/esapi-release.sh‎
Lines changed: 3 additions & 3 deletions b/‎scripts/esapi-release.sh‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎scripts/esapi4java-core-TEMPLATE-release-notes.txt‎
Lines changed: 1 addition & 11 deletions b/‎scripts/esapi4java-core-TEMPLATE-release-notes.txt‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎src/examples/java/DisplayEncryptedProperties.java‎
Lines changed: 1 addition & 1 deletion b/‎src/examples/java/DisplayEncryptedProperties.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/examples/java/ESAPILogging.java‎
Lines changed: 1 addition & 1 deletion b/‎src/examples/java/ESAPILogging.java‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/examples/scripts/encryptProperties.sh‎
Lines changed: 2 additions & 4 deletions b/‎src/examples/scripts/encryptProperties.sh‎
Lines changed: 2 additions & 4 deletions
diff --git a/‎src/examples/scripts/persistEncryptedData.sh‎
Lines changed: 3 additions & 4 deletions b/‎src/examples/scripts/persistEncryptedData.sh‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/examples/scripts/runClass.sh‎
Lines changed: 1 addition & 3 deletions b/‎src/examples/scripts/runClass.sh‎
Lines changed: 1 addition & 3 deletions
diff --git a/‎src/examples/scripts/setMasterKey.sh‎
Lines changed: 1 addition & 2 deletions b/‎src/examples/scripts/setMasterKey.sh‎
Lines changed: 1 addition & 2 deletions
@@ -22,6 +22,6 @@ The general workflow is:
 
     Logger.info/warn/etc(message) -> forwards to LogBridgelog(logger, esapiLevel, type, message) -> forwards to LogHandler.log(...) -> forwards to slf4j Logger implementation with appropriate level and composed message.
 
-So each of the tests for each of the classes verifies data in -> data out based on the Logging API.  The structure for JUL, Log4J, and SLF4J are almost identical.  There are a few differences in the interaction with the underlying Logger interactions and expectations.  As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
+So each of the tests for each of the classes verifies data in -> data out based on the Logging API.  The structure for JUL and SLF4J are almost identical.  There are a few differences in the interaction with the underlying Logger interactions and expectations.  As a result, the tests are also almost full duplications (again accounting for differences in the underlying logging API).
 
 -J
@@ -140,7 +140,7 @@
         <version.powermock>2.0.9</version.powermock>
         <version.spotbugs>4.7.1</version.spotbugs>
         <version.findsecbugs>1.12.0</version.findsecbugs>
-        <version.spotbugs.maven>4.7.0.0</version.spotbugs.maven>
+        <version.spotbugs.maven>4.7.1.0</version.spotbugs.maven>
         <version.surefire>3.0.0-M7</version.surefire>
         <project.java.target>1.8</project.java.target>
             <!-- TODO: Be sure to update. Should be date of previous official release -->
@@ -406,7 +406,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-assembly-plugin</artifactId>
-                    <version>3.4.0</version>
+                    <version>3.4.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -538,7 +538,7 @@
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
                     <artifactId>extra-enforcer-rules</artifactId>
-                    <version>1.5.1</version>
+                    <version>1.6.0</version>
                   </dependency>
                   <dependency>
                     <groupId>org.codehaus.mojo</groupId>
 
@@ -64,8 +64,8 @@ USAGE="Usage: $PROG esapi_svn_dir"
 tmpdir="/tmp/$PROG.$RANDOM-$$"
 esapi_release_dir="$tmpdir/esapi_release_dir"
 
-    # This is the directory under esapi_svn_dir where the log4j and ESAPI
-    # properties files are located as well as the $esapiConfig/* config files.
+    # This is the directory under esapi_svn_dir where ESAPI configuration files
+    # such as ESAPI.properties are located as well as the $esapiConfig/* config files.
     # Note that formerly used to be under src/main/resources, but it since
     # has been moved because where it was previously was causing problems with
     # Sonatype's Nexus. That particular problem may have been resolved, but it
@@ -141,7 +141,7 @@ mkdir $jartmpdir
 cd $jartmpdir || exit
 jar xf "$jarfile"
 rm -fr ${esapiConfig:?}
-rm -f properties/* log4j.*
+rm -f properties/*
 rm -f settings.xml owasp-esapi-dev.jks
 # TODO: This part would need some work if we sign or seal the ESAPI jar as
 #       that creates a special MANIFEST.MF file and other special files and
 
@@ -51,7 +51,7 @@ Issue #         GitHub Issue Title
@@@@ NOTE any special notes here. Probably leave this one, but I would suggest noting additions BEFORE this.
 [If you have already successfully been using ESAPI 2.2.1.0 or later, you probably can skip this section.]
 
-Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we have deprecated the use of Log4J 1.x because we now support SLF4J and Log4J 1.x is way past its end-of-life. We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
+Since ESAPI 2.2.1.0, the new default ESAPI logger is JUL (java.util.logging packages) and we had deprecated the use of Log4J 1.x because was way past its end-of-life. (Note: As of ESAPI 2.5.0.0, we have officially removed all Log4J 1 dependencies, after it had been deprecated for 2 years as per our deprecation policy.) We did not want to make SLF4J the default logger (at least not yet) as we did not want to have the default ESAPI use require additional dependencies. However, SLF4J is likely to be the future choice, at least once we start on ESAPI 3.0. A special shout-out to Jeremiah Stacey for making this possible by re-factoring much of the ESAPI logger code. Note, the straw that broke the proverbial camel's back was the announcement of CVE-2019-17571 (rated Critical), for which there is no fix available and likely will never be.
 
 However, if you try to juse the new ESAPI 2.2.1.0 or later logging you will notice that you need to change ESAPI.Logger and also possibly provide some other properties as well to get the logging behavior that you desire.
 
@@ -87,11 +87,6 @@ If you are using JavaLogFactory, you will also want to ensure that you have the
 See GitHub issue #560 for additional details.
 
 
-Related to that aforemented Log4J 1.x CVE and how it affects ESAPI, be sure to read
-   https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf 
-which describes CVE-2019-17571, a deserialization vulnerability in Log4J 1.2.17. ESAPI is *NOT* affected by this (even if you chose to use Log4J 1 as you default ESAPI logger). This security bulletin describes why this CVE is not exploitable as used by ESAPI.
-
-
 Finally, while ESAPI still supports JDK 7 (even though that too is way past end-of-life), the next ESAPI release will move to JDK 8 as the minimal baseline. (We already use Java 8 for development but still to Java 7 source and runtime compatibility.) We need to do this out of necessity because some of our dependencies are no longer doing updates that support Java 7.
 
 -----------------------------------------------------------------------------
@@ -127,11 +122,6 @@ Another problem is if you run 'mvn test' from the 'cmd' prompt (and possibly Pow
 
 We believe these failures is because the maven-surefire-plugin is by default not forking a new JVM process for each test class. We are looking into this. For now, we have only have observed this behavior on Windows 10. If you see this error, please do NOT report it as a GitHub issue unless you know a fix for it. (And yes, we are aware of '<reuseForks>false</reuseForks>' in the pom for the maven-surefire-plugin, but that causes other tests to fail that we haven't had time to fix.)
 
-
-Lastly, some SCA services may continue to flag vulnerabilties in ESAPI ${VERSION} related to log4j 1.2.17 (e.g., CVE-2020-9488). We do not believe the way that ESAPI uses log4j in a manner that leads to any exploitable behavior.  See the security bulletins
-   https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin2.pdf 
-for additional details.
-
 -----------------------------------------------------------------------------
 
         Other changes in this release, some of which not tracked via GitHub issues
 
@@ -8,7 +8,7 @@
 //          that were encrypted using ESAPI's EncryptedProperties class.
 //
 // Usage: java -classpath <cp> DisplayEncryptedProperties encryptedPropFileName
-//        where <cp> is proper classpath, which minimally include esapi.jar & log4j.jar
+//        where <cp> is proper classpath, which minimally includes the esapi.jar.
 public class DisplayEncryptedProperties {
 
     public DisplayEncryptedProperties() {
 
@@ -4,7 +4,7 @@
 // Purpose: Short code snippet to show how ESAPI logging works.
 //
 // Usage: java -classpath <cp> ESAPILogging
-//        where <cp> is proper classpath, which minimally include esapi.jar & log4j.jar
+//        where <cp> is proper classpath, which minimally includes the esapi.jar.
 public class ESAPILogging {
 
     public static void main(String[] args) {
 
@@ -49,8 +49,7 @@ cd ../java
 if [[ "$action" == "-display" ]]
 then
     set -x
-    java -Dlog4j.configuration="file:$log4j_properties" \
-         -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+    java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
          -classpath "$esapi_classpath" \
          DisplayEncryptedProperties "$filename"
 else
@@ -65,8 +64,7 @@ else
     echo
     echo "Hit <Enter> to continue..."; read GO
     set -x
-    java -Dlog4j.configuration="file:$log4j_properties" \
-         -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+    java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
          -classpath "$esapi_classpath" \
       org.owasp.esapi.reference.crypto.DefaultEncryptedProperties "$filename" &&
       echo "Output of encrypted properties in file: $filename"
 
@@ -23,7 +23,6 @@ set -x
 # Since this is just an illustration, we will use the test ESAPI.properties in
 # $esapi_resources_test. That way, it won't matter if the user has neglected
 # to run the 'setMasterKey.sh' example before running this one.
-java -Dlog4j.configuration="file:$log4j_properties" \
-    -Dorg.owasp.esapi.resources="$esapi_resources_test" \
-    -ea -classpath "$esapi_classpath" \
-    PersistedEncryptedData "$@"
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+     -ea -classpath "$esapi_classpath" \
+     PersistedEncryptedData "$@"
@@ -19,10 +19,8 @@ then echo >2&1 "Can't find class file: ${className}.class"
      exit 1
 fi
 echo "Your ESAPI.properties file: ${esapi_resources_test:?}/ESAPI.properties"
-echo "Your log4j properties file: ${log4j_properties:?}"
 echo
 set -x
-java -Dlog4j.configuration="file:$log4j_properties" \
-     -Dorg.owasp.esapi.resources="$esapi_resources_test" \
+java -Dorg.owasp.esapi.resources="$esapi_resources_test" \
      -classpath "$esapi_classpath" \
      ${className} "$@"
@@ -16,7 +16,6 @@ echo
 # set -x
 # This should use the real ESAPI.properties in $esapi_resources that does
 # not yet have Encryptor.MasterKey and Encryptor.MasterSalt yet set.
-java -Dlog4j.configuration="file:$log4j_properties" \
-     -Dorg.owasp.esapi.resources="$esapi_resources" \
+java -Dorg.owasp.esapi.resources="$esapi_resources" \
      -classpath "$esapi_classpath" \
      org.owasp.esapi.reference.crypto.JavaEncryptor "$@"