Merge remote-tracking branch 'upstream/develop' into json

Author: noloader

documentation/esapi4java-core-2.5.0.0-release-notes.txt

@@ -1,5 +1,5 @@
 Release notes for ESAPI 2.5.0.0
-    Release date: 2022-07-17
+    Release date: 2022-07-20
     Project leaders:
         -Kevin W. Wall <kevin.w.wall@gmail.com>
         -Matt Seil <matt.seil@owasp.org>
@@ -41,7 +41,7 @@ ESAPI 2.5.0.0 release:
      206 Java source files
     4274 JUnit tests in 131 Java source files (0 tests skipped)
 
-18 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
+19 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
 (Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-04-24)
 
 Issue #         GitHub Issue Title
@@ -64,6 +64,7 @@ Issue #         GitHub Issue Title
 620             Move the default property names and values out of a reference implementation class Component-SecurityConfiguration
 587             Drop Xerces dependency from pom.xml Build-Maven Vulnerable Dependencies
 534             Delete Deprecated Log4J implementation and Dependencies wait4future
+507             LDAP encoding of slash character
 
 -----------------------------------------------------------------------------
 
@@ -120,15 +121,19 @@ Instead, we simply changed the JUnit test to check that the expected AntiSamy or
         Remaining Known Issues / Problems
 
 -----------------------------------------------------------------------------
-'mvn site' fails to build these two reports:
+* 'mvn site' fails to build these two reports:
     "Tag reference" report           --- maven-taglib-plugin:2.4:tagreference
     "Taglibdoc documentation" report --- maven-taglib-plugin:2.4:taglibdoc
 
-Thus no tag library documentation will be generated. :-(
+  Thus no tag library documentation will be generated. :-(
 
-We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
+  We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
 
-No others problems are known, other than the remaining open issues on GitHub.
+* We have had to suppress CVE-2017-10355, related to the transitive dependency xercesImpl-2.12.2.jar via antisamy-1.7.0.jar. It is the same jar that has been used for the past 2 years but the CVE just started popping up now, apparently because of changes to Sonatype's OSS Index. More details are available in the OWASP Dependency Check suppression rules contained in the 'suppressions.xml' file. Note that other SCA tools such as Snyk or GitHub Dependabot are not presently reporting it, but it bears watching.
+
+* Trying to run 'mvn test' with Java 11 or later results in multiple errors in maven-surefire-plugin, so for now, that should be avoided. We think we may have a solution, but at this point, it is too late to test for this release.
+
+* No others problems are known, other than the remaining open issues on GitHub.
 
 -----------------------------------------------------------------------------
 
@@ -140,17 +145,23 @@ No others problems are known, other than the remaining open issues on GitHub.
 
 -----------------------------------------------------------------------------
 
-Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17)
+Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-20)
 Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
 
 #
 # 34 PRs merged since ESAPI 2.4.0.0 release
+#   Apparent disparement in the figures below may be explained by serveral things:
+#       * My failure to do proper counting and basic arithmetic after 4 hours of tweak release notes.
+#       * Different basis for calculations:
+#           - Figures here may not agree with generated Change Log Report, which is date-based, as some commits included in this release were prior to ESAPI 2.4.0.0 and thus not included in the Change Log Report.
+#           - Some commits are done without PRs. Generally, we don't require PRs when we don't require code reviews. That generally is restricted to documenation files, making simple config file changes, and correcting obvious typos. Commits without PRs are resricted to the 3 ESAPI core team members.
+#           - Sometimes in a PR, multiple commits touch a file multiple times so we count those files once for each commit.
 #
 Developer       Total       Total Number        # Merged
 (GitHub ID)     commits   of Files Changed        PRs
 ========================================================
 jeremiahjstacey 265            180               24
-kwwall           35             64                5
+kwwall           39             69                5
 xeno6696          1            267                1
 noloader          5              2                1
 stevebosman-oc    4              3                2

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.owasp.esapi</groupId>
     <artifactId>esapi</artifactId>
-    <version>2.5.0.0</version>
+    <version>2.5.1.0-SNAPSHOT</version>
     <packaging>jar</packaging>
 
     <distributionManagement>
@@ -146,7 +146,7 @@
             <!-- TODO: Be sure to update. Should be date of previous official release -->
             <!-- Exact date in the form 'yyyy-dd-yy 00:00:00' should be used. You can find the previous release date -->
             <!-- n the previous release notes file under the 'documentation/' directory. -->
-        <date.prev_release>2021-05-07 00:00:00</date.prev_release>
+        <date.prev_release>2021-05-24 00:00:00</date.prev_release>
     </properties>
 
     <dependencyManagement>
@@ -445,7 +445,7 @@
             <plugin>
                 <groupId>org.cyclonedx</groupId>
                 <artifactId>cyclonedx-maven-plugin</artifactId>
-                <version>2.7.0</version>
+                <version>2.7.1</version>
                 <executions>
                   <execution>
                     <phase>package</phase>
@@ -529,7 +529,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-deploy-plugin</artifactId>
-                <version>3.0.0-M2</version>
+                <version>3.0.0</version>
             </plugin>
 
             <plugin>
@@ -633,7 +633,7 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-install-plugin</artifactId>
-                <version>3.0.0-M1</version>
+                <version>3.0.0</version>
             </plugin>
 
             <plugin>
@@ -683,7 +683,7 @@
             <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-project-info-reports-plugin</artifactId>
-               <version>3.3.0</version>
+               <version>3.4.0</version>
             </plugin>
 
             <plugin>

scripts/vars.2.5.0.0

@@ -8,7 +8,7 @@ VERSION=2.5.0.0
 PREV_VERSION=2.4.0.0
 
 # Release date of current version in yyyy-mm-dd format
-YYYY_MM_DD_RELEASE_DATE=2022-07-17
+YYYY_MM_DD_RELEASE_DATE=2022-07-20
 
 # Previous ESAPI release date in same format
 PREV_RELEASE_DATE=2022-04-24

suppressions.xml

@@ -11,4 +11,50 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.xmlgraphics/batik\-i18n@.*$</packageUrl>
         <cve>CVE-2020-7791</cve>
     </suppress>
+
+
+        <!-- NOTE: These 4 suppression rules are redundant. Will decide later which one to keep. -->
+    <suppress>
+        <notes><![CDATA[
+            CVE-2017-10355 in library xercesImpl-2.12.2.jar, which is a transitive dependency, pulled in via AntiSamy.
+            It is a Denial of Service vulnerability with a CVSSv3 score of 5.9.
+
+            We are suppressing this because it is believed by the ESAPI and AntiSamy teams that it is a false positive.
+            Dependency Check itself doesn't flag this and neither does Snyk. Dependency Check reports it because it is reported
+            directly by Sonatype's OSS Index. For futher details, see
+            https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type=maven&component-name=xerces%2FxercesImpl
+
+            OSS Index seems to have the wrong CPE. They have 'cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*', whereas the CPE IDs
+            associated with NVD are 'cpe:2.3:a:apache:xerces-j:2.12.2:*:*:*:*:*:*:*' and
+            'cpe:2.3:a:apache:xerces2_java:2.12.2:*:*:*:*:*:*:*'.
+
+            Note also that this has been reported as GitHub issue #a 4614
+            https://github.com/jeremylong/DependencyCheck/issues/4614
+            ]]></notes>
+        <sha1>f051f988aa2c9b4d25d05f95742ab0cc3ed789e2</sha1>
+       <cpe>cpe:/a:apache:xerces-j</cpe>
+    </suppress>
+    <suppress>
+       <notes><![CDATA[
+            CVE-2017-10355 in xercesImpl. See above for details.
+       ]]></notes>
+       <sha1>f051f988aa2c9b4d25d05f95742ab0cc3ed789e2</sha1>
+       <cpe>cpe:/a:apache:xerces2_java</cpe>
+   </suppress>
+   <suppress>
+        <notes><![CDATA[
+            CVE-2017-10355 in xercesImpl. See above for details.
+
+            This is the one that matches the OSS Index
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
+        <vulnerabilityName>CVE-2017-10355</vulnerabilityName> 
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            FP per Dependency Check GitHub issue #4614
+        ]]></notes>
+        <cve>CVE-2017-10355</cve>
+    </suppress>
+
 </suppressions>