Further updates needed for 2.5.0.0 release notes.

kwwall · kwwall · commit 8993a1ac0715 · 2022-07-19T23:14:32.000-04:00
diff --git a/documentation/esapi4java-core-2.5.0.0-release-notes.txt b/documentation/esapi4java-core-2.5.0.0-release-notes.txt
@@ -1,5 +1,5 @@
 Release notes for ESAPI 2.5.0.0
-    Release date: 2022-07-17
+    Release date: 2022-07-20
     Project leaders:
         -Kevin W. Wall <kevin.w.wall@gmail.com>
         -Matt Seil <matt.seil@owasp.org>
@@ -41,7 +41,7 @@ ESAPI 2.5.0.0 release:
      206 Java source files
     4274 JUnit tests in 131 Java source files (0 tests skipped)
 
-18 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
+19 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive').
 (Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2022-04-24)
 
 Issue #         GitHub Issue Title
@@ -64,6 +64,7 @@ Issue #         GitHub Issue Title
 620             Move the default property names and values out of a reference implementation class Component-SecurityConfiguration
 587             Drop Xerces dependency from pom.xml Build-Maven Vulnerable Dependencies
 534             Delete Deprecated Log4J implementation and Dependencies wait4future
+507             LDAP encoding of slash character
 
 -----------------------------------------------------------------------------
 
@@ -120,15 +121,19 @@ Instead, we simply changed the JUnit test to check that the expected AntiSamy or
         Remaining Known Issues / Problems
 
 -----------------------------------------------------------------------------
-'mvn site' fails to build these two reports:
+* 'mvn site' fails to build these two reports:
     "Tag reference" report           --- maven-taglib-plugin:2.4:tagreference
     "Taglibdoc documentation" report --- maven-taglib-plugin:2.4:taglibdoc
 
-Thus no tag library documentation will be generated. :-(
+  Thus no tag library documentation will be generated. :-(
 
-We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
+  We are attempting to find a solution, but on the surface, it seems like the maven-taglib-plugin does not play nicely with versions of Java after Java 6. (So, this probably has been happening for a while and we just noticed it.)
 
-No others problems are known, other than the remaining open issues on GitHub.
+* We have had to suppress CVE-2017-10355, related to the transitive dependency xercesImpl-2.12.2.jar via antisamy-1.7.0.jar. It is the same jar that has been used for the past 2 years but the CVE just started popping up now, apparently because of changes to Sonatype's OSS Index. More details are available in the OWASP Dependency Check suppression rules contained in the 'suppressions.xml' file. Note that other SCA tools such as Snyk or GitHub Dependabot are not presently reporting it, but it bears watching.
+
+* Trying to run 'mvn test' with Java 11 or later results in multiple errors in maven-surefire-plugin, so for now, that should be avoided. We think we may have a solution, but at this point, it is too late to test for this release.
+
+* No others problems are known, other than the remaining open issues on GitHub.
 
 -----------------------------------------------------------------------------
 
@@ -140,19 +145,23 @@ No others problems are known, other than the remaining open issues on GitHub.
 
 -----------------------------------------------------------------------------
 
-Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-17)
+Developer Activity Report (Changes between release 2.4.0.0 and 2.5.0.0, i.e., between 2022-04-24 and 2022-07-20)
 Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic.
 
 #
 # 34 PRs merged since ESAPI 2.4.0.0 release
-#       Note: Figures here may not agree with generated Change Log Report, which is date-based,
-#       as some commits included in this release were prior to ESAPI 2.4.0.0.
+#   Apparent disparement in the figures below may be explained by serveral things:
+#       * My failure to do proper counting and basic arithmetic after 4 hours of tweak release notes.
+#       * Different basis for calculations:
+#           - Figures here may not agree with generated Change Log Report, which is date-based, as some commits included in this release were prior to ESAPI 2.4.0.0 and thus not included in the Change Log Report.
+#           - Some commits are done without PRs. Generally, we don't require PRs when we don't require code reviews. That generally is restricted to documenation files, making simple config file changes, and correcting obvious typos. Commits without PRs are resricted to the 3 ESAPI core team members.
+#           - Sometimes in a PR, multiple commits touch a file multiple times so we count those files once for each commit.
 #
 Developer       Total       Total Number        # Merged
 (GitHub ID)     commits   of Files Changed        PRs
 ========================================================
 jeremiahjstacey 265            180               24
-kwwall           35             64                5
+kwwall           39             69                5
 xeno6696          1            267                1
 noloader          5              2                1
 stevebosman-oc    4              3                2
