Merge pull request #856 from kwwall/release-prep-2.5.5.0

Release prep 2.5.5.0 -- Visually inspected, looks routine.  Special thanks to our newest contributors!  :-)

Author: xeno6696

CONTRIBUTING.md

@@ -0,0 +1,118 @@
+# Contributing to ESAPI -- Details
+
+## Getting Started
+If you have not already done so, go back and read the section
+"[Contributing to ESAPI legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)" in ESAPI's README.md file. It
+may contain updates and advice not contained herein.
+
+### A Special Note on GitHub Authentication
+GitHub has announced that they are deprecating password based authentication
+using username / password and beginning 2021-08-13, you will no longer be
+able to your password to authenticate to 'git' operations on GitHub.com.
+Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
+for details and plan accordingly.
+
+### A Special Note Regarding Making Commits for PRs
+Shortly after the 2.5.1.0 ESAPI release in late November 2022, the ESAPI
+team decided to lock down the 'develop' amd 'main' branches. Merges from
+PRs are done to the 'develop' branch. That means that if you intend to
+contribute to ESAPI, you must be signing your commits. Please see the
+GitHub instructions at
+        https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
+for details.
+
+### Git Branching Model
+We are following the branching model described in
+        https://nvie.com/posts/a-successful-git-branching-model
+If you are unfamiliar with it, you would be advised to give it a quick
+perusal. The major point is that the 'main' (formerly 'master') branch is
+reserved for official releases (which will be tagged), the 'develop' branch
+is used for ongoing development work and is the default branch, and we
+generally work off 'issue' branches named 'issue-#' where # is the GitHub
+issue number. (The last is not an absolute requirement, but rather a
+suggested approach.)
+
+Finally, we recommend setting the git property 'core.autocrlf' to 'input'
+in your $HOME/.gitconfig file; e.g., that file should contain something
+like this:
+
+    [core]
+        autocrlf = input
+
+
+### Required Software
+We use Maven for building. Maven 3.6.3 or later is required. You also need
+JDK 8 or later. [Note: If you use JDK 9 or later, there will be multiple
+failures when you try to run 'mvn test' as well as some general warnings.
+See [ESAPI GitHub issue #496](https://github.com/ESAPI/esapi-java-legacy/issues/496) for details. We welcome volunteers to address
+this.]
+## Finding Something Interesting to Work on
+
+See the section [Contributing to ESAPI Legacy](https://github.com/ESAPI/esapi-java-legacy/blob/develop/README.md#contributing-to-esapi-legacy)
+in the ESAPI README for suggestions. While you don't *have* to work on something labeled "good first issue"
+or "help wanted", those are good places to start for someone not yet familiar with the ESAPI code base.
+
+You will need a account on GitHub though. Once you create one, let us know
+what it is. Then if you want to work on a particular issue, we can assign
+it to you so someone else won't take it.
+
+If you have questions, email Kevin Wall ([email protected]) or Matt
+Seil ([email protected]).
+
+
+## Building ESAPI
+See our local GitHub wiki page, [Building ESAPI](https://github.com/ESAPI/esapi-java-legacy/wiki/Building-ESAPI),
+which briefly discusses how to build ESAPI via Maven.
+
+You can also refer to [Using ESAPI for Java with Eclipse](https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-for-Java-with-Eclipse)
+if you prefer working from IDEs. There is also a much older ESAPI wiki page,
+[Building with Eclipse](https://www.owasp.org/index.php/ESAPI-BuildingWithEclipse)
+that might be useful.
+
+As always, any contributions to ESAPI's admittedly skimpy documentation in this area is welcome.
+In particular, contributing some hints about debugging applications using ESAPI
+would be very useful to our ESAPI clients.
+
+## Steps to work with ESAPI
+I usually do everything from the bash command prompt in Linux Mint,
+but other people use Windows. If you prefer an IDE, I can't help you
+much, but I can help with at least modest problems. If you have more
+difficult problems, I will probably refer you to my project co-leader,
+Matt who groks git a lot better than I.
+
+But the basic high level steps are:
+
+1. Fork https://github.com/ESAPI/esapi-java-legacy to your own GitHub repository using the GitHub web site.
+2. On your local laptop, clone your own GitHub ESAPI repo (i.e, the forked repo created in previous step)
+3. Create a new branch to work on an issue. I usually name the branch 'issue-#' where '#' is the GitHub issue # is will be working on, but you can call it whatever. E.g.,
+   ```bash
+        $ git checkout -b issue-#
+   ```
+4. Work on the GitHub issue on this newly created issue-# branch. Be sure that you also create new JUnit tests as required that confirm that the issue is corrected, or if you are introducing new functionality, ensure
+   that functionality is sufficiently covered.
+5. Make sure everything builds correctly and all the JUnit tests pass ('mvn test'). [Note: There are some known issues with test failures if your are running under Windows and your local ESAPI Git repo located anywhere other than the C: drive, where the test `ValidatorTest.testIsValidDirectoryPath()` fails. 
+6. If you have added any dependencies, please also run OWASP Dependency-Check and look at the generated report left in 'target/dependency-check-report.html' to make sure there were not any CVEs introduced. (Alternately you can run 'mvn verify' which will first run the tests and then run Dependency-Check.) Note if this is the first time you have run Dependency-Check for ESAPI, expect it to take a while (often 30 minutes or so!). To execute Dependency Check from Maven, run:
+   ```bash
+        $ mvn org.owasp:dependency-check-maven:check
+   ```
+7. Commit your changes locally.
+8. Push your 'issue-#' branch to your personal, forked ESAPI GitHub repo. E.g.,
+   ```bash
+        $ git checkout issue-444
+        $ git remote -v | grep origin       # Confirm 'origin' refers to YOUR PERSONAL GitHub repo
+        $ git push origin issue-444         # Push the committed changes on the 'issue-444' branch
+   ```
+9. Go to your personal, forked ESAPI GitHub repo (web interface) and create a 'Pull Request' (PR) from your 'issue-#' branch.
+10. Back on your local personal laptop / desktop, merge your issue branch with your local 'develop' branch. I.e.,
+        $ git checkout develop
+        $ git merge issue-444
+11. Do not remove your branch on your forked repository until your PR from your branch has been merged into the ESAPI/esapi-java/legacy 'develop' branch.
+   Note at least one the 3 main contributors on will review your commits before
+   merging them and they may do a formal code review and request further changes.
+   Once they are satisfied, they will merge your PR.
+
+In theory, you can do all this 'git' magic from Eclipse and presumably other
+IDEs like Oracle NetBeans or JetBrains IntelliJ IDEA. From Eclipse, it is right-click
+on the project and then select 'Team' to do the commits, etc. If you choose that
+route, you're pretty much on your own because none of us use that for Git
+interactions.

README.md

@@ -30,7 +30,7 @@ specific Jakarta version of ESAPI, in Maven, you would specify your ESAPI depend
 <dependency>
     <groupId>org.owasp.esapi</groupId>
     <artifactId>esapi</artifactId>
-    <version>2.5.4.0</version>
+    <version>2.5.5.0</version>  <!-- Preferably the latest version, but > 2.5.3.0 -->
     <classifier>jakarta</classifier>
 </dependency>
 ```
@@ -46,40 +46,6 @@ fact, without the
 ```
 that's the version that will be used by default.
 
-# Quickstart - Maven Example
-### Step 1: Add the required maven dependencies.
-```xml
-<dependency>
-    <groupId>org.owasp.esapi</groupId>
-    <artifactId>esapi</artifactId>
-    <version>2.5.3.0 [or later]</version>
-    <classifier>jakarta</classifier>
-</dependency>
-<!-- Add the below dependency if the not using JakartaEE -->
-<dependency>
-    <groupId>jakarta.servlet</groupId>
-    <artifactId>jakarta.servlet-api</artifactId>
-    <version>6.1.0</version>
-    <scope>provided</scope>
-</dependency>
-```
-### Step 2: Create 2 properties file namely: ESAPI.properties and validation.properties and add them to your classpath. You can refer to below for boilerplate configurations.
-[ESAPI.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/ESAPI.properties) <br/>
-[validation.properties](https://github.com/ESAPI/esapi-java-legacy/blob/develop/configuration/esapi/validation.properties)
-
-### Step 3: Let's say, you want to remediate log injection vulnerabilities. Below is an example to achieve it.
-```code
-import org.owasp.esapi.ESAPI;
-import org.owasp.esapi.Logger;
-
-public class Example {
-   private static Logger LOGGER = ESAPI.getLogger(Example.class);
-   public void printLog(){
-		LOGGER.info(Logger.EVENT_SUCCESS, "Log injection remediated !");
-   }
-}
-```
-For more examples, please visit [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/).
 
 # A word about ESAPI vulnerabilities
 A summary of all the vulnerabilities that we have written about in either the
@@ -118,7 +84,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They
 See the GitHub [Releases](https://github.com/ESAPI/esapi-java-legacy/releases) information for a list of releases which generally
 link to the specific release notes.
 
-### Really IMPORTANT information in release notes
+### Really IMPORTANT information in release notes - Ignore at your peril
 * Starting with ESAPI 2.2.1.0, important details changed reading the ESAPI
   Logger. If you have are getting things like ClassNotFoundException, you
   probably have not read it. Please be sure to read this specific section
@@ -176,6 +142,30 @@ references in documentation). If you must, you still should be able to
 use Log4J 1.x logging via ESAPI SLF4J support. See the ESAPI 2.5.0.0 release
 notes for further details.
 
+# Quickstart - Maven Example
+### Step 1: Add the required dependencies.
+See https://mvnrepository.com/artifact/org.owasp.esapi/esapi/latest, the tab for
+whatever build tool you are using. If you need the Jakarta version, make sure to
+add
+```xml
+    <classifier>jakarta</classifier>
+```
+and include whatever jakara.servlet:jakarta.servlet-api version you are using with
+```xml
+    <scope>provided</scope>
+```
+### Step 2: Obtain the 2 properties files ESAPI.properties and validation.properties
+1. Download these 2 files from the ESAPI release that you are using from https://github.com/ESAPI/esapi-java-legacy/releases
+   and download the esapi-<release>-configuration.jar file (and the .asc file if you wish to confirm the GPG signature).
+2. Unjar that configuration file that you just downloaded and find the 2
+   properties files under the "configuration/esapi" subdirectory where you
+   unjarred the config jar.
+3. Read through Javadoc for [DefaultSecurityConfiguration](https://javadoc.io/static/org.owasp.esapi/esapi/2.5.4.0/org/owasp/esapi/reference/DefaultSecurityConfiguration.html)
+   to understand the ways that ESAPI locates these files and then use the mechanism that works best for you. Copy the 2 properties
+   files from the 'configuration/esapi' directory to the directory where you
+   choose to have them reside. Note that you may also edit them to customize
+   them according to your needs.
+
 # Contributing to ESAPI legacy
 ### How can I contribute or help with fix bugs?
 Fork and submit a pull request! Easy as pi! (How's that for an irrational
@@ -250,19 +240,6 @@ discussion or even show us how it works with a PR. (Note that we vet all pull
 requests, including coding style of any contributions, so please use the same
 coding style found in the files you are already editing.)
 
-# Ancient History
-### What happened to Google code?
-In mid-2014 ESAPI migrated all code and issues from Google Code to GitHub. This migration was completed in November 2014.
-
-### What about the issues still located on Google Code?
-All issues from Google Code have been migrated to GitHub issues. We now
-use GitHut Issues for reporting everything *except* security vulnerabilities.
-Other bug tracking sites are undoubtedly more advanced, but as developers,
-we do not want to spent time having to close issues from multiple bug-tracking
-systems. Therefore, until the synchronization happens with the Atlassian Jira
-instance that we have (but are not using; see GitHub issue #371), please
-ONLY use GitHub Issues for reporting bugs.
-
 # References: Where to Find More Information on ESAPI
 **OWASP Wiki:** https://owasp.org/www-project-enterprise-security-api/