Merge branch 'develop' into java-8

jeremiahjstacey · jeremiahjstacey · commit 5e04f5f51946 · 2021-12-26T18:08:03.000-06:00
diff --git a/.github/workflows/superlinter.yml b/.github/workflows/superlinter.yml
@@ -19,7 +19,7 @@ jobs:
 
       # Runs the Super-Linter action and ignore errors
       - name: Run Super-Linter
-        uses: github/super-linter@v3
+        uses: github/super-linter@v4
         env:
           DEFAULT_BRANCH: develop
           DISABLE_ERRORS: true
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ Enterprise Security API for Java (Legacy)
 [![Build Status](https://travis-ci.org/bkimminich/esapi-java-legacy.svg?branch=master)](https://travis-ci.org/bkimminich/esapi-java-legacy)
 [![Coverage Status](https://coveralls.io/repos/github/bkimminich/esapi-java-legacy/badge.svg?branch=develop)](https://coveralls.io/github/bkimminich/esapi-java-legacy?branch=develop)
 [![Coverity Status](https://scan.coverity.com/projects/8517/badge.svg)](https://scan.coverity.com/projects/bkimminich-esapi-java-legacy)
-[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/137/badge)](https://bestpractices.coreinfrastructure.org/projects/137)
+[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/137/badge)](https://bestpractices.coreinfrastructure.org/projects/137)
 
 <table border=0>
 <tr>
@@ -14,6 +14,11 @@ OWASP® ESAPI (The OWASP Enterprise Security API) is a free, open source, web ap
 </tr>
 </table>
 
+# A word about ESAPI and Log4J vulnerabilities
+This is way too detailed to litter the README file with, but several of you have
+been asking about this, so I wrote up something on it and posted it to the ESAPI
+Users Google group. You can find it at [A word about Log4J vulnerabilities in ESAPI - the TL;DR version](https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU).
+
 # Where is the OWASP ESAPI wiki page?
 You can find the OWASP ESAPI wiki pages at [https://owasp.org/www-project-enterprise-security-api/](https://owasp.org/www-project-enterprise-security-api/). The ESAPI legacy GitHub repo also has a few useful wiki pages.
 
@@ -37,7 +42,7 @@ The ESAPI release notes may be found in ESAPI's "documentation" directory. They
 Starting with ESAPI 2.2.3.0, ESAPI is using a version of AntiSamy that by default includes 'slf4j-simple' and does XML schema validation on the AntiSamy policy files. Please **READ** the release notes for the 2.2.3.0 release (at least the beginning portion) for some important notes that likely will affect your use of ESAPI! You have been warned!!!
 
 # Locating ESAPI Jar files
-The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.0. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.0-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.0/esapi-2.2.3.0-configuration.jar) and [esapi-2.2.3.0-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.0/esapi-2.2.3.0-configuration.jar.asc) respectively.
+The [latest ESAPI release](https://github.com/ESAPI/esapi-java-legacy/releases/latest) is 2.2.3.1. The default configuration jar and its GPG signature can be found at [esapi-2.2.3.1-configuration.jar](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.1-configuration.jar) and [esapi-2.2.3.1-configuration.jar.asc](https://github.com/ESAPI/esapi-java-legacy/releases/download/esapi-2.2.3.1/esapi-2.2.3.0-configuration.jar.asc) respectively.
 
 The latest *regular* ESAPI jars can are available from Maven Central.
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.2.0.0  | :white_check_mark: |
-| 2.1.0.1  | :x:, upgrade to 2.2.0.0|
+| 2.2.3.1 (latest) | :white_check_mark: |
+| 2.1.0.1-2.2.3.0  | :x:, upgrade to latest release |
 | <= 1.4.x  | :x:, no longer supported AT ALL |
 
 ## Reporting a Vulnerability
diff --git a/documentation/ESAPI-security-bulletin6.odt b/documentation/ESAPI-security-bulletin6.odt
diff --git a/documentation/ESAPI-security-bulletin6.pdf b/documentation/ESAPI-security-bulletin6.pdf
diff --git a/pom.xml b/pom.xml
@@ -133,7 +133,6 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <version.jmh>1.34</version.jmh>
-        <!-- Note: powermock v2.0.8 doesn't exist. v2.0.9+ requires mockito-core v3+, which requires Java 8 -->
         <version.powermock>2.0.9</version.powermock>
         <version.spotbugs>4.5.2</version.spotbugs>
         <version.spotbugs.maven>4.5.2.0</version.spotbugs.maven>
