esapi
Used in:
components
- OverviewOverview
- VersionsVersions
- DependentsDependents
- DependenciesDependencies
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.7.0.1-RC1</version>
</dependency><?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.7.0.1-RC1</version>
<packaging>jar</packaging>
<distributionManagement>
<repository>
<id>central</id>
<url>https://central.sonatype.org/publish/publish-portal-maven/</url>
</repository>
<!-- You can pick up the ESAPI configuration jars here, under the Assets section of each release. -->
<downloadUrl>https://github.com/ESAPI/esapi-java-legacy/releases</downloadUrl>
</distributionManagement>
<licenses>
<license>
<name>BSD</name>
<url>https://www.opensource.org/licenses/bsd-license.php</url>
<comments>Code License - New BSD License</comments>
</license>
<license>
<name>Creative Commons 3.0 BY-SA</name>
<url>https://creativecommons.org/licenses/by-sa/3.0/</url>
<comments>Content License - Create Commons 3.0 BY-SA</comments>
</license>
</licenses>
<name>ESAPI</name>
<url>https://owasp.org/www-project-enterprise-security-api/</url>
<description>The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
</description>
<organization>
<name>The Open Worldwide Application Security Project (OWASP)</name>
<url>https://owasp.org/</url>
</organization>
<mailingLists>
<mailingList>
<name>ESAPI-Project-Users</name>
<subscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-users/join</subscribe>
<unsubscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-users/unsubscribe</unsubscribe>
<post>mailto:esapi-project-users@owasp.org</post>
<archive>(Pre 3/25/2019) https://lists.owasp.org/pipermail/esapi-users/</archive>
<!--This is the OWASP ESAPI mailing list for ESAPI users, regardless of programming language. For example, ESAPI users with questions about ESAPI for Java or ESAPI for PHP would both post here.-->
</mailingList>
<mailingList>
<name>ESAPI-Project-Dev</name>
<subscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/join</subscribe>
<unsubscribe>https://groups.google.com/a/owasp.org/forum/#!forum/esapi-project-dev/unsubscribe</unsubscribe>
<post>mailto:esapi-project-dev@owasp.org</post>
<archive>(Pre 3/25/2019) https://lists.owasp.org/pipermail/esapi-dev/</archive>
<!--This is the OWASP ESAPI mailing list for ESAPI for Java developers. While the list is not closed, the topics of discussion are likely to be less relevant to those only using ESAPI. Note that this is the list for ESAPI for Java. Most other language implementations, such ESAPI for PHP, have their own mailing lists.-->
</mailingList>
<mailingList>
<name>OWASP-ESAPI (Inactive! Archive only!)</name>
<archive>https://lists.owasp.org/pipermail/owasp-esapi/</archive>
<!--The name of the obsolete mailing list that previously was a combination of an ESAPI users lists and ESAP development list. While obsolete, it is still sometimes useful for searching through old historical posts. NOTE: NEW POSTS SHOULD NO LONGER BE MADE TO THIS LIST!-->
</mailingList>
</mailingLists>
<scm>
<connection>scm:git:git://github.com/ESAPI/esapi-java-legacy.git</connection>
<developerConnection>scm:git:git@github.com:ESAPI/esapi-java-legacy.git</developerConnection>
<url>https://github.com/ESAPI/esapi-java-legacy</url>
</scm>
<issueManagement>
<system>GitHub Issue Tracking</system>
<url>https://github.com/ESAPI/esapi-java-legacy/issues</url>
</issueManagement>
<developers>
<developer>
<name>Jeff Williams</name>
<organization>Contrast Security</organization>
<roles>
<role>Project Founder</role>
</roles>
</developer>
<developer>
<name>Kevin W. Wall</name>
<organization>Verisign</organization>
<roles>
<role>Project Co-leader</role>
</roles>
</developer>
<developer>
<name>Matt Seil</name>
<organization>OWASP</organization>
<roles>
<role>Project Co-leader</role>
</roles>
</developer>
<developer>
<name>Jeremiah J. Stacey</name>
<roles>
<role>JUnit SME</role>
<role>Jack of all trades, master of many</role>
</roles>
</developer>
<developer>
<name>Chris Schmidt</name>
<organization>Fluid Truck</organization>
<roles>
<role>Former project co-leader</role>
</roles>
</developer>
</developers>
<contributors>
<contributor>
<name>Dave Wichers</name>
</contributor>
<contributor>
<name>Jim Manico</name>
</contributor>
</contributors>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<version.jmh>1.37</version.jmh>
<version.findsecbugs>2.0.0-M3</version.findsecbugs>
<version.fluido>2.0.0-M11</version.fluido> <!-- Version 2.1.0 is available, but fails with this min Maven. -->
<version.powermock>2.0.9</version.powermock>
<version.spotbugs>4.9.3</version.spotbugs>
<version.spotbugs.maven>4.9.3.1</version.spotbugs.maven>
<version.surefire>3.5.3</version.surefire>
<project.java.target>1.8</project.java.target>
<!-- TODO: Be sure to update. Should be date of previous official release -->
<!-- Exact date in the form 'yyyy-dd-yy 00:00:00' should be used. You can find the previous release date -->
<!-- in the previous release notes file under the 'documentation/' directory. -->
<date.prev_release>2025-06-02 00:00:00</date.prev_release>
</properties>
<dependencies>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>2.3.3</version>
<scope>provided</scope>
<!-- Note: Because this dependency is provided, this exclusion doesn't actually do anything.
But we include it so the convergence report will report 100% convergence.
Deleting this does not cause the convergence check to fail.
-->
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>xom</groupId>
<artifactId>xom</artifactId>
<version>1.3.9</version>
<exclusions>
<exclusion>
<!-- xom tries to pull this in, but a newer version is in Java 7 and later
so we want to exclude this transitive dependency. Don't need to include
it explicity since we use the one from the JDK.
-->
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<!-- We need to use 1.11.0 (or later) here to address various CVEs. -->
<version>1.11.0</version>
<!-- NOTE: commons-beanutils uses commons-collections 3.2.2. We use
commons-collections 4.2. Package names are different so this shouldn't
cause any problems as long as 3.x doesn't have any CVEs. May have to
rethink / exclude / etc. if there are.
-->
</dependency>
<dependency>
<groupId>commons-configuration</groupId>
<artifactId>commons-configuration</artifactId>
<version>1.10</version>
<exclusions>
<!-- excluded because multiple dependencies import newer version. -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
<!-- Note: Because the following dependency is marked as provided to commons-configuration,
this exclusion doesn't actually do anything. But we include it so the convergence report
will report 100% convergence. Deleting this does not cause the convergence check to fail.
-->
<exclusion>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>1.6.0</version>
<exclusions>
<!-- excluded because we directly import newer version below. -->
<exclusion>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-collections4</artifactId>
<version>4.5.0-M2</version>
</dependency>
<dependency>
<groupId>org.apache-extras.beanshell</groupId>
<artifactId>bsh</artifactId>
<version>2.0b6</version>
</dependency>
<dependency>
<groupId>org.owasp.antisamy</groupId>
<artifactId>antisamy</artifactId>
<version>1.7.8</version>
<exclusions>
<!-- excluded because we directly import newer version below. -->
<exclusion>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</exclusion>
<!-- excluded because commons-beanutils imports a newer version. -->
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>2.0.16</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<!-- 1.4.01 is NEWER THAN 2.0.2
Check the release dates in maven central
https://mvnrepository.com/artifact/xml-apis/xml-apis
DO NOT UPDATE THIS DEPENDENCY
-->
<version>1.4.01</version>
</dependency>
<!-- SpotBugs dependencies -->
<dependency>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-annotations</artifactId>
<version>${version.spotbugs}</version>
<optional>true</optional>
</dependency>
<!-- Dependencies which are ONLY used for JUnit tests -->
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.17.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.13.2</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.78.1</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
<version>2.2</version>
<scope>test</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.powermock/powermock-api-mockito -->
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-api-mockito2</artifactId>
<version>${version.powermock}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- The following imported solely so we can exclude its dependency on: org.objenesis:objenesis, which conflicts with
another import by a dependency of powermock-api-mockito2. -->
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<!-- Cannot upgrade past 3.x due to PowerMock compatibility
https://github.com/powermock/powermock/issues/1109
-->
<version>3.12.4</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-core</artifactId>
<version>${version.powermock}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy</artifactId>
</exclusion>
<exclusion>
<groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy-agent</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-module-junit4</artifactId>
<version>${version.powermock}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</exclusion>
<exclusion>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.powermock</groupId>
<artifactId>powermock-reflect</artifactId>
<version>${version.powermock}</version>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.objenesis</groupId>
<artifactId>objenesis</artifactId>
</exclusion>
<exclusion>
<groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy</artifactId>
</exclusion>
<exclusion>
<groupId>net.bytebuddy</groupId>
<artifactId>byte-buddy-agent</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.openjdk.jmh</groupId>
<artifactId>jmh-core</artifactId>
<version>${version.jmh}</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<pluginManagement>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>3.8.1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<version>3.1.1</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<version>2.18.0</version>
<configuration>
<rulesUri>file:${project.basedir}/versionRuleset.xml</rulesUri>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>0.9.0</version>
<extensions>true</extensions>
<configuration>
<deploymentName>${project.name}</deploymentName>
<publishingServerId>central</publishingServerId>
</configuration>
</plugin>
<!-- Create SBOM -->
<plugin>
<groupId>org.cyclonedx</groupId>
<artifactId>cyclonedx-maven-plugin</artifactId>
<version>2.9.1</version>
<executions>
<execution>
<phase>package</phase>
<goals><goal>makeBom</goal></goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-maven-plugin</artifactId>
<version>${version.spotbugs.maven}</version>
<dependencies>
<!-- Overwrite dependency on SpotBugs if you want to specify the version of SpotBugs.
SpotBugs itself is frequently several versions ahead of the spotbugs-maven-plugin -->
<dependency>
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs</artifactId>
<version>${version.spotbugs}</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<version>${version.findsecbugs}</version>
</plugin>
<plugin>
<groupId>io.github.weblegacy</groupId>
<artifactId>taglib-maven-plugin</artifactId>
<version>2.6</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-changelog-plugin</artifactId>
<!-- 3.0.0-M1 is a "milestone" release, which is generally
to an alpha or beta release. Normally we would avoid
those, but generating a changelog is not an essential
task, so we're fine with this.
-->
<version>3.0.0-M1</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-clean-plugin</artifactId>
<version>3.5.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.14.0</version>
<configuration>
<source>${project.java.target}</source>
<target>${project.java.target}</target>
<testSource>${project.java.target}</testSource>
<testTarget>${project.java.target}</testTarget>
<debug>true</debug>
<showWarnings>true</showWarnings>
<showDeprecation>false</showDeprecation>
<compilerArgs>
<!-- This fails:
<arg>-Xmaxwarns 2000</arg>
Must be passed as two separate args, as shown
below.
-->
<arg>-Xmaxwarns</arg>
<arg>2000</arg>
<arg>
<!-- Eventually desire is to use just
-Xlint:all
here, but for now, this is just to cross off
another criteria for CII Badging process.
However, this is main reason we increased
maxwarns above.
-->
-Xlint:all,-deprecation,-rawtypes,-unchecked
</arg>
</compilerArgs>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-deploy-plugin</artifactId>
<version>3.1.4</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-eclipse-plugin</artifactId>
<version>2.10</version>
<configuration>
<downloadSources>true</downloadSources>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.5.0</version>
<dependencies>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>extra-enforcer-rules</artifactId>
<version>1.10.0</version>
</dependency>
<dependency>
<groupId>org.codehaus.mojo</groupId>
<artifactId>animal-sniffer-enforcer-rule</artifactId>
<version>1.24</version>
</dependency>
</dependencies>
<executions>
<execution>
<id>enforce-maven</id>
<goals><goal>enforce</goal></goals>
<configuration>
<rules>
<requireMavenVersion>
<version>[3.6.3,)</version>
<message>Building ESAPI 2.x now requires Maven 3.6.3 or later.</message>
</requireMavenVersion>
</rules>
</configuration>
</execution>
<execution>
<id>check-java-versions</id>
<phase>compile</phase>
<goals><goal>enforce</goal></goals>
<configuration>
<rules>
<dependencyConvergence/>
<requireJavaVersion>
<version>${project.java.target}</version>
<message>
ESAPI 2.x now uses the JDK1.8 for its baseline. Please make sure that your
JAVA_HOME environment variable is pointed to a JDK1.8 or later distribution.
</message>
</requireJavaVersion>
<enforceBytecodeVersion>
<maxJdkVersion>${project.java.target}</maxJdkVersion>
<ignoreOptionals>true</ignoreOptionals>
<ignoredScopes/><!-- 'test' scopes not ignored so we can actually test on Java 8. -->
<message>Dependencies shouldn't require Java 9+</message>
</enforceBytecodeVersion>
</rules>
<fail>true</fail>
</configuration>
</execution>
<execution>
<id>check-java8API-signatures</id>
<phase>compile</phase>
<goals><goal>enforce</goal></goals>
<configuration>
<rules>
<checkSignatureRule implementation="org.codehaus.mojo.animal_sniffer.enforcer.CheckSignatureRule">
<signature>
<groupId>org.codehaus.mojo.signature</groupId>
<!-- Check against Java 8 API -->
<artifactId>java18</artifactId>
<version>1.0</version>
</signature>
</checkSignatureRule>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.7</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals> <goal>sign</goal> </goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-install-plugin</artifactId>
<version>3.1.4</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.4.2</version>
<configuration>
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
<addDefaultSpecificationEntries>true</addDefaultSpecificationEntries>
</manifest>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.11.2</version>
<configuration>
<source>8</source>
<doclint>none</doclint> <!-- none, missing, simple, or all -->
</configuration>
<!-- generate esapi-VERSION.javadoc.jar -->
<executions>
<execution>
<id>attach-javadocs</id>
<phase>package</phase>
<goals><goal>jar</goal></goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
<version>3.6.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<version>3.27.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.9.0</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>3.3.1</version>
</plugin>
<plugin>
<!-- Note: This uses the maven-fluido-skin version specified next.
The skin is referenced in src/site/site.xml. -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-site-plugin</artifactId>
<version>4.0.0-M16</version>
<dependencies>
<dependency>
<groupId>org.apache.maven.skins</groupId>
<artifactId>maven-fluido-skin</artifactId>
<version>${version.fluido}</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.3.1</version>
<executions>
<execution>
<id>attach-sources</id>
<phase>package</phase>
<goals><goal>jar-no-fork</goal></goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>${version.surefire}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
<version>${version.surefire}</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>cobertura-maven-plugin</artifactId>
<version>2.7</version>
<configuration>
<formats>
<format>html</format>
<format>xml</format>
</formats>
</configuration>
</plugin>
<plugin>
<groupId>io.github.jiangxincode</groupId>
<artifactId>jdepend-maven-plugin</artifactId>
<version>2.1</version>
</plugin>
<plugin>
<groupId>org.eluder.coveralls</groupId>
<artifactId>coveralls-maven-plugin</artifactId>
<version>4.3.0</version>
</plugin>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<!-- Version 12.x is the latest, but 10.0.4 is the latest that we can use beccause 11.x has a breaking
change that requires Java 11 or later and our mimimal JDK is Java 8.
-->
<!-- Note: As of 2025-05-18, I (kwwall) unable to get:
$ mvn -B org.owasp:dependency-check-maven:check
to work with OpenJDK 8 even though this same version of the Dependency Check plugin worked the previous
ESAPI release last November. I do not have time presently to track the reason for this down, but will
try to follow up with the OWASP Depencency Check team. In the meantime, I thought I would mention it
in case someone else tried it and ran into the problem. It is non-essential though, since I also use
GHAS Dependabot and Snyk SCA tools to monitor unpatched vulnerabilities in ESAPI dependencies.
-->
<version>10.0.4</version>
<configuration>
<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
<failBuildOnCVSS>1.0</failBuildOnCVSS>
<suppressionFiles>./suppressions.xml</suppressionFiles>
</configuration>
<executions>
<execution>
<goals>
<goal>purge</goal>
<!-- <goal>check</goal> -->
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
<reporting>
<plugins>
<plugin>
<groupId>io.github.weblegacy</groupId>
<artifactId>taglib-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-changelog-plugin</artifactId>
<configuration>
<issueIDRegexPattern>[Ii]ssue[# ]*(\d)+</issueIDRegexPattern>
<issueLinkUrl>https://github.com/ESAPI/esapi-java-legacy/issues/%ISSUE%</issueLinkUrl>
<type>date</type>
<dates>
<!-- TODO: Be sure to update. Should be date of 10revious official release -->
<!-- Exact date should be in previous release notes file under 'documentation/' directory. -->
<date>${date.prev_release}</date>
</dates>
</configuration>
</plugin>
<plugin>
<!-- Generate /site/apidocs and /site/testapidocs -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<configuration>
<doclint>none</doclint>
<source>8</source>
<failOnError>true</failOnError>
<failOnWarnings>true</failOnWarnings>
</configuration>
</plugin>
<plugin>
<!-- This plugin required in reporting section, as other maven reporting plugins use the Source XRef this plugin generates.
Without it, you get these errors when running mvn site: [WARNING] Unable to locate Source XRef to link to - DISABLED -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jxr-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
<configuration>
<targetJdk>${project.java.target}</targetJdk>
<sourceEncoding>utf-8</sourceEncoding>
<!-- excludeFromFailureFile>exclude-pmd.properties</excludeFromFailureFile -->
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<reportSets>
<reportSet>
<reports>
<report>index</report>
<report>dependency-convergence</report>
</reports>
</reportSet>
</reportSets>
<configuration>
<!-- setting this is supposed to make generating this report much faster, but didn't affect me without it, so I turned it off (DRW) -->
<!-- dependencyLocationsEnabled>false</dependencyLocationsEnabled -->
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-report-plugin</artifactId>
</plugin>
<plugin>
<!-- Using this introduces these errors: Skipped "JDepend" report (jdepend-maven-plugin:2.0:generate), file "jdepend-report.html" already exists.
but don't know how to eliminate them, without disabling this plugin. -->
<groupId>io.github.jiangxincode</groupId>
<artifactId>jdepend-maven-plugin</artifactId>
</plugin>
<!-- Check for available updates to dependencies and report on them. -->
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>versions-maven-plugin</artifactId>
<reportSets>
<reportSet>
<reports>
<report>dependency-updates-report</report>
<report>plugin-updates-report</report>
<report>property-updates-report</report>
</reports>
</reportSet>
</reportSets>
</plugin>
</plugins>
</reporting>
<profiles>
<profile>
<!-- Activate to sign jars and build distributable download. -->
<id>dist</id>
<!-- This profile is activated when mvn release:perform is called from the command line
to actually do a release. If you need this profile active for some reason outside
of performing a release, use mvn <command> -Pdist
-->
<activation>
<property>
<name>performRelease</name>
<value>true</value>
</property>
</activation>
<build>
<plugins>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<!--
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
-->
<configuration>
<!--
<keystore>codesign.keystore</keystore>
<alias>OWASP Foundation, Inc.'s GoDaddy.com ID</alias>
<verify>true</verify>
-->
<archive>
<manifest>
<addDefaultImplementationEntries>true</addDefaultImplementationEntries>
<addDefaultSpecificationEntries>true</addDefaultSpecificationEntries>
</manifest>
<manifestEntries>
<Sealed>true</Sealed>
</manifestEntries>
</archive>
</configuration>
</plugin>
<!-- For building the distribution zip file. -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-assembly-plugin</artifactId>
<configuration>
<descriptors>
<descriptor>src/main/assembly/dist.xml</descriptor>
</descriptors>
</configuration>
<executions>
<execution>
<id>make-dist</id>
<phase>package</phase>
<goals>
<goal>single</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Performs a full release. See release documentation for information on how to
perform an ESAPI release using Maven -->
<!--
mvn release:prepare was not working as expected, so I'm commenting this out and we
are doing all this SCM magic manually for now. - kevin wall, 2019-04-09
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-release-plugin</artifactId>
<configuration>
<tagBase>https://github.com/ESAPI/esapi-java-legacy/tags</tagBase>
</configuration>
</plugin>
-->
</plugins>
</build>
</profile>
<profile>
<id>jakarta</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.eclipse.transformer</groupId>
<artifactId>transformer-maven-plugin</artifactId>
<version>0.5.0</version> <!-- 1.0.0 is available, but requires newer JDK than ESAPI minimum. -->
<extensions>true</extensions>
<configuration>
<rules>
<jakartaDefaults>true</jakartaDefaults>
</rules>
</configuration>
<executions>
<execution>
<id>default-jar</id>
<goals>
<goal>jar</goal>
</goals>
<configuration>
<classifier>jakarta</classifier>
<artifact>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>${project.version}</version>
</artifact>
</configuration>
</execution>
<execution>
<id>javadoc-jar</id>
<goals>
<goal>jar</goal>
</goals>
<configuration>
<skip>false</skip>
<classifier>jakarta-javadoc</classifier>
<artifact>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>${project.version}</version>
<classifier>javadoc</classifier>
</artifact>
</configuration>
</execution>
<execution>
<id>source-jar</id>
<goals>
<goal>jar</goal>
</goals>
<configuration>
<skip>false</skip>
<classifier>jakarta-sources</classifier>
<artifact>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>${project.version}</version>
<classifier>sources</classifier>
</artifact>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>