Kevin W. Wall
So, in other words, Eclipse is still using technology from 1999 even though Java now includes the concepts of Java Modules in Java 9 which should address most of those...
> I have to figure out forcing it to trigger, then I'll generate a PR. As long as it automatically runs as part of 'mvn package' that should be sufficient....
Regarding log4j1, you know that you can just exclude it from your builds, right? All the security bulletins relevant to log4j1 show how to do this. And log4j1 isn't really...
Well, we definitely are **_NOT_** going down any NDA path. I think that goes against all the transparency that OWASP tries to stand for. And as far as the BOM...
Priority set to Low because using either of those older links results in a redirect to https://owasp.org/www-project-enterprise-security-api/.
Looking at this again, the simple thing would be to log something directly from `CipherSpec`, but I'd prefer not to tightly couple that class with the ESAPI Logger for that...
The only group of people that I think would benefit from that in ESAPI 2.x are those who are _only_ using canonicalization. That's too little benefit to too little...
@forgedhallpass - The one thing that I'm not sure you are considering is ESAPI is a _library_ so unlike an application, we can't just arbitrarily refactor the code. Backward compatibility...
@forgedhallpass - I would like to respond to your last comment, point by point, but unfortunately, I find this forum of GitHub comments to something this complex to be somewhat...
@xeno6696 - What you wrote makes sense, but I would think there are a lot of things in ESAPI like this because of all those singletons everywhere. Maybe FindSecBugs should...