Very old package bsh being used in org.owasp.esapi:esapi


Sarthak Mehta

Feb 12, 2025, 1:37:09 PM
to ESAPI Project Users
Hi,

Are there any plans to remove org.apache-extras.beanshell:bsh from org.owasp.esapi:esapi? It is very old, and no new updates have been added to it since 2016.

Thanks,
Sarthak Mehta

Kevin W. Wall

Feb 12, 2025, 11:21:30 PM
to Sarthak Mehta, ESAPI Project Users
Hi Sarthak,

I did a little research. There actually is a newer version of bsh jar from Dec 2, 2022. See:
for details. It is declared as the last release on the 2.x branch. Every time I do an ESAPI release, I run a check that looks for newer versions of jars. Nothing in Maven Central lists a newer version than the 2.0b6 version. (For details, see https://mvnrepository.com/artifact/org.apache-extras.beanshell/bsh.) Apparently, they just haven't been uploading new releases to Maven Central.

If you want to create a PR to download bsh-2.1.1.jar from some other reputable repo, be my guest, but we are not going to simply remove it from ESAPI unless there are known exploitable vulnerabilities in it. (At least I have not seen any such evidence from any of the 4 SCA tools that I monitor.)

Bsh is used by ESAPI's WAF. In particular, the bsh interpreter interacts through the ESAPI WAF's org.owasp.esapi.waf.rules.BeanShellRule class. The main class for the ESAPI WAF is org.owasp.esapi.waf.ESAPIWebApplicationFirewallFilter, so if you are not using that class, even if there were vulnerabilities in bsh-2.0b6.jar, they wouldn't affect you. However, if we removed that as a dependency, we would have to remove BeanShellRule and thus potentially break someone's code that is using it. And that is not something that I am going to do without a good reason.

Hey, I'm way older than 2016 and AFAIK, there are no upgrades planned for me, so I hope that someone doesn't plan on removing me simply because I am "old". This old dinosaur is still kicking.

Best regards,
-kevin
--
Blog: https://off-the-wall-security.blogspot.com/    | GitHub: @kwwall | OWASP ESAPI Project co-lead | OWASP and ACM lifetime member
NSA: All your crypto bit are belong to us.


--
You received this message because you are subscribed to the Google Groups "ESAPI Project Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to esapi-project-u...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/esapi-project-users/7535337b-d846-4dd2-967d-8ff450a4fe11n%40owasp.org.
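For readers who, as Kevin describes, do not register ESAPIWebApplicationFirewallFilter and therefore never reach BeanShellRule, the bsh jar can be kept off the classpath entirely with a Maven exclusion. The following pom.xml fragment is an added example and is not from the thread or the ESAPI project; the groupId/artifactId coordinates are the ones named in the thread, and the esapi version is a placeholder to be replaced with the version actually in use.

```xml
<!-- Added example (not ESAPI project code): drop the bsh transitive dependency
     from esapi when the ESAPI WAF (ESAPIWebApplicationFirewallFilter / BeanShellRule)
     is not used by the application. ESAPI_VERSION_PLACEHOLDER is a placeholder. -->
<dependency>
  <groupId>org.owasp.esapi</groupId>
  <artifactId>esapi</artifactId>
  <version>ESAPI_VERSION_PLACEHOLDER</version>
  <exclusions>
    <!-- Coordinates as given in the thread; only safe to exclude if no code path
         (web.xml filter mapping or programmatic use) loads BeanShellRule. -->
    <exclusion>
      <groupId>org.apache-extras.beanshell</groupId>
      <artifactId>bsh</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Before adding the exclusion, confirm that web.xml (or any servlet-container configuration) does not map ESAPIWebApplicationFirewallFilter and that nothing references org.owasp.esapi.waf classes; afterwards, `mvn dependency:tree` should no longer list bsh under esapi, which also makes the SCA findings Kevin mentions moot for that artifact. If the WAF is in use, the exclusion would break BeanShellRule at runtime with a ClassNotFoundException, so in that case the dependency has to stay.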