0

I want to use ESAPI in my project and have added the following dependencies in the pom.xml.

pom.xml with dependency:

            <dependency>
                <groupId>org.owasp.encoder</groupId>
                <artifactId>encoder</artifactId>
                <version>1.2.3</version>
            </dependency>
            <dependency>
                <groupId>org.owasp.esapi</groupId>
                <artifactId>esapi</artifactId>
                <version>2.5.0.0</version>
            </dependency>

But when I import org.owasp.esapi.*, IntelliJ gives me a warning as shown in the image.

I want to use the ESAPI logger to prevent CRLF injection possibilities in log statements. My current project uses slf4j.Logger.

I am very new to ESAPI and OWASP and have never used them, and I have tried following the instructions here: https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#configuring-esapi-to-use-slf4j

Please tell me if I'm doing something wrong and how to correctly use ESAPI in a project.

jdk

2 Answers

1

Hmm. What JDK are you using with IntelliJ? Java 8 or later is required as of 2.4.0.0. That's the only thing that I can think of that would cause this behavior. Looks okay otherwise. Did you check if the esapi-2.5.0.0.jar got pulled down? Because it's either not finding that or it's not compatible with the Java version that your IntelliJ IDE is using.

Kevin W. Wall
  • I'm using jdk8 and my pom.xml file doesn't show me an error for the dependency when synced. I checked in External Libraries in the project structure and it is not present there. I also checked the local repository in .m2 and it is not there either; not sure why it is not being downloaded to the local repo – jdk Nov 03 '22 at 04:05
0

Well, I found that I was adding this dependency in the <dependencyManagement> tag instead of the <dependencies> tag; that's why it wasn't downloading from the repository.

Previous:

<dependencyManagement>
  <dependencies>
    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>2.5.0.0</version>
    </dependency>
  </dependencies>
</dependencyManagement>

After fix:

  <dependencies>
    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>2.5.0.0</version>
    </dependency>
  </dependencies>

For the difference between <dependencies> and <dependencyManagement>, please refer to this: Differences between dependencyManagement and dependencies in Maven

jdk
  • 1
    Ah, glad you figured it out. Based on the context of what you originally showed, it wasn't obvious that this was in the section, but the fact that the ESAPI jar wasn't showing up in your local Maven cache under $HOME/.m2 was a good clue. – Kevin W. Wall Nov 04 '22 at 12:59
  • Yes, it was by your suggestion about the pulling jar that I went deeper and found the actual problem. Thanks for your finding. Otherwise it was very frustrating why it was not downloading. Thanks! – jdk Nov 05 '22 at 14:14
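
A way to catch the mistake described in the accepted fix above before it costs time, as an added example that is not part of the original answers: the script reports artifacts that a single pom.xml names only under <dependencyManagement>. The function name `managed_only` and the sample POM are constructed for illustration; it assumes a single-module build, since in a multi-module build a child POM may legitimately declare the dependency that the parent only manages.

```python
# Added example, not from the original post: list artifacts that a pom.xml names
# only under <dependencyManagement>, which pins a version but pulls in no jar.
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    """First direct child with the given local name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)

def _coords(container):
    """Set of (groupId, artifactId) pairs under one <dependencies> element."""
    found = set()
    for dep in (container if container is not None else []):
        if _local(dep.tag) != "dependency":
            continue
        g, a = _child(dep, "groupId"), _child(dep, "artifactId")
        if g is not None and a is not None:
            found.add(((g.text or "").strip(), (a.text or "").strip()))
    return found

def managed_only(pom_xml):
    """Coordinates declared in <dependencyManagement> but never in <dependencies>."""
    project = ET.fromstring(pom_xml)
    # Only the project's direct <dependencies> child puts jars on the classpath.
    active = _coords(_child(project, "dependencies"))
    mgmt = _child(project, "dependencyManagement")
    managed = _coords(_child(mgmt, "dependencies")) if mgmt is not None else set()
    return sorted(managed - active)

# Constructed sample POM reproducing the mistake described in the answer above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId>
      <version>2.5.0.0</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.owasp.encoder</groupId><artifactId>encoder</artifactId>
      <version>1.2.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for group, artifact in managed_only(SAMPLE_POM):
        print(f"{group}:{artifact} is managed but not declared as a dependency")
```

A reported artifact is absent from the classpath, so code that was meant to route log statements through the ESAPI logger will not resolve its imports until the artifact is also declared under <dependencies>.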