From aa0670ef2f590367e8598d0b62ce075be3618f58 Mon Sep 17 00:00:00 2001 From: kwwall Date: Mon, 25 Nov 2024 21:00:34 -0500 Subject: [PATCH 01/10] Modifying pom.xml for next planned release. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index fa1a3d1a9..e5b99b918 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.6.0.0 + 2.7.0.0-SNAPSHOT jar From 6422acaa1f8f144022259160eaccc6553e077d93 Mon Sep 17 00:00:00 2001 From: "Kevin W. Wall" Date: Sat, 30 Nov 2024 16:36:35 -0500 Subject: [PATCH 02/10] Update SECURITY.md Note 2.6.0.0 as the current release. --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index a8d99638f..4945f7338 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,8 +12,8 @@ but if it is anything but trivial, we would charge a TBD consulting fee. | Version | Supported | | ------- | ------------------ | -| 2.5.5.0 (latest) | :white_check_mark: | -| 2.1.0.1-2.5.4.0 | :x:, upgrade to latest release | +| 2.6.0.0 (latest) | :white_check_mark: | +| 2.1.0.1-2.5.5.0 | :x:, upgrade to latest release | | <= 1.4.x | :x:, no longer supported AT ALL | ## Reporting a Vulnerability From 5f267f7d6a8bd4748c053aaa0d9e045c824ca1cc Mon Sep 17 00:00:00 2001 From: "Kevin W. Wall" Date: Tue, 13 May 2025 04:58:18 -0400 Subject: [PATCH 03/10] fix: pom.xml to reduce vulnerabilities (#875) The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHTTPCOMPONENTSCLIENT5-9804209 Co-authored-by: snyk-bot --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index e5b99b918..dc8c4ff78 100644 --- a/pom.xml +++ b/pom.xml @@ -243,7 +243,7 @@ org.owasp.antisamy antisamy - 1.7.7 + 1.7.8 From 2f7885fc66350c8eb706005188584ceec5baa6d6 Mon Sep 17 00:00:00 2001 
From: kwwall Date: Sun, 18 May 2025 15:49:16 -0400 Subject: [PATCH 04/10] New release notes for ESAPI 2.6.1.0 --- .../esapi4java-core-2.6.1.0-release-notes.txt | 189 ++++++++++++++++++ 1 file changed, 189 insertions(+) create mode 100644 documentation/esapi4java-core-2.6.1.0-release-notes.txt diff --git a/documentation/esapi4java-core-2.6.1.0-release-notes.txt b/documentation/esapi4java-core-2.6.1.0-release-notes.txt new file mode 100644 index 000000000..7f3c0a88b --- /dev/null +++ b/documentation/esapi4java-core-2.6.1.0-release-notes.txt 
@@ -0,0 +1,189 @@ +Release notes for ESAPI 2.6.1.0 + Release date: 2025-05-18 + Project leaders: + -Kevin W. Wall + -Matt Seil + +Previous release: ESAPI 2.6.0.0, 2024-11-25 + + +Executive Summary: Important Things to Note for this Release +------------------------------------------------------------ +This is a patch release with the primary intent of updating the AntiSamy dependency from v1.7.7 to v1.7.8. Among other fixes, AntiSamy 1.7.8 updated HttpClient 5.x to address CVE-2025-27820, which potentially could affect ESAPI users if they had customized their aAntiSamy Policy File (by default, antisamy-esapi.xml) to allow certain CSS constructs. (The default policy file does not allow CSS markup at all, and I don't believe that it would be exploitable via ESAPI.) + + +Notes if you are not updating from the immediate previous release. release 2.6.0.0: + * You need to read through the series of release notes FIRST, going in order. + * For example, if you were updating from an older ESAPI release (say, 2.3.0.0), you should go back and FIRST read all the subsequent release notes in turn. For instance, if you are currently on release 2.3.0.0 and upgrading to (say) release 2.x.y.z, you should MINIMALLY read the sections "Changes Requiring Special Attention" in each of the subsequent release notes. So, going from release 2.3.0.0 to 2.x.y.z, you should in turn, read: + + esapi4java-core-2.4.0.0-release-notes.txt + esapi4java-core-2.5.0.0-release-notes.txt + esapi4java-core-2.5.1.0-release-notes.txt + esapi4java-core-2.5.2.0-release-notes.txt + ...etc., up through the current set of release notes... + esapi4java-core-2.x.y.z-release-notes.txt + +in that order. YOU HAVE BEEN WARNED!!! (These release notes are too large to put all this in a given document; very few read them thoroughly as it is.) 
+ +If your SCA tool is reporting any CVE from a direct or transitive dependency in ESAPI, before reporting it as an GitHub issue, please make sure that you review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md. Please email us or contact us in our GitHub Discussions page if you have questions about this. See also the SECURITY.md file to report any security issues with ESAPI. + +You are encouraged to review the vulnerability analysis written up in https://github.com/ESAPI/esapi-java-legacy/blob/develop/Vulnerability-Summary.md and email us or contact us in our GitHub Discussions page if you have questions. + + +================================================================================================================= + +Basic ESAPI facts +----------------- + +ESAPI 2.6.0.0 release: + 207 Java source files + 4312 JUnit tests in 133 Java source files + +ESAPI 2.6.1.0 release: + 207 Java source files + 4312 JUnit tests in 133 Java source files + +9 GitHub Issues closed in this release, including those we've decided not to fix (marked 'wontfix' and 'falsepositive'). +(Reference: https://github.com/ESAPI/esapi-java-legacy/issues?q=is%3Aissue+state%3Aclosed+updated%3A%3E%3D2024-11-25) + +Issue # GitHub Issue Title +---------------------------------------------------------------------------------------------- +204 DefalutValidator.isValidSafeHTML() doesn't work - bug, Component-Validator, imported, Milestone-Release2.2, Priority-Medium, wontfix +838 Getting org.owasp.esapi.errors.ConfigurationException: java.lang.reflect.InvocationTargetException Encoder class (org.owasp.esapi.reference.DefaultEncoder) CTOR threw exception. 
- bug, wontfix +858 Fail to run Linux command with double quotes using executeSystemCommand - question, ConvertedToDiscussion +859 Remove deprecated Validator.isValidSafeHTML methods - bug (Note: fixed in previous release, 2.6.0.0) +863 2.6.0.0 still using javax HttpServletRequest - enhancement, falsepositive +867 How to turn off ESAPI logs or change its log level - question, ConvertedToDiscussion +868 Do not depend on commons-collections4 milestone (use 4.4 instead) - bug, Vulnerable Dependencies, wontfix +874 jakarta.servlet-api 5.0(Jakarta EE 9) change the package name from javax.xxx to jakarta.xxxx - enhancement, duplicate, NothingToFixHere +876 Upgrade version of antisamy to 1.7.8 to update transitive dependency affected by CVE-2025-27820 - enhancement, duplicate, NothingToFixHere + +----------------------------------------------------------------------------- + + Changes Requiring Special Attention + +----------------------------------------------------------------------------- +Important JDK Support Announcement +* ESAPI 2.3.0.0 was the last Java release to support Java 7. ESAPI 2.4.0 requires using Java 8 or later. See the ESAPI 2.4.0.0 release notes (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.4.0.0-release-notes.txt) for details as to the reason. + - This means if your project requires Java 7, you must use ESAPI 2.3.0.0 or earlier. + +Important ESAPI Logging Changes + +* Since ESAPI 2.5.0.0, support for logging directly via Log4J 1 has been removed. (This was two years after it haveing first been deprecated.) Thus, you only choice of ESAPI logging are + - java.util.logging (JUL), which as been the default since ESAPI 2.2.1.0. + * Set ESAPI.Logger=org.owasp.esapi.logging.java.JavaLogFactory in your ESAPI.properties file. + - SLF4J (which your choice of supported SLF4J logging implemmentation) + * Set ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory in your ESAPI.properties file. 
+* Logger configuration notes - If you are migrating from prior to ESAPI 2.2.1.1, you will need to update your ESAPI.properties file as logging-related configuration as per the ESAPI 2.2.1.1 release notes, which may be found at: + https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.1.1-release-notes.txt#L39-L78 + +If you use ESAPI 2.5.0.0 or later, you will get an ClassNotFoundException as the root cause if you still have your ESAPI.Logger property set to use Log4J because the org.owasp.esapi.logger.log4j.Log4JFactory class has been completely removed from the ESAPI jar. If you are dead set on continuing to use Log4J 1, you ought to be able to do so via SLF4J. The set up for Log4J 1 (which has not be tested), should be similar to configure ESAPI to use SLF4J with Log4J 2 as described here: + https://github.com/ESAPI/esapi-java-legacy/wiki/Using-ESAPI-with-SLF4J#slf4j-using-log4j-2x + +----------------------------------------------------------------------------- + + Remaining Known Issues / Problems + +----------------------------------------------------------------------------- +None known, other than the remaining open issues on GitHub. + +----------------------------------------------------------------------------- + + Other changes in this release, some of which not tracked via GitHub issues + +----------------------------------------------------------------------------- + +* Changes since last release 2.6.0.0 and 2.6.1.0, i.e., changes between 2025-11-25 and 2025-05-18. + + Note: I am no longer going to provide the 'Developer Activity Report' that I used to this manually create in tabluar form. This is in part because I use to use 'mvn site' to assist with its creation, but neither the 'Developer Activiity' nor 'File Activity' sections of the 'mvn site' output is currently working. + + That said, I don't care as this was always a major PITA and I think it had dubious value to start with. 
+ + Therefore, I am replacing it to a stock GitHub tag comparison of the current and previous release, which I can automate. + + Please see, + + https://github.com/ESAPI/esapi-java-legacy/compare/esapi-2.6.0.0...esapi-2.6.1.0 + + for details. It contains all the information that the previous 'Developer Activity Reports' did and then some. + + +CHANGELOG: Create your own. May I suggest: + + git log --stat --since=2024-11-25 --reverse --pretty=medium + + which will show all the commits since just after the previous (2.6.0.0) release. + + Alternately, you can download the most recent ESAPI source and run + + mvn site + + which will create a CHANGELOG file named 'target/site/changelog.html' + + +----------------------------------------------------------------------------- + +Direct and Transitive Runtime and Test Dependencies: + + $ mvn -B dependency:tree + ... + [INFO] --- maven-dependency-plugin:3.8.1:tree (default-cli) @ esapi --- + [INFO] org.owasp.esapi:esapi:jar:2.6.1.0 + [INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided + [INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided + [INFO] +- xom:xom:jar:1.3.9:compile + [INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile + [INFO] | +- commons-logging:commons-logging:jar:1.2:compile + [INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile + [INFO] +- commons-configuration:commons-configuration:jar:1.10:compile + [INFO] +- commons-lang:commons-lang:jar:2.6:compile + [INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile + [INFO] +- org.apache.commons:commons-collections4:jar:4.5.0-M2:compile + [INFO] +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile + [INFO] +- org.owasp.antisamy:antisamy:jar:1.7.8:compile + [INFO] | +- commons-io:commons-io:jar:2.19.0:compile + [INFO] | +- org.apache.httpcomponents.client5:httpclient5:jar:5.4.4:compile + [INFO] | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.3.4:compile + [INFO] | +- 
org.apache.httpcomponents.core5:httpcore5:jar:5.3.4:compile + [INFO] | +- org.apache.xmlgraphics:batik-css:jar:1.19:compile + [INFO] | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.19:compile + [INFO] | | +- org.apache.xmlgraphics:batik-util:jar:1.19:compile + [INFO] | | | +- org.apache.xmlgraphics:batik-constants:jar:1.19:compile + [INFO] | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.19:compile + [INFO] | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.11:compile + [INFO] | +- org.htmlunit:neko-htmlunit:jar:4.11.0:compile + [INFO] | +- xerces:xercesImpl:jar:2.12.2:compile + [INFO] | \- xml-apis:xml-apis-ext:jar:1.3.04:compile + [INFO] +- org.slf4j:slf4j-api:jar:2.0.16:compile + [INFO] +- xml-apis:xml-apis:jar:1.4.01:compile + [INFO] +- com.github.spotbugs:spotbugs-annotations:jar:4.9.3:compile (optional) + [INFO] | \- com.google.code.findbugs:jsr305:jar:3.0.2:compile (optional) + [INFO] +- commons-codec:commons-codec:jar:1.17.1:test + [INFO] +- junit:junit:jar:4.13.2:test + [INFO] +- org.bouncycastle:bcprov-jdk18on:jar:1.78.1:test + [INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test + [INFO] | \- org.hamcrest:hamcrest:jar:2.2:test + [INFO] +- org.powermock:powermock-api-mockito2:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-api-support:jar:2.0.9:test + [INFO] +- org.mockito:mockito-core:jar:3.12.4:test + [INFO] | +- net.bytebuddy:byte-buddy:jar:1.11.13:test + [INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.11.13:test + [INFO] | \- org.objenesis:objenesis:jar:3.2:test + [INFO] +- org.powermock:powermock-core:jar:2.0.9:test + [INFO] | \- org.javassist:javassist:jar:3.27.0-GA:test + [INFO] +- org.powermock:powermock-module-junit4:jar:2.0.9:test + [INFO] | \- org.powermock:powermock-module-junit4-common:jar:2.0.9:test + [INFO] +- org.powermock:powermock-reflect:jar:2.0.9:test + [INFO] \- org.openjdk.jmh:jmh-core:jar:1.37:test + [INFO] +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:test + [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test 
+ [INFO] ------------------------------------------------------------------------ + +----------------------------------------------------------------------------- + +Acknowledgments: + A special thanks to the AntiSamy team in getting a new AntiSamy release out in short order. And thanks to Matt Seil, Jeremiah Stacey, and all the ESAPI users who make this worthwhile. This is for you. + +A special thanks to the ESAPI community from the ESAPI project co-leaders: + Kevin W. Wall (kwwall) <== The irresponsible party for these release notes! + Matt Seil (xeno6696) From 14678f6d7e122b4a14459e68f28549497a158640 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 18 May 2025 15:50:43 -0400 Subject: [PATCH 05/10] Env vars for new ESAPI version --- scripts/vars.2.6.1.0 | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 scripts/vars.2.6.1.0 diff --git a/scripts/vars.2.6.1.0 b/scripts/vars.2.6.1.0 new file mode 100644 index 000000000..fba98e28d --- /dev/null +++ b/scripts/vars.2.6.1.0 @@ -0,0 +1,14 @@ +# Do NOT edit this file directly. It will be created by the new createVarsFile.sh script, +# which should be run prior to the newReleaseNotes.sh script. + +# ESAPI (new / current) version +VERSION=2.6.1.0 + +# Previous ESAPI version +PREV_VERSION=2.6.0.0 + +# Release date of current version in yyyy-mm-dd format +YYYY_MM_DD_RELEASE_DATE=2025-05-18 + +# Previous ESAPI release date in same format +PREV_RELEASE_DATE=2024-11-25 From 2904144eac396c8cf01df150a8006add0aea34c5 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 18 May 2025 15:52:07 -0400 Subject: [PATCH 06/10] Changes to replace manually created Developer Activity Report with a simple GitHub comparision. --- ...esapi4java-core-TEMPLATE-release-notes.txt | 27 ++++++++----------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/scripts/esapi4java-core-TEMPLATE-release-notes.txt b/scripts/esapi4java-core-TEMPLATE-release-notes.txt index 3aabe5d38..d03f64be6 100644 
--- a/scripts/esapi4java-core-TEMPLATE-release-notes.txt +++ b/scripts/esapi4java-core-TEMPLATE-release-notes.txt 
@@ -98,24 +98,19 @@ None known, other than the remaining open issues on GitHub. ----------------------------------------------------------------------------- -* Minor updates to README.md file with respect to version information. +* Changes since last release ${PREV_VERSION} and ${VERSION}, i.e., changes between ${PREV_RELEASE_DATE} and ${YYYY_MM_DD_RELEASE_DATE}). ------------------------------------------------------------------------------ + Note: I am no longer going to provide the 'Developer Activity Report' that I used to this manually create in tabluar form. This is in part because I use to use 'mvn site' to assist with its creation, but neither the 'Developer Activiity' nor 'File Activity' sections of the 'mvn site' output is currently working. + + That said, I don't care as this was always a major PITA and I think it had dubious value to start with. + + Therefore, I am replacing it to a stock GitHub tag comparison of the current and previous release, which I can automate. + + Please see, + + https://github.com/ESAPI/esapi-java-legacy/compare/esapi-${PREVIOUS_VERSION}...esapi-${VERSION} -Developer Activity Report (Changes between release ${PREV_VERSION} and ${VERSION}, i.e., between ${PREV_RELEASE_DATE} and ${YYYY_MM_DD_RELEASE_DATE}) -Generated manually (this time) -- all errors are the fault of kwwall and his inability to do simple arithmetic. - -@@@@ -@@@@ This section needs to be manually updated. -@@@@ -Developer Total Total Number # Merged -(GitHub ID) commits of Files Changed PRs -======================================================== -jeremiahjstacey 8 6 1 -dependabot 1 1 1 -kwwall 7 8 0 -======================================================== - Total PRs: 2 + for details. It contains all the information that the previous 'Developer Activity Reports' did and then some. ----------------------------------------------------------------------------- From a34b00d8cf4b54f535b1bb6e5d0387e1b78b9fc8 Mon Sep 17 00:00:00 2001 
From: kwwall Date: Sun, 18 May 2025 15:53:09 -0400 Subject: [PATCH 07/10] Changes for new release, 2.6.1.0 --- pom.xml | 47 ++++++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/pom.xml b/pom.xml index dc8c4ff78..179304674 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.owasp.esapi esapi - 2.7.0.0-SNAPSHOT + 2.6.1.0 jar @@ -132,16 +132,16 @@ UTF-8 1.37 2.0.0-M3 - 2.0.0-M11 + 2.0.0-M11 2.0.9 - 4.8.6 - 4.8.6.6 - 3.5.2 + 4.9.3 + 4.9.3.0 + 3.5.3 1.8 - 2024-10-08 00:00:00 + 2024-11-25 00:00:00 @@ -408,7 +408,7 @@ org.apache.maven.plugins maven-dependency-plugin - 3.8.0 + 3.8.1 org.apache.maven.plugins @@ -418,7 +418,7 @@ org.codehaus.mojo versions-maven-plugin - 2.17.1 + 2.18.0 file:${project.basedir}/versionRuleset.xml @@ -431,7 +431,7 @@ org.cyclonedx cyclonedx-maven-plugin - 2.8.2 + 2.9.1 package @@ -467,19 +467,24 @@ org.apache.maven.plugins maven-changelog-plugin - 2.3 + + 3.0.0-M1 org.apache.maven.plugins maven-clean-plugin - 3.4.0 + 3.4.1 org.apache.maven.plugins maven-compiler-plugin - 3.13.0 + 3.14.0 ${project.java.target} ${project.java.target} @@ -513,7 +518,7 @@ org.apache.maven.plugins maven-deploy-plugin - 3.1.3 + 3.1.4 @@ -533,7 +538,7 @@ org.codehaus.mojo extra-enforcer-rules - 1.9.0 + 1.10.0 org.codehaus.mojo @@ -615,7 +620,7 @@ org.apache.maven.plugins maven-install-plugin - 3.1.3 + 3.1.4 @@ -635,7 +640,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.10.1 + 3.11.2 8 none @@ -653,19 +658,19 @@ org.apache.maven.plugins maven-jxr-plugin - 3.5.0 + 3.6.0 org.apache.maven.plugins maven-pmd-plugin - 3.25.0 + 3.26.0 org.apache.maven.plugins maven-project-info-reports-plugin - 3.7.0 + 3.9.0 @@ -740,7 +745,7 @@ org.owasp dependency-check-maven - 10.0.4 @@ -776,7 +781,7 @@ https://github.com/ESAPI/esapi-java-legacy/issues/%ISSUE% date - + ${date.prev_release} From 99f551040c5dde5c482a1a9ce1e8c835bbb0f865 Mon Sep 17 00:00:00 2001 
From: kwwall Date: Sun, 18 May 2025 21:23:03 -0400 Subject: [PATCH 08/10] Added comment about how OWASP Dependency Check is no longer working in case someone else runs into the problem. --- pom.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/pom.xml b/pom.xml index 179304674..59d7be72c 100644 --- a/pom.xml +++ b/pom.xml @@ -748,6 +748,14 @@ + <-- Note: As of 2025-05-18, I (kwwall) unable to get: + $ mvn -B dependency:tree + to work with OpenJDK 8 even though this same version of the Dependency Check plugin worked the previous + ESAPI release last November. I do not have time presently to track the reason for this down, but will + try to follow up with the OWASP Depencency Check team. In the meantime, I thought I would mention it + in case someone else tried it and ran into the problem. It is non-essential though, since I also use + GHAS Dependabot and Snyk SCA tools to monitor unpatched vulnerabilities in ESAPI dependencies. + --> 10.0.4 ${env.NVD_API_KEY} From 5c0553c8c25b97292ed700f967df856c3bb8c345 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 18 May 2025 21:44:55 -0400 Subject: [PATCH 09/10] Fix botched comment. --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 59d7be72c..79e6f1e49 100644 --- a/pom.xml +++ b/pom.xml @@ -748,14 +748,14 @@ - <-- Note: As of 2025-05-18, I (kwwall) unable to get: + + --> 10.0.4 ${env.NVD_API_KEY} From e0ef29556f1bf7fbaf4d6ad94899db3e9d431f90 Mon Sep 17 00:00:00 2001 From: kwwall Date: Sun, 18 May 2025 21:52:48 -0400 Subject: [PATCH 10/10] Sigh. Fix comment again. This one was copy/paste error. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 79e6f1e49..5da4fd7e1 100644 --- a/pom.xml +++ b/pom.xml @@ -749,7 +749,7 @@ change that requires Java 11 or later and our mimimal JDK is Java 8. -->
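Review bot: In PATCH 02/10, the SECURITY.md supported-versions table is set to "2.6.0.0 (latest)", but PATCH 07/10 changes the pom.xml version to 2.6.1.0 and no later patch in this series touches SECURITY.md. Add a hunk alongside the 2.6.1.0 release that lists 2.6.1.0 as the latest supported version and extends the unsupported range to 2.1.0.1-2.6.0.0, so the policy that tells reporters which versions get fixes matches what is actually being published.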
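Review bot: In PATCH 04/10, the "Other changes in this release" section of esapi4java-core-2.6.1.0-release-notes.txt gives the window as "changes between 2025-11-25 and 2025-05-18", but the header of the same file lists the previous release as "ESAPI 2.6.0.0, 2024-11-25" and scripts/vars.2.6.1.0 has PREV_RELEASE_DATE=2024-11-25, so the start date should read 2024-11-25. In the same file, the Executive Summary has "aAntiSamy Policy File", the upgrade heading reads "the immediate previous release. release 2.6.0.0:", and the pointer to Vulnerability-Summary.md is given in two consecutive paragraphs; the second can be dropped. Since the Executive Summary is where users will decide whether CVE-2025-27820 applies to them, it would help to state plainly that exposure depends on a customized antisamy-esapi.xml that allows CSS.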
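Review bot: In PATCH 06/10, the compare URL added to esapi4java-core-TEMPLATE-release-notes.txt uses ${PREVIOUS_VERSION}, while the bullet at the top of the same hunk and scripts/vars.2.6.1.0 from PATCH 05/10 use PREV_VERSION; unless the generating script defines both names, the URL will be emitted unsubstituted. Use esapi-${PREV_VERSION}...esapi-${VERSION}. The new bullet also ends with an unmatched ")" after ${YYYY_MM_DD_RELEASE_DATE}, and "Changes since last release ${PREV_VERSION} and ${VERSION}" should read "Changes between release ...". The note text carries "tabluar", "Activiity" and "I use to use", which will now be copied into every generated set of release notes, so it is worth fixing them here in the template.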
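Review bot: In PATCH 07/10, the maven-changelog-plugin hunk moves the plugin from 2.3 to 3.0.0-M1, a milestone version, in the same commit that sets the project version to the release 2.6.1.0, and the commit subject "Changes for new release, 2.6.1.0" says nothing about it or about the other build-plugin bumps in the patch. The release notes added in PATCH 04/10 tell readers that "mvn site" produces target/site/changelog.html while also saying parts of the "mvn site" output are not working, so please confirm the changelog report still generates with 3.0.0-M1 and record the reason for taking a milestone build in the commit message. Splitting the version change from the plugin upgrades would also make it easier to bisect a build regression such as the Dependency Check failure described in PATCH 08/10.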
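Review bot: In PATCH 08/10, the comment added above the dependency-check-maven version opens with "<--" rather than "<!--", which leaves pom.xml unparseable at that commit, and it names "$ mvn -B dependency:tree" as the failing command even though the release notes in PATCH 04/10 include that command's output for 2.6.1.0. PATCH 09/10 and PATCH 10/10 correct both problems, so squash the three into a single commit; that keeps every commit in the series buildable. The final wording in PATCH 10/10 still has "mimimal" for "minimal". Because the comment records that one of the project's SCA checks is currently not running, it should also say which command does fail and point to a tracking issue, so the gap is not forgotten once Dependabot and Snyk are the only scanners left.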