Merge pull request #187 : Add Java security libraries

Author: jgadsden

.github/dependabot.yml

@@ -12,8 +12,8 @@ updates:
         patterns:
           - "*"
         update-types:
-          - "minor"
           - "patch"
+          - "minor"
       security-update:
         applies-to: security-updates
         patterns:

.github/workflows/ci.yaml

@@ -23,7 +23,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: >-
             --no-progress
@@ -73,7 +73,7 @@ jobs:
       # rojopolis/spellcheck-github-actions does not support PT-BR,
       # only PT, and PT-BR is too different to pass a PT spellcheck
       - name: Set up Python for PT-BR
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: '3.10'
 
@@ -96,7 +96,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 
@@ -130,7 +130,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 

.github/workflows/housekeeping.yaml

@@ -25,7 +25,7 @@ jobs:
           keep_minimum_runs: 10
 
       - name: Delete unused workflows
-        uses: otto-de/purge-deprecated-workflow-runs@v4.0.2
+        uses: otto-de/purge-deprecated-workflow-runs@v4.0.3
         with:
           token: ${{ github.token }}
 
@@ -37,7 +37,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           # skip the jekyll files under '_includes' directory, check all other directories
           args: >-
@@ -61,7 +61,7 @@ jobs:
 
     steps:
       - name: Tidy stale PRs and issues
-        uses: actions/stale@v10.1.1
+        uses: actions/stale@v10.2.0
         with:
           days-before-issue-stale: 183
           days-before-issue-close: -1

.github/workflows/pr.yaml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v2.7.0
+        uses: lycheeverse/lychee-action@v2.8.0
         with:
           args: >-
             --exclude 'github\.com/OWASP/DevGuide/blob/main/docs'
@@ -81,7 +81,7 @@ jobs:
       # rojopolis/spellcheck-github-actions does not support PT-BR,
       # only PT, and PT-BR is too different to pass a PT spellcheck
       - name: Set up Python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: '3.10'
 
@@ -104,7 +104,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 
@@ -135,7 +135,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 

.github/workflows/release.yaml

@@ -18,7 +18,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Install python
-        uses: actions/setup-python@v6.1.0
+        uses: actions/setup-python@v6.2.0
         with:
           python-version: 3.x
 

.wordlist-en.txt

@@ -162,6 +162,7 @@ LINNDUN
 LLM
 LSMs
 Laravel
+LevelBlue
 Lezza
 LifeCycle
 Lifecycle

.wordlist-es.txt

@@ -263,6 +263,7 @@ leaks
 learning
 left
 Left
+LevelBlue
 LFD
 library
 LINDDUN

docs/en/04-design/01-threat-modeling/01-threat-modeling-project.md

@@ -1,28 +1,29 @@
-The [Threat Model Project][tmproject] is an over-arching project provided by OWASP
+The OWASP [Threat Modeling Project][tmproject] is an over-arching project
 that seeks to inform and guide on the very large domain that is [Threat Modeling][tmptm].
 
 #### What is the Threat Model project?
 
 The Threat Model project is not intended to be a primary source on the threat modeling domain;
 there are already many excellent sources that describe and explain threat modeling that this project does not need to repeat.
 
-Instead the Threat Model project seeks to provide information on [threat modeling techniques][tmpapp]
+Instead the Threat Model project seeks to provide direction on [threat modeling techniques][tmpapp]
 for applications and systems of all types, with a focus on current and emerging techniques.
+To provide this the project intends to collate threat modeling techniques, methodologies, tools and examples.
 
-To do this project intends to gather techniques, methodologies, tools and examples.
-There is also the intention to foster a threat modeling community and support it through initiatives and forums.
+There is also the aim to foster a threat modeling community and support it through initiatives and forums.
 
-Note that much of this is what the project intends to provide in the future.
-As of January 2026 the project is going through a change process that will better provide this information and guidance.
+Note that much of this are intentions for the future;
+as of January 2026 the project is going through a change process that will better provide this information and guidance.
+At present it is at OWASP Incubator status with promotion to Laboratory status expected later in 2026.
 
 #### Why refer to this project?
 
 The [Threat Modeling][tmproject] project is an over-arching project for the other threat modeling projects and resources.
 
 It can be used as a landing page for all things threat modeling;
 the starting point for finding [resources and tools][tmpres] as well as the core concepts.
-For example there is an introduction to Shostack's [Four Question Framework][4QFW],
-that then references the primary source if the user needs to know more.
+For example there is an introduction to Shostack's [Four Question Framework][4QFW]
+that references the primary source if the user needs to know more.
 
 #### OWASP threat modeling projects
 

docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md

@@ -0,0 +1,79 @@
+The OWASP [Java Encoder][java-encoder-project] and OWASP [Java HTML Sanitizer][html-sanitizer-project] projects
+are security libraries for Java web applications that provide output encoding and HTML input sanitization.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is used to ensure both JSON input and output
+are _reasonably_ safe for Java applications.
+
+#### What are they?
+
+Java Encoder package provides the Java application with contextual output encoding of HTML.
+It provides individual methods for HTML, URLs, JavaScript and CSS.
+
+Java HTML Sanitizer is used to sanitize untrusted HTML so that it can be safely handled within a Java application.
+The JAR file is included in a Java application and then a policy is defined for it.
+
+These are both established projects with a regular release history stretching back to 2013.
+
+The JSON Sanitizer is a Java component that will transform arbitrary JSON
+to well-formed JSON as defined by [RFC 4627][rfc4627].
+This can be used to accept JSON input from an untrusted source and then safely output JSON to other processes.
+
+JSON Sanitizer is a widely used library provided by OWASP,
+and it is a direct dependents for many 1000s of other libraries and in many more applications.
+It is a project that was transferred to OWASP in 2021 by github user `mikesamuel`
+and so this OWASP library is identified as `com.mikesamuel:json-sanitizer`.
+
+#### Why use the libraries?
+
+The use of both Java Encoder and Java HTML Sanitizer is part of a defense in depth approach
+to preventing [cross site scripting][csxss] (XSS) and other attacks.
+They are well established OWASP projects with 'Lab' status.
+
+The OWASP [JSON Sanitizer][json-sanitizer] Java library is widely used,
+for example it is a direct dependency for literally [1000s of Java components][json-sanitizer-dependents],
+and should be considered for JSON specific output normalization and input validation.
+It is less well supported than the Java Encoder or Java HTML Sanitizer, version 1.2.2 was released in January 2021,
+but it is still stable and (really) useful.
+
+#### How to use the libraries
+
+Include the Java Encoder package into a Java application [via Maven][java-encoder].
+The '[How to Use the OWASP Java Encoder][java-encoder-usage]' documentation explains how to use it in various contexts,
+such as HTML, URLs, JavaScript and CSS.
+
+Follow the [examples][html-sanitizer-examples] provided by Java HTML Sanitizer
+to include the utility and configure it with policy.
+
+The JSON Sanitizer JAR file can be fetched from Maven Central, follow the [Getting Started][json-sanitizer-usage] guide:
+
+```text
+import com.google.json.JsonSanitizer;
+String wellFormedJson = JsonSanitizer.sanitize(myJsonLikeString);
+```
+
+#### References
+
+* OWASP [Cross Site Scripting prevention][csxss] Cheatsheet
+* OWASP [Java Encoder][java-encoder-github]
+* OWASP [Java HTML Sanitizer][html-sanitizer]
+* OWASP [JSON Sanitizer][json-sanitizer]
+
+----
+
+The OWASP Developer Guide is a community effort; if there is something that needs changing
+then [submit an issue][issue050304] or [edit on GitHub][edit050304].
+
+[csxss]: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet
+[edit050304]: https://github.com/OWASP/DevGuide/blob/main/docs/en/05-implementation/03-secure-libraries/04-java-secure-libs.md
+[html-sanitizer]: https://github.com/OWASP/java-html-sanitizer/releases/latest/
+[html-sanitizer-examples]: https://github.com/OWASP/java-html-sanitizer/tree/main/owasp-java-html-sanitizer/src/main/java/org/owasp/html/examples
+[html-sanitizer-project]: https://owasp.org/www-project-java-html-sanitizer/
+[issue050304]: https://github.com/OWASP/DevGuide/issues/new?labels=content&template=request.md&title=Update:%2005-implementation/03-secure-libraries/04-java-secure-libs
+[java-encoder]: http://search.maven.org/#search%7Cga%7C1%7Cg%3A%22org.owasp.encoder%22
+[java-encoder-github]: https://github.com/OWASP/owasp-java-encoder/releases/latest/
+[java-encoder-project]: https://owasp.org/www-project-java-encoder/
+[java-encoder-usage]: https://owasp.org/www-project-java-encoder/#div-use
+[json-sanitizer]: https://github.com/OWASP/json-sanitizer/releases/latest/
+[json-sanitizer-dependents]: https://central.sonatype.com/artifact/com.mikesamuel/json-sanitizer/dependents
+[json-sanitizer-usage]: https://github.com/OWASP/json-sanitizer/blob/master/docs/getting_started.md
+[rfc4627]: https://www.ietf.org/rfc/rfc4627.txt

docs/en/06-verification/04-vulnerability-management/01-defectdojo.md

@@ -65,7 +65,7 @@ then [submit an issue][issue080401] or [edit on GitHub][edit080401].
 [defectdojo]: https://defectdojo.com/
 [defectdojo-docs]: https://docs.defectdojo.com/
 [defectdojo-docker]: https://github.com/DefectDojo/django-DefectDojo/blob/dev/readme-docs/DOCKER.md
-[defectdojo-install]: https://docs.defectdojo.com/en/about_defectdojo/new_user_checklist/
+[defectdojo-install]: https://docs.defectdojo.com/get_started/about/
 [defectdojo-project]: https://owasp.org/www-project-defectdojo/
 [defectdojo-tools]: https://defectdojo.com/integrations
 [edit080401]: https://github.com/OWASP/DevGuide/blob/main/docs/en/06-verification/04-vulnerability-management/01-defectdojo.md