Bump esapi from 2.2.2.0 to 2.2.3.1

[dependabot]

Bumps esapi from 2.2.2.0 to 2.2.3.1.

Release notes

Sourced from esapi's releases.

2.2.3.1

Release notes for ESAPI release 2.x.y.z are located at:         https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.2.3.1-release-notes.txt This was a very minor point release.

Note the file "esapi-2.2.3.1-configuration.jar" contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.) and the file "esapi-2.2.3.1-configuration.jar.asc" is a GPG signature of that jar file made by Kevin W. Wall.

See also Security Bulletin 5 (https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin5.pdf) for a description of why CVE-2021-29425 is NOT exploitable via ESAPI.

ESAPI 2.2.3.0

This is a patch release with the primary intent of updating some dependencies, some with known vulnerabilities. Main update are: -- AntiSamy, from 1.5.11 to 1.6.2. -- As a result of the AntiSamy upgrade, the transitive dependency xercesImpl was updated from 2.12.0 to 2.12.1 which should address CVE-2020-14338. -- Apache batik-css, updated from 1.13 to 1.14.

See the ESAPI 2.2.3.0 release notes for details.

Note the configuration jar and its detached signature are also attached. Also note that the 2 security advisories are (sort of) relevant if you are either using ESAPI's deprecated log4j 1.x logging or are concerned about your SCA tools popping up warnings about ESAPI:

• Security Advisory 3
• Security Advisory 4

Commits

• 2e8694c Bump release to new patch version #.
• 2c5646f Changed snapshot release version #.
• 4fda358 New file for 2.2.3.1
• 23ca08c Release notes for ESAPI 2.2.3.1 patch release.
• c2ebafb Changed 'mvn dependency:tree' to 'mvn -B dependency:tree'.
• 28721a0 Excluded older version of commons-io but forgot to then include later version.
• dfff610 Change pom grab newer version of Apache Commons IO.
• cf464bf fix: upgrade org.owasp.antisamy:antisamy from 1.6.2 to 1.6.3 (#622)
• ab07e07 Should have the rename of master to main, and a foo.txt file with "delete me"...
• 705c326 Merge pull request #619 from kwwall/documentation-changes
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)