Fortify recommends using the ESAPI library (Java), but is the recommendation still up to date?
Hi,
Fortify recommends using the ESAPI version of some Java API calls:
Software Security | Protect your Software at the Source | Fortify Software
(Generated from version 2015.1.0.0009 of the Fortify Secure Coding Rulepacks)
desc.structural.java.obsolete_deprecated_by_esapi
For example
Replace banned API calls with the recommended safer version provided by ESAPI. The list of banned and replacement APIs:
Banned 001: System.out.println() -> ESAPI replacement: Logger.*
Banned 002: Throwable.printStackTrace() -> ESAPI replacement: Logger.*
Banned 003: Runtime.exec() -> ESAPI replacement: Executor.safeExec()
Banned 004: Session.getId() -> ESAPI replacement: Randomizer.getRandomString (better not to use at all)
Banned 005: ServletRequest.getUserPrincipal() -> ESAPI replacement: Authenticator.getCurrentUser()
Banned 006: ServletRequest.isUserInRole() -> ESAPI replacement: AccessController.isAuthorized*()
etc.
The replacements are from the ESAPI 2.0.1 API (owasp-esapi-java - OWASP Enterprise Security API (Java Edition) - Google Project Hosting).
On the ESAPI Google Code homepage there is a link to the code on GitHub (ESAPI/esapi-java-legacy · GitHub).
Now the name of that project is "esapi-java-legacy". There is also an "esapi-java" project, the 3.x version of the API with a completely different structure.
After this long intro, here is my question:
What do you recommend? Use the new 3.x version or the 2.x version? If 3.x, do you plan to update the Fortify documentation?
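As an added illustration of what the banned list above is protecting against (this is example code written for this page, not code from the post, from Fortify or from the ESAPI project): banned calls 001, 002 and 003 next to their ESAPI 2.x (esapi-java-legacy) replacements. It assumes ESAPI 2.x on the classpath together with an ESAPI.properties/validation.properties that ESAPI can locate, a Unix host with /bin/ls, and /tmp as a working directory; the class and method names are invented for the illustration. Note that the 2.x Executor names the method executeSystemCommand(); safeExec() is the 1.x name that the Fortify rulepack text still uses.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.ExecuteResult;
import org.owasp.esapi.Logger;
import org.owasp.esapi.codecs.UnixCodec;
import org.owasp.esapi.errors.ExecutorException;

/**
 * Added example (not from the post, Fortify or ESAPI): banned calls 001-003
 * beside their ESAPI 2.x replacements.
 *
 * Assumptions: ESAPI 2.x on the classpath with a reachable ESAPI.properties,
 * a Unix host with /bin/ls, and /tmp as working directory. Class and method
 * names are invented for this illustration.
 */
public class EsapiReplacementExample {

    // Replacement for banned 001/002: one ESAPI logger for the class instead of
    // System.out.println() / printStackTrace().
    private static final Logger LOG = ESAPI.getLogger("EsapiReplacementExample");

    /**
     * Banned 003 as Fortify flags it. The user-supplied name is spliced into a
     * shell command line, so a value such as "x; id" runs a second command.
     */
    public static Process listWithRuntimeExec(String userSuppliedName) throws IOException {
        String[] cmd = {"/bin/sh", "-c", "ls -l " + userSuppliedName};
        // Banned 001: the raw value lands in stdout; a "\n" inside it forges a new log line.
        System.out.println("running: " + cmd[2]);
        return Runtime.getRuntime().exec(cmd);
    }

    /**
     * ESAPI replacement. Executable and parameters are passed separately, no
     * shell ever parses the user value, and ESAPI checks the executable path and
     * encodes each parameter for the supplied OS codec before running it.
     */
    public static ExecuteResult listWithEsapi(String userSuppliedName) throws ExecutorException {
        File executable = new File("/bin/ls");              // absolute path, as ESAPI requires
        List<String> params = Arrays.asList("-l", userSuppliedName);
        File workdir = new File("/tmp");
        ExecuteResult result = ESAPI.executor().executeSystemCommand(
                executable, params, workdir, new UnixCodec(),
                true,   // logParams: parameters are recorded through the ESAPI logger
                true);  // redirectErrorStream: stderr is merged into the captured output
        // Replacement for banned 001: the ESAPI logger neutralises line breaks in the
        // message, so the user value cannot inject extra log records.
        LOG.info(Logger.EVENT_SUCCESS,
                "listed entry " + userSuppliedName + ", exit=" + result.getExitValue());
        return result;
    }

    public static void main(String[] args) {
        // Constructed injection attempt: with Runtime.exec() this would also run "id".
        String name = args.length > 0 ? args[0] : "x; id";
        try {
            ExecuteResult r = listWithEsapi(name);
            System.out.println(r.getOutput());   // program output for the user, not a log message
        } catch (ExecutorException e) {
            // Replacement for banned 002: the stack trace goes to the security log, not stdout.
            LOG.error(Logger.EVENT_FAILURE, "directory listing failed", e);
        }
    }
}
```

With ESAPI the "x; id" value is handed to /bin/ls as one encoded argument, so ls reports that no such file exists and nothing else runs; with the Runtime.exec() variant the same value executes id. The same pattern (pass structured arguments, never a shell string) holds whether or not ESAPI is used, which is the real point behind banned 003.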