)]}'
{
  "commit": "9164fac0f83865f5787b286eaebaaf001f5e9e57",
  "tree": "3565e2a87a5292c22d56a5ac3e46f380ae6282b7",
  "parents": [
    "2f9f8a599253a21c0b53548131e5f4ff13bdae08"
  ],
  "author": {
    "name": "Robert Lazarski",
    "email": "robertlazarski@gmail.com",
    "time": "Mon Apr 13 07:07:54 2026 -1000"
  },
  "committer": {
    "name": "Robert Lazarski",
    "email": "robertlazarski@gmail.com",
    "time": "Mon Apr 13 08:19:45 2026 -1000"
  },
  "message": "RAMPART-454 Document security / maintenance assumptions flagged by review\n\nAdd in-place comments at the three locations the Gemini review flagged\nas HIGH/MEDIUM risk so the assumptions are enforced the next time\nsomeone touches these files, without changing behaviour:\n\n- modules/distribution/bin.xml: prepend a MAINTENANCE NOTE describing\n  why the \u003cexcludes\u003e list on the lib/ dependencySet exists (the dist\n  must not duplicate jars already shipped in the Axis2 distribution)\n  and what must be re-checked whenever ${axis2.version} or any\n  transitive dep moves -- otherwise we re-introduce the httpcore5\n  5.2.5 vs 5.4.2 style silent breakage.\n\n- pom.xml: prepend a SECURITY NOTE to the \u003cproperties\u003e block listing\n  the checklist reviewers must follow when bumping wss4j / opensaml /\n  xmlsec / bouncycastle: read every intermediate CVE release note\n  (not just the newest), make sure no weak algorithm or key size gets\n  re-introduced as a default, and re-run the policy samples.\n\n- RampartUtil.validateTransport: expand the inline comment at the\n  jakarta.servlet.request.X509Certificate lookup site to name the\n  Servlet-spec contract we\u0027re relying on and explicitly state that\n  re-validation of the chain is the transport listener\u0027s job, not\n  ours. The Javadoc on the method already documented the attribute\n  name; this makes the responsibility split visible at the call site.\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "5ce402799a6f5d76bea8dd8e4e79bc8fac3fb046",
      "old_mode": 33188,
      "old_path": "modules/distribution/bin.xml",
      "new_id": "81a998fdce90a7b0a26bf2996eb06857afc0c65b",
      "new_mode": 33188,
      "new_path": "modules/distribution/bin.xml"
    },
    {
      "type": "modify",
      "old_id": "7a3aad931484307b6a45933b5914b3b48ea47d39",
      "old_mode": 33188,
      "old_path": "modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java",
      "new_id": "2f327652230a6c4b5a99bc633ca3d83c41544729",
      "new_mode": 33188,
      "new_path": "modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java"
    },
    {
      "type": "modify",
      "old_id": "d1d8eed180d7eec8083b563c09148dfc7e10edab",
      "old_mode": 33188,
      "old_path": "pom.xml",
      "new_id": "9784c58a30e94823d5b1deb5162b3468fad9395c",
      "new_mode": 33188,
      "new_path": "pom.xml"
    }
  ]
}