Use relative paths #1221
…directory of a domain
That's a good one, thank you! I switched it to
@@ -124,7 +124,7 @@ import { DeluxeUserComponent } from './deluxe-user/deluxe-user.component' | |||
import { AccountingGuard, AdminGuard, LoginGuard, DeluxeGuard } from './app.guard' | |||
|
|||
export function HttpLoaderFactory (http: HttpClient) { | |||
return new TranslateHttpLoader(http, './../assets/i18n/', '.json') | |||
return new TranslateHttpLoader(http, './assets/i18n/', '.json') |
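Review bot: the new prefix './assets/i18n/' in HttpLoaderFactory is resolved against the directory of the document URL, so it only reaches the subdirectory when the page is loaded with a trailing slash. A request to http://example.com/juice-shop without the slash would still fetch /assets/i18n/ from the domain root. Suggest stating that assumption in a comment next to the return line, or documenting that the reverse proxy has to redirect to the trailing-slash form.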
This still works without navigating one directory up?
At least for me it works, as the "/#/" is ignored for me, so one directory up is one above the relative directory. I think for root it stays at root, so that's why it wasn't noticed.
Did you try running
The DOM XSS challenge is unlocked via socket and the API doesn't accept only the dot as servername, so the connection failed. Trying to fix it but I can't test properly locally, as tests keep timing out for me.
Alright, so the issue was caused by socket.io listening on a default URL path of "socket.io", which needs to be added to the subdirectory. I also had to restart Travis once by closing and re-opening the PR, as a test failed in a different part of the application.
Woohoo, awesome!
Great, thanks a lot! Would it be possible to add "Panasonic Information Systems Company Europe" to the package.json contributor list? Would be highly appreciated for the managers!
I can only add GitHub user names as contributors, not corporations. But if you'd like some swag, I can send stickers and postcards your way. Just mail me your post address.
As the company paid for the development and testing, it would be great to honor them instead of me. Why is it only possible to add GitHub usernames? At the moment there are normal names available as well and according to the documentation that's conform to standards.
Last time I checked corporate acknowledgements are only allowed by OWASP policy on a project Wiki page in the "Acknowledgements" tab. And only for monetary donations, not for contribution of time or effort in any form.
Also, as you are using a pseudonym account, how would I be able to verify the company you are working for? Using a GitHub account that has ties to e.g. a Panasonic GitHub organization would have been the easiest way to achieve what you'd like.
For e.g. DefectDojo corporate acknowledgements are also possible for contributions (which we used), but this project doesn't have this officially advertised indeed. To verify an identity, I can provide a work email account, so that shouldn't be an issue. Panasonic doesn't have an official GitHub account and we focus on sponsorship to contribute to open-source projects, as we otherwise can't get it officially signed off. As my commits for work always reference the company it should be clear that those commits are part of work and sponsored by the company. So there is no way for you to willingly add acknowledgements for the company? Then I would probably just edit the PR to reflect it more.
I'll look into how DefectDojo is doing it and will bring this up with OWASP staff or in the OWASP Leadership meeting tomorrow during GlobalAppSec AMS. I could imagine having a section on the Wiki for corp-powered code contributions... Will let you know then!
Okay, found it: https://github.com/DefectDojo/django-DefectDojo/blob/master/SPONSORING.md I will definitely not do anything like counting lines of code for points, as LOC is not about the quality of a contribution... 😁 But the way I see it, any company sponsoring their developer's time would be eligible for being mentioned on the Acknowledgements page as if they donated an amount <1000$ - just with name and link but no logo. So, to conclude this: If you name-drop Panasonic somewhere in the PR, then I'll add them to the Ack-page on the Wiki. Also please let me know the exact name and link you'd like in there.
Added them as "Panasonic Information Systems Company Europe" linking to https://is-c.panasonic.co.jp/en - just let me know if you'd prefer a different link! 👍
Wow, that's great, thanks a lot! If you could use this link, that'd be great (as it's for our specific branch in Europe): https://application.job.panasonic.eu/data/ruP0pHQvHrGZJKvL/rc.php?nav=jobsearch&custval12=ite&lang=EN&custval11=PBSEU_GER
Done! Thanks again for your contribution! 💯
Hi again, after talking about the whole code-contribution topic with a few other OWASP people I concluded that OWASP would actually need to see some kind of official "donation confirmation" from Panasonic to make this an official thing and keep them on the donors list. At the moment I basically took your word for the fact that you did this PR for Panasonic. Also I cannot be sure that your contribution on Panasonic time is not seen by the company as their intellectual property. If that's the case then that would normally be your problem to resolve with them, but by acknowledging them as corporate donors I'm kind of making this my problem. I am no lawyer and honestly don't want to spend my personal time on this kind of stuff. The following would solve this in a quick way:
I'll take down the mention until this is resolved either way. Sorry for the inconvenience, but again: I assume we're both not lawyers, so it's safer for both of us that way... ;-)
In our company, we would like to run juice-shop as a docker below a certain folder, e.g. http://example.com/juice-shop (via reverse proxy). This helps us reduce overhead (creating and managing new domain, approvals etc) and helps not being enumerable via DNS.
However, at the moment juice-shop has the root directory hardcoded at a few places, so while the framework supports it, a lot of files are referenced via root.
The minor changes here have been locally tested and allow juice-shop to work in whatever directory it is located in.
This development has been sponsored by Panasonic Information Systems Company Europe.
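
The resolution behaviour discussed in this thread (the ignored "/#/", `./../` staying at root, and the socket.io path needing the subdirectory), as an added example that is not code from this PR or from Juice Shop. It assumes no `<base href>` overrides the document URL; the helper names and sample page URLs are constructed for illustration, and `path` refers to the socket.io client option of that name.

```javascript
// Added example: how a browser resolves the references discussed in this PR.
// The page URLs are constructed samples built on example.com/juice-shop,
// the deployment named in the PR description.

// Resolve a reference the way the browser does when no <base href> overrides
// the document URL (assumption). The fragment ("#/search") never takes part.
function resolveFrom (pageUrl, ref) {
  return new URL(ref, pageUrl).href
}

// Directory part of the page's path, always ending in "/".
function appDirectory (pageUrl) {
  const { pathname } = new URL(pageUrl)
  return pathname.slice(0, pathname.lastIndexOf('/') + 1)
}

// Value for the socket.io client's `path` option so the handshake goes
// through the same subdirectory instead of the default "/socket.io".
function socketIoPath (pageUrl) {
  return appDirectory(pageUrl) + 'socket.io'
}

const pages = [
  'http://example.com/#/search', // served at the domain root
  'http://example.com/juice-shop/#/search', // subdirectory, trailing slash
  'http://example.com/juice-shop#/search' // subdirectory, no trailing slash
]
const refs = [
  '/assets/i18n/en.json', // root-absolute: always leaves the subdirectory
  './../assets/i18n/en.json', // old form: one level above the app directory
  './assets/i18n/en.json' // new form: inside the app directory
]

function resolutionTable () {
  return pages.map(page => ({
    page,
    socketIoPath: socketIoPath(page),
    resolved: refs.map(ref => resolveFrom(page, ref))
  }))
}

for (const row of resolutionTable()) {
  console.log(row.page, '-> socket.io path', row.socketIoPath)
  row.resolved.forEach((url, i) => console.log('  ', refs[i], '=>', url))
}
```

At the domain root all three references land on the same URL, which is why the old `./../` form went unnoticed there; under the subdirectory only `./assets/…` with a trailing-slash page URL stays inside `/juice-shop/`.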