Release 1.6.1

Security fixes:

- Bumped Jackson dependency to version 2.9.10.3 in response to
  CVE-2019-20330 and CVE-2020-8840

.github/workflows/build.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11]
+        java: [8, 11, 13]
 
     steps:
     - name: Check out code

.github/workflows/coverage.yml

@@ -0,0 +1,29 @@
+# This name is shown in the status badge in the README
+name: Test coverage
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  test:
+    name: JDK ${{matrix.java}}
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Set up JDK 11
+      uses: actions/setup-java@v1
+      with:
+        java-version: 11
+
+    - name: Run mutation test
+      run: ./gradlew pitest
+
+    - name: Report to Coveralls
+      env:
+        COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
+      run: ./gradlew coveralls

.github/workflows/release-verify-signatures.yml

@@ -26,7 +26,7 @@ jobs:
       run: ./gradlew jar
 
     - name: Fetch keys
-      run: gpg --no-default-keyring --keyring yubico --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+      run: gpg --no-default-keyring --keyring yubico --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
 
     - name: Verify signatures from GitHub release
       run: |

.github/workflows/scan.yml

@@ -0,0 +1,36 @@
+name: static code analysis
+# Documentation: https://github.com/Yubico/yes-static-code-analysis
+
+on:
+  push:
+  schedule:
+    - cron: '0 0 * * 1'
+
+env:
+  SCAN_IMG:
+    yes-docker-local.artifactory.in.yubico.org/static-code-analysis/java:v1
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Prep scan
+      run: |
+        docker login yes-docker-local.artifactory.in.yubico.org/ \
+             -u svc-static-code-analysis-reader \
+             -p ${{ secrets.ARTIFACTORY_READER_TOKEN }}
+        docker pull ${SCAN_IMG}
+
+    - name: Scan and fail on warnings
+      run: |
+        docker run -v${PWD}:/k \
+          -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} -t ${SCAN_IMG}
+
+    - uses: actions/upload-artifact@master
+      if: failure()
+      with:
+        name: suppression_files
+        path: suppression_files

.gitignore

@@ -3,12 +3,12 @@
 .project
 .settings/
 
-# Intellij
+# IntelliJ
 .idea/
+bin/
 out/
 *.iml
 *.iws
-*/out/
 .attach_pid*
 
 # Mac

NEWS

@@ -1,3 +1,11 @@
+== Version 1.6.1 ==
+
+Security fixes:
+
+- Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330
+  and CVE-2020-8840
+
+
 == Version 1.6.0 ==
 
 Security fixes:

README

@@ -4,7 +4,6 @@ java-webauthn-server
 :toc-placement: macro
 :toc-title:
 
-image:https://travis-ci.org/Yubico/java-webauthn-server.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/java-webauthn-server"]
 image:https://github.com/Yubico/java-webauthn-server/workflows/build/badge.svg["Build Status", link="https://github.com/Yubico/java-webauthn-server/actions"]
 image:https://coveralls.io/repos/github/Yubico/java-webauthn-server/badge.svg["Coverage Status", link="https://coveralls.io/github/Yubico/java-webauthn-server"]
 
@@ -26,15 +25,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.5.0</version>
+  <version>1.6.1</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.5.0'
+compile 'com.yubico:webauthn-server-core:1.6.1'
 ----------
 
 

build.gradle

@@ -30,7 +30,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '5.4'
+  gradleVersion = '6.1'
 }
 
 allprojects {
@@ -51,7 +51,7 @@ allprojects {
 Map<String, String> dependencyVersions = [
   'ch.qos.logback:logback-classic:1.2.3',
   'com.augustcellars.cose:cose-java:1.0.0',
-  'com.fasterxml.jackson.core:jackson-databind:2.9.10.1',
+  'com.fasterxml.jackson.core:jackson-databind:2.9.10.3',
   'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.10',
   'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.10',
   'com.google.guava:guava:19.0',
@@ -69,9 +69,9 @@ Map<String, String> dependencyVersions = [
   'org.glassfish.jersey.containers:jersey-container-servlet:2.26',
   'org.glassfish.jersey.inject:jersey-hk2:2.26',
   'org.mockito:mockito-core:2.27.0',
-  'org.scala-lang:scala-library:2.12.8',
-  'org.scalacheck:scalacheck_2.12:1.14.0',
-  'org.scalatest:scalatest_2.12:3.0.4',
+  'org.scala-lang:scala-library:2.13.1',
+  'org.scalacheck:scalacheck_2.13:1.14.0',
+  'org.scalatest:scalatest_2.13:3.0.8',
   'org.slf4j:slf4j-api:1.7.25',
 ].collectEntries { [(it.split(':')[0..1].join(':')): it] }
 rootProject.ext.addVersion = { dep -> dependencyVersions[dep] }
@@ -87,7 +87,7 @@ subprojects {
   repositories {
     mavenLocal()
 
-    maven { url "http://repo.maven.apache.org/maven2" }
+    maven { url "https://repo.maven.apache.org/maven2" }
   }
 }
 
@@ -138,9 +138,9 @@ subprojects { project ->
   }
 
   if (project.hasProperty('publishMe') && project.publishMe) {
-    task sourcesJar(type: Jar) {
-      archiveClassifier = 'sources'
-      from sourceSets.main.allSource
+    java {
+      withJavadocJar()
+      withSourcesJar()
     }
 
     task delombok(type: DelombokTask, dependsOn: classes) {
@@ -165,11 +165,6 @@ subprojects { project ->
       options.addStringOption('charset', 'UTF-8')
     }
 
-    task javadocJar(type: Jar) {
-      archiveClassifier = 'javadoc'
-      from javadoc
-    }
-
     rootProject.tasks.assembleJavadoc {
       dependsOn javadoc
       inputs.dir javadoc.destinationDir
@@ -187,9 +182,7 @@ subprojects { project ->
     publishing {
       publications {
         jars(MavenPublication) {
-          from components.java
-          artifact javadocJar
-          artifact sourcesJar
+          setArtifacts([jar, javadocJar, sourcesJar])
 
           pom {
             name = project.name
@@ -244,10 +237,6 @@ task pitestMerge(type: com.yubico.gradle.pitest.tasks.PitestMergeTask)
 
 coveralls {
   sourceDirs = subprojects.sourceSets.main.allSource.srcDirs.flatten()
-
-  // Workaround to TLS issues in JDK 11, see https://github.com/kt3k/coveralls-gradle-plugin/issues/85
-  saveAsFile = true
-  sendToCoveralls = false
 }
 tasks.coveralls {
   inputs.files pitestMerge.outputs.files

buildSrc/build.gradle

@@ -7,6 +7,6 @@ repositories {
 dependencies {
   implementation(
     'commons-io:commons-io:2.5',
-    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.0',
+    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.6',
   )
 }

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.4-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.1-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -7,7 +7,7 @@
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#      http://www.apache.org/licenses/LICENSE-2.0
+#      https://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
@@ -125,8 +125,8 @@ if $darwin; then
     GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
 fi
 
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin ; then
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
     JAVACMD=`cygpath --unix "$JAVACMD"`
@@ -154,19 +154,19 @@ if $cygwin ; then
         else
             eval `echo args$i`="\"$arg\""
         fi
-        i=$((i+1))
+        i=`expr $i + 1`
     done
     case $i in
-        (0) set -- ;;
-        (1) set -- "$args0" ;;
-        (2) set -- "$args0" "$args1" ;;
-        (3) set -- "$args0" "$args1" "$args2" ;;
-        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+        0) set -- ;;
+        1) set -- "$args0" ;;
+        2) set -- "$args0" "$args1" ;;
+        3) set -- "$args0" "$args1" "$args2" ;;
+        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
@@ -175,14 +175,9 @@ save () {
     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
     echo " "
 }
-APP_ARGS=$(save "$@")
+APP_ARGS=`save "$@"`
 
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 
-# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
-if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
-  cd "$(dirname "$0")"
-fi
-
 exec "$JAVACMD" "$@"

gradlew.bat

@@ -5,7 +5,7 @@
 @rem you may not use this file except in compliance with the License.
 @rem You may obtain a copy of the License at
 @rem
-@rem      http://www.apache.org/licenses/LICENSE-2.0
+@rem      https://www.apache.org/licenses/LICENSE-2.0
 @rem
 @rem Unless required by applicable law or agreed to in writing, software
 @rem distributed under the License is distributed on an "AS IS" BASIS,

settings.gradle

@@ -3,7 +3,6 @@ include ':webauthn-server-attestation'
 include ':webauthn-server-core'
 include ':webauthn-server-demo'
 include ':yubico-util'
-include ':yubico-util-scala'
 
 include ':test-dependent-projects:java-dep-webauthn-server-attestation'
 include ':test-dependent-projects:java-dep-webauthn-server-core'

webauthn-server-attestation/build.gradle

@@ -17,24 +17,24 @@ dependencies {
 
   implementation(
     project(':yubico-util'),
-    addVersion('com.google.guava:guava'),
     addVersion('com.fasterxml.jackson.core:jackson-databind'),
+    addVersion('com.google.guava:guava'),
     addVersion('org.bouncycastle:bcprov-jdk15on'),
     addVersion('org.slf4j:slf4j-api'),
   )
 
   testImplementation(
-    project(':webauthn-server-core').sourceSets.test.output,
-    project(':yubico-util-scala'),
+    testFixtures(project(':yubico-util')),
+    testFixtures(project(':webauthn-server-core')),
     addVersion('junit:junit'),
     addVersion('org.mockito:mockito-core'),
     addVersion('org.scala-lang:scala-library'),
-    addVersion('org.scalacheck:scalacheck_2.12'),
-    addVersion('org.scalatest:scalatest_2.12'),
+    addVersion('org.scalacheck:scalacheck_2.13'),
+    addVersion('org.scalatest:scalatest_2.13'),
   )
+
   testRuntimeOnly(
-    // Transitive dependency from :webauthn-server-core:test
-    addVersion('org.bouncycastle:bcpkix-jdk15on'),
+    addVersion('ch.qos.logback:logback-classic'),
   )
 }
 

webauthn-server-attestation/src/test/resources/logback.xml

@@ -0,0 +1,15 @@
+<configuration>
+
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder>
+            <pattern>%d{HH:mm:ss.SSSZ} [%thread] %-5level %logger{36} - %msg%n%rEx</pattern>
+        </encoder>
+    </appender>
+
+    <root level="INFO">
+        <appender-ref ref="STDOUT"/>
+    </root>
+
+    <logger name="com.yubico" level="TRACE"/>
+
+</configuration>