Release 1.6.1

Security fixes:

- Bumped Jackson dependency to version 2.9.10.3 in response to
  CVE-2019-20330 and CVE-2020-8840

Author: emlun

.github/workflows/build.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11]
+        java: [8, 11, 13]
 
     steps:
     - name: Check out code

.github/workflows/coverage.yml

@@ -0,0 +1,29 @@
+# This name is shown in the status badge in the README
+name: Test coverage
+
+on:
+  push:
+    branches: [master]
+
+jobs:
+  test:
+    name: JDK ${{matrix.java}}
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Set up JDK 11
+      uses: actions/setup-java@v1
+      with:
+        java-version: 11
+
+    - name: Run mutation test
+      run: ./gradlew pitest
+
+    - name: Report to Coveralls
+      env:
+        COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_REPO_TOKEN }}
+      run: ./gradlew coveralls

.github/workflows/release-verify-signatures.yml

@@ -26,7 +26,7 @@ jobs:
       run: ./gradlew jar
 
     - name: Fetch keys
-      run: gpg --no-default-keyring --keyring yubico --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+      run: gpg --no-default-keyring --keyring yubico --keyserver hkps://keys.openpgp.org --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
 
     - name: Verify signatures from GitHub release
       run: |

.github/workflows/scan.yml

@@ -0,0 +1,36 @@
+name: static code analysis
+# Documentation: https://github.com/Yubico/yes-static-code-analysis
+
+on:
+  push:
+  schedule:
+    - cron: '0 0 * * 1'
+
+env:
+  SCAN_IMG:
+    yes-docker-local.artifactory.in.yubico.org/static-code-analysis/java:v1
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@master
+
+    - name: Prep scan
+      run: |
+        docker login yes-docker-local.artifactory.in.yubico.org/ \
+             -u svc-static-code-analysis-reader \
+             -p ${{ secrets.ARTIFACTORY_READER_TOKEN }}
+        docker pull ${SCAN_IMG}
+
+    - name: Scan and fail on warnings
+      run: |
+        docker run -v${PWD}:/k \
+          -e PROJECT_NAME=${GITHUB_REPOSITORY#Yubico/} -t ${SCAN_IMG}
+
+    - uses: actions/upload-artifact@master
+      if: failure()
+      with:
+        name: suppression_files
+        path: suppression_files

.gitignore

@@ -3,12 +3,12 @@
 .project
 .settings/
 
-# Intellij
+# IntelliJ
 .idea/
+bin/
 out/
 *.iml
 *.iws
-*/out/
 .attach_pid*
 
 # Mac

.travis.yml

@@ -1,3 +1,11 @@
+== Version 1.6.1 ==
+
+Security fixes:
+
+- Bumped Jackson dependency to version 2.9.10.3 in response to CVE-2019-20330
+  and CVE-2020-8840
+
+
 == Version 1.6.0 ==
 
 Security fixes:

NEWS

@@ -4,7 +4,6 @@ java-webauthn-server
 :toc-placement: macro
 :toc-title:
 
-image:https://travis-ci.org/Yubico/java-webauthn-server.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/java-webauthn-server"]
 image:https://github.com/Yubico/java-webauthn-server/workflows/build/badge.svg["Build Status", link="https://github.com/Yubico/java-webauthn-server/actions"]
 image:https://coveralls.io/repos/github/Yubico/java-webauthn-server/badge.svg["Coverage Status", link="https://coveralls.io/github/Yubico/java-webauthn-server"]
 
@@ -26,15 +25,15 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.5.0</version>
+  <version>1.6.1</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.5.0'
+compile 'com.yubico:webauthn-server-core:1.6.1'
 ----------
 
 

README

@@ -30,7 +30,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '5.4'
+  gradleVersion = '6.1'
 }
 
 allprojects {
@@ -51,7 +51,7 @@ allprojects {
 Map<String, String> dependencyVersions = [
   'ch.qos.logback:logback-classic:1.2.3',
   'com.augustcellars.cose:cose-java:1.0.0',
-  'com.fasterxml.jackson.core:jackson-databind:2.9.10.1',
+  'com.fasterxml.jackson.core:jackson-databind:2.9.10.3',
   'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.10',
   'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.10',
   'com.google.guava:guava:19.0',
@@ -69,9 +69,9 @@ Map<String, String> dependencyVersions = [
   'org.glassfish.jersey.containers:jersey-container-servlet:2.26',
   'org.glassfish.jersey.inject:jersey-hk2:2.26',
   'org.mockito:mockito-core:2.27.0',
-  'org.scala-lang:scala-library:2.12.8',
-  'org.scalacheck:scalacheck_2.12:1.14.0',
-  'org.scalatest:scalatest_2.12:3.0.4',
+  'org.scala-lang:scala-library:2.13.1',
+  'org.scalacheck:scalacheck_2.13:1.14.0',
+  'org.scalatest:scalatest_2.13:3.0.8',
   'org.slf4j:slf4j-api:1.7.25',
 ].collectEntries { [(it.split(':')[0..1].join(':')): it] }
 rootProject.ext.addVersion = { dep -> dependencyVersions[dep] }
@@ -87,7 +87,7 @@ subprojects {
   repositories {
     mavenLocal()
 
-    maven { url "http://repo.maven.apache.org/maven2" }
+    maven { url "https://repo.maven.apache.org/maven2" }
   }
 }
 
@@ -138,9 +138,9 @@ subprojects { project ->
   }
 
   if (project.hasProperty('publishMe') && project.publishMe) {
-    task sourcesJar(type: Jar) {
-      archiveClassifier = 'sources'
-      from sourceSets.main.allSource
+    java {
+      withJavadocJar()
+      withSourcesJar()
     }
 
     task delombok(type: DelombokTask, dependsOn: classes) {
@@ -165,11 +165,6 @@ subprojects { project ->
       options.addStringOption('charset', 'UTF-8')
     }
 
-    task javadocJar(type: Jar) {
-      archiveClassifier = 'javadoc'
-      from javadoc
-    }
-
     rootProject.tasks.assembleJavadoc {
       dependsOn javadoc
       inputs.dir javadoc.destinationDir
@@ -187,9 +182,7 @@ subprojects { project ->
     publishing {
       publications {
         jars(MavenPublication) {
-          from components.java
-          artifact javadocJar
-          artifact sourcesJar
+          setArtifacts([jar, javadocJar, sourcesJar])
 
           pom {
             name = project.name
@@ -244,10 +237,6 @@ task pitestMerge(type: com.yubico.gradle.pitest.tasks.PitestMergeTask)
 
 coveralls {
   sourceDirs = subprojects.sourceSets.main.allSource.srcDirs.flatten()
-
-  // Workaround to TLS issues in JDK 11, see https://github.com/kt3k/coveralls-gradle-plugin/issues/85
-  saveAsFile = true
-  sendToCoveralls = false
 }
 tasks.coveralls {
   inputs.files pitestMerge.outputs.files

build.gradle

@@ -7,6 +7,6 @@ repositories {
 dependencies {
   implementation(
     'commons-io:commons-io:2.5',
-    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.0',
+    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.6',
   )
 }