From 25d00739bc2c959b46761ccb5ec548e22094a2ee Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Jun 2023 17:38:12 +0200 Subject: [PATCH 01/33] Bump guava from 31.0.1-jre to 32.0.0-jre (#37) Bumps [guava](https://github.com/google/guava) from 31.0.1-jre to 32.0.0-jre. - [Release notes](https://github.com/google/guava/releases) - [Commits](https://github.com/google/guava/commits) --- updated-dependencies: - dependency-name: com.google.guava:guava dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index d187077..a987108 100644 --- a/pom.xml +++ b/pom.xml @@ -19,7 +19,7 @@ 2.8.9 - 31.0.1-jre + 32.0.0-jre 1.4.4 1.70 1.7.35 From 4e513f8f5a5d48230c1aac2f88e6414c4bdc9ca9 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 12 Dec 2023 14:23:13 +0100 Subject: [PATCH 02/33] Refactor dependency-check-maven plugin runs: * update to 9.0.4 * scheduled execution * run on release branches --- .github/workflows/build.yml | 2 +- .github/workflows/dependency-check.yml | 54 ++++++++++++++++++++++++++ pom.xml | 4 +- 3 files changed, 57 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/dependency-check.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2c4e4a0..7664bf0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,7 +30,7 @@ jobs: mvn -B verify jacoco:report org.sonarsource.scanner.maven:sonar-maven-plugin:sonar - -Pcoverage,dependency-check + -Pcoverage -Dsonar.projectKey=cryptomator_cryptolib -Dsonar.organization=cryptomator -Dsonar.host.url=https://sonarcloud.io diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 0000000..ae2ab3f --- /dev/null 
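Review bot: Dropping `-Pdependency-check` from the `mvn verify` line in build.yml means a vulnerable dependency introduced by a pull request is no longer flagged on that PR; it will only surface in the scheduled run or on a push to a `release/**` branch, which the new dependency-check.yml covers. That trade-off is invisible to someone reading build.yml alone, so I would leave a comment next to the profile list, e.g. `# dependency-check moved to dependency-check.yml (weekly + release branches)`. The enclosing job definition starts above this hunk.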
+++ b/.github/workflows/dependency-check.yml
@@ -0,0 +1,54 @@
+name: OWASP Maven Dependency Check
+on:
+ schedule:
+ - cron: '0 7 * * 0'
+ push:
+ branches:
+ - 'release/**'
+ workflow_dispatch:
+
+
+jobs:
+ check-dependencies:
+ name: Check dependencies
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ show-progress: false
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin'
+ java-version: 11
+ cache: 'maven'
+ - name: Run org.owasp:dependency-check plugin
+ id: dependency-check
+ continue-on-error: true
+ run: mvn -B verify -Pdependency-check -DskipTests
+ env:
+ NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+ - name: Upload report on failure
+ if: steps.dependency-check.outcome == 'failure'
+ uses: actions/upload-artifact@v3
+ with:
+ name: dependency-check-report
+ path: target/dependency-check-report.html
+ if-no-files-found: error
+ - name: Slack Notification on regular check
+ if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
+ uses: rtCamp/action-slack-notify@v2
+ env:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_USERNAME: 'Cryptobot'
+ SLACK_ICON: false
+ SLACK_ICON_EMOJI: ':bot:'
+ SLACK_CHANNEL: 'cryptomator-desktop'
+ SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
+ SLACK_MESSAGE: "Download the for more details."
+ SLACK_FOOTER: false
+ MSG_MINIMAL: true
+ - name: Failing workflow on release branch
+ if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
+ shell: bash
+ run: exit 1
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index a987108..bcb0912 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@ 1.34 - 6.5.3 + 9.0.4 0.8.7 1.6.8
@@ -317,11 +317,11 @@ dependency-check-maven ${dependency-check.version} - 24 0 true true suppression.xml + ${env.NVD_API_KEY}
From bf67059bd242bbcc1be9bace3db69b6250662e1b Mon Sep 17 00:00:00 2001
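Review bot: The new workflow declares no `permissions:` block and checks out with the default `persist-credentials`, so the repository token left in `.git/config` by `actions/checkout@v4` is readable by every later step, including the third-party `rtCamp/action-slack-notify@v2` that also receives `secrets.SLACK_WEBHOOK_URL` and is referenced by a mutable tag. Add `permissions: contents: read` at the top level, set `persist-credentials: false` on the checkout, and pin each `uses:` to a full commit SHA with the version in a trailing comment so Dependabot can still track it. `SLACK_MESSAGE: "Download the for more details."` reads as if a word or link was lost; if that is not the intended text, name the artifact (`dependency-check-report`). The `continue-on-error: true` plus explicit `exit 1` only fails the job on `push`, so a failing scheduled run stays green apart from the Slack message — worth a comment saying that is intentional.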
From: Armin Schrenk Date: Tue, 12 Dec 2023 14:29:28 +0100 Subject: [PATCH 03/33] add dependabot file
---
 .github/dependabot.yml | 45 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644
index 0000000..2257e2d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,45 @@
+version: 2
+updates:
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "monthly"
+ groups:
+ java-test-dependencies:
+ patterns:
+ - "org.junit.jupiter:*"
+ - "org.mockito:*"
+ - "org.hamcrest:*"
+ - "org.openjdk.jmh:*"
+ maven-build-plugins:
+ patterns:
+ - "org.apache.maven.plugins:*"
+ - "org.codehaus.mojo:exec-maven-plugin"
+ - "org.jacoco:jacoco-maven-plugin"
+ - "org.owasp:dependency-check-maven"
+ - "org.sonatype.plugins:nexus-staging-maven-plugin"
+ java-production-dependencies:
+ patterns:
+ - "*"
+ exclude-patterns:
+ - "org.junit.jupiter:*"
+ - "org.mockito:*"
+ - "org.hamcrest:*"
+ - "org.openjdk.jmh:*"
+ - "org.apache.maven.plugins:*"
+ - "org.codehaus.mojo:exec-maven-plugin"
+ - "org.jacoco:jacoco-maven-plugin"
+ - "org.owasp:dependency-check-maven"
+ - "org.sonatype.plugins:nexus-staging-maven-plugin"
+
+
+ - package-ecosystem: "github-actions"
+ directory: "/" # even for `.github/workflows`
+ schedule:
+ interval: "monthly"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+ labels:
+ - "ci"
\ No newline at end of file
From 08e192b34c8d665a7a30abe9229f332eaa48103d Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 13 Dec 2023 16:36:15 +0100 Subject: [PATCH 04/33] use separate cache for dependency-cache data
---
 .github/workflows/dependency-check.yml | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
index ae2ab3f..f22b30c 100644
--- a/.github/workflows/dependency-check.yml
+++ b/.github/workflows/dependency-check.yml
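Review bot: The `exclude-patterns` list under `java-production-dependencies` repeats both other groups' `patterns` verbatim, so every future addition to `java-test-dependencies` or `maven-build-plugins` has to be mirrored here or the artifact may match two groups (Dependabot takes the first matching group as far as I know, which makes the outcome depend on list order). A comment above `exclude-patterns` such as `# keep in sync with the patterns of the two groups above` would make that coupling explicit. The `monthly` interval only governs version updates; security-advisory PRs come from the repository's Dependabot security-updates setting, which this file does not configure, so a header comment should say that CVE fixes are not on the monthly cadence.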
@@ -22,6 +22,15 @@ jobs: distribution: 'temurin' java-version: 11 cache: 'maven' + - name: Cache NVD DB + uses: actions/cache@v3 + with: + path: ~/.m2/repository/org/owasp/dependency-check-data/ + key: dependency-check-${{ github.run_id }} + restore-keys: | + dependency-check + env: + SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5 - name: Run org.owasp:dependency-check plugin id: dependency-check continue-on-error: true From 978b5b5f03d4a57b821a8d4452e2389f369342a1 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 13 Dec 2023 16:36:48 +0100 Subject: [PATCH 05/33] adjust dependency check plugin --- .github/workflows/dependency-check.yml | 2 +- pom.xml | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index f22b30c..10172f3 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -34,7 +34,7 @@ jobs: - name: Run org.owasp:dependency-check plugin id: dependency-check continue-on-error: true - run: mvn -B verify -Pdependency-check -DskipTests + run: mvn -B validate -Pdependency-check env: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure diff --git a/pom.xml b/pom.xml index bcb0912..8c60017 100644 --- a/pom.xml +++ b/pom.xml @@ -317,6 +317,7 @@ dependency-check-maven ${dependency-check.version} + 24 0 true true @@ -327,6 +328,7 @@ check + validate From 37ae66e15163ab0c5522546db3b43326b31bc707 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 13 Dec 2023 23:17:08 +0100 Subject: [PATCH 06/33] fix invalid pom --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 8c60017..307036b 100644 --- a/pom.xml +++ b/pom.xml @@ -328,8 +328,8 @@ check - validate + validate From 161d34c5adc6d9e28892fdcd4be7ffe481c43db7 Mon Sep 17 00:00:00 2001 
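Review bot: The `actions/cache@v3` step's `restore-keys: dependency-check` prefix restores the newest matching entry regardless of its age, and the exact key `dependency-check-${{ github.run_id }}` can never hit, so every run restores the previous database and saves a fresh entry — a deliberate always-refresh pattern that should be stated, e.g. `# exact key never matches on purpose: restore newest DB via prefix, save an updated copy each run`. Whether a restored database is re-validated against NVD before the scan depends on the plugin's validity window (the bare `24` added to the pom in the same change looks like that setting, but the element name is not visible here), so confirm the two agree; otherwise a stale cache silently weakens the check. `actions/cache@v3` is another mutable-tag reference that should be SHA-pinned alongside the other actions in this job.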
From: Armin Schrenk Date: Mon, 18 Dec 2023 10:51:45 +0100 Subject: [PATCH 07/33] Update dependency-check.yml to not run into 403 due to rate limit --- .github/workflows/dependency-check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 10172f3..463d517 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -1,7 +1,7 @@ name: OWASP Maven Dependency Check on: schedule: - - cron: '0 7 * * 0' + - cron: '0 12 * * 0' push: branches: - 'release/**' @@ -60,4 +60,4 @@ jobs: - name: Failing workflow on release branch if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' shell: bash - run: exit 1 \ No newline at end of file + run: exit 1 From d44c58e62c213bbf6cd5e1035636b91c0c17067c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 07:54:19 +0000 Subject: [PATCH 08/33] Bump the maven-build-plugins group with 12 updates (#43) --- pom.xml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/pom.xml b/pom.xml index 307036b..e7323fb 100644 --- a/pom.xml +++ b/pom.xml @@ -31,9 +31,9 @@ 1.34 - 9.0.4 - 0.8.7 - 1.6.8 + 9.0.7 + 0.8.11 + 1.6.13 @@ -131,7 +131,7 @@ org.apache.maven.plugins maven-enforcer-plugin - 3.0.0 + 3.4.1 enforce-java @@ -151,7 +151,7 @@ maven-compiler-plugin - 3.9.0 + 3.12.1 UTF-8 true @@ -175,7 +175,7 @@ maven-shade-plugin - 3.4.0 + 3.5.1 package @@ -213,7 +213,7 @@ org.codehaus.mojo exec-maven-plugin - 3.1.0 + 3.1.1 package @@ -236,12 +236,12 @@ org.apache.maven.plugins maven-surefire-plugin - 3.0.0-M5 + 3.2.3 org.apache.maven.plugins maven-jar-plugin - 3.2.2 + 3.3.0 @@ -253,7 +253,7 @@ maven-source-plugin - 3.2.1 + 3.3.0 attach-sources @@ -265,7 +265,7 @@ maven-javadoc-plugin - 3.3.1 + 3.6.3 attach-javadocs @@ -370,7 +370,7 @@ maven-gpg-plugin - 3.0.1 + 3.1.0 sign-artifacts 
From 91b46d4b2b97b4bf3666f9282016d3ae68d4c184 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 07:55:21 +0000 Subject: [PATCH 09/33] Bump the github-actions group with 4 updates (#44) --- .github/workflows/build.yml | 6 +++--- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/dependency-check.yml | 2 +- .github/workflows/publish-central.yml | 4 ++-- .github/workflows/publish-github.yml | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7664bf0..2847e5a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,10 +7,10 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' @@ -37,7 +37,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - uses: actions/upload-artifact@v3 + - uses: actions/upload-artifact@v4 with: name: artifacts path: target/*.jar diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 223b46a..b2cb3f3 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -15,19 +15,19 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 2 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' cache: 'maven' - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: java - name: Build and Test run: mvn -B install -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 \ No newline at end of file + uses: github/codeql-action/analyze@v3 \ No newline at end of file diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 463d517..dabb441 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -39,7 +39,7 @@ jobs: NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - name: Upload report on failure if: steps.dependency-check.outcome == 'failure' - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: dependency-check-report path: target/dependency-check-report.html diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index 526cc8d..54681aa 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml @@ -10,10 +10,10 @@ jobs: publish: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: "refs/tags/${{ github.event.inputs.tag }}" - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml index d195008..d72d74c 100644 --- a/.github/workflows/publish-github.yml +++ b/.github/workflows/publish-github.yml 
@@ -7,8 +7,8 @@ jobs: runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - uses: actions/checkout@v4 + - uses: actions/setup-java@v4 with: java-version: 11 distribution: 'temurin' From 74312ab0e6c8215dbc14c32795923430e7543589 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jan 2024 07:55:48 +0000 Subject: [PATCH 10/33] Bump the java-test-dependencies group with 4 updates (#38) --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index e7323fb..77cc84c 100644 --- a/pom.xml +++ b/pom.xml @@ -25,10 +25,10 @@ 1.7.35 - 5.8.2 - 4.3.1 + 5.10.1 + 5.8.0 2.2 - 1.34 + 1.37 9.0.7 From cdc37726126c80c603a3c1005a9ceb787d830873 Mon Sep 17 00:00:00 2001 From: JaniruTEC <52893617+JaniruTEC@users.noreply.github.com> Date: Mon, 8 Jan 2024 21:23:58 +0100 Subject: [PATCH 11/33] Externalized dependency-check --- .github/workflows/dependency-check.yml | 58 ++++---------------------- 1 file changed, 7 insertions(+), 51 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index dabb441..692cba4 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml 
@@ -10,54 +10,10 @@ on: jobs: check-dependencies: - name: Check dependencies - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - show-progress: false - - name: Setup Java - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: 11 - cache: 'maven' - - name: Cache NVD DB - uses: actions/cache@v3 - with: - path: ~/.m2/repository/org/owasp/dependency-check-data/ - key: dependency-check-${{ github.run_id }} - restore-keys: | - dependency-check - env: - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5 - - name: Run org.owasp:dependency-check plugin - id: dependency-check - continue-on-error: true - run: mvn -B validate -Pdependency-check - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - - name: Upload report on failure - if: steps.dependency-check.outcome == 'failure' - uses: actions/upload-artifact@v4 - with: - name: dependency-check-report - path: target/dependency-check-report.html - if-no-files-found: error - - name: Slack Notification on regular check - if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure' - uses: rtCamp/action-slack-notify@v2 - env: - SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }} - SLACK_USERNAME: 'Cryptobot' - SLACK_ICON: false - SLACK_ICON_EMOJI: ':bot:' - SLACK_CHANNEL: 'cryptomator-desktop' - SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected." - SLACK_MESSAGE: "Download the for more details." - SLACK_FOOTER: false - MSG_MINIMAL: true - - name: Failing workflow on release branch - if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure' - shell: bash - run: exit 1 + uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main + with: + java-distribution: 'temurin' + java-version: 11 + secrets: + nvd-api-key: ${{ secrets.NVD_API_KEY }} + slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} From 3339a00e0778d944a9cafff61cdea913394ba102 Mon Sep 17 00:00:00 2001 
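Review bot: `uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main` executes whatever is currently on that repository's `main` branch with `NVD_API_KEY` and `SLACK_WEBHOOK_URL` handed over, so any push to that branch — or a compromise of that repository — changes what runs here with access to those secrets. Pin the reusable workflow to a full commit SHA (`@<sha>  # v1.x`) or at minimum a release tag. The inline version uploaded the HTML report and failed the job on pushes to `release/**`; whether the reusable workflow preserves both behaviours is not visible here, so a comment above the `uses:` line stating the expected behaviour would help the next reader.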
From: JaniruTEC <52893617+JaniruTEC@users.noreply.github.com> Date: Tue, 9 Jan 2024 16:59:14 +0100 Subject: [PATCH 12/33] Specified runner OS See: https://github.com/skymatic/workflows/commit/c46fda1f1922915ec589fef039f76a284786b8b8 --- .github/workflows/dependency-check.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 692cba4..bdebba8 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -12,6 +12,7 @@ jobs: check-dependencies: uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main with: + runner-os: 'ubuntu-latest' java-distribution: 'temurin' java-version: 11 secrets: From 5b2a228732639fd765590bb553b87dab7f6621b5 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 2 Feb 2024 10:37:43 +0100 Subject: [PATCH 13/33] Update CI to JDK 21 * excluding dependency-check --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/publish-central.yml | 2 +- .github/workflows/publish-github.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2847e5a..5c00925 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -12,7 +12,7 @@ jobs: fetch-depth: 0 - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' - name: Cache SonarCloud packages diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b2cb3f3..e158fd0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,7 +20,7 @@ jobs: fetch-depth: 2 - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' - name: Initialize CodeQL 
diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index 54681aa..afabe60 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml @@ -15,7 +15,7 @@ jobs: ref: "refs/tags/${{ github.event.inputs.tag }}" - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml index d72d74c..be60dec 100644 --- a/.github/workflows/publish-github.yml +++ b/.github/workflows/publish-github.yml @@ -10,7 +10,7 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-java@v4 with: - java-version: 11 + java-version: 21 distribution: 'temurin' cache: 'maven' gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import From 2cd69e2d22add5d0cf9adea5d353cd8442024e45 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 2 Feb 2024 10:37:59 +0100 Subject: [PATCH 14/33] CI cleanup --- .github/workflows/build.yml | 1 - .github/workflows/codeql-analysis.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5c00925..665adc5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -5,7 +5,6 @@ jobs: build: name: Build and Test runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e158fd0..4286698 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -13,7 +13,6 @@ jobs: analyse: name: Analyse runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - uses: actions/checkout@v4 with: From b64e59599167600fcdb00587be2c4fa58f28b62f Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 2 Feb 2024 10:39:33 +0100 Subject: [PATCH 15/33] replace deprecated release action --- .github/workflows/build.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 665adc5..e5b0751 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,11 +41,9 @@ jobs: name: artifacts path: target/*.jar - name: Create Release - uses: actions/create-release@v1 # NOTE: action is unmaintained and repo archived + uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') - env: - GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # release as "cryptobot" with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref }} - prerelease: true \ No newline at end of file + prerelease: true + token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} + generate_release_notes: true \ No newline at end of file From efbf951ec8967948fb8be2cdc2ad6ce6f8ed10f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 11:51:07 +0000 Subject: [PATCH 16/33] Bump the java-test-dependencies group with 1 update (#49) --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 77cc84c..827b32f 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ 5.10.1 - 5.8.0 + 5.10.0 2.2 1.37 From ad2fe8043956803a2bcbcaba51b657f4691f9242 Mon Sep 17 00:00:00 2001 
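Review bot: The removed `GITHUB_TOKEN` line carried the only explanation for using `CRYPTOBOT_RELEASE_TOKEN` (`# release as "cryptobot"`); the new `token:` line drops it, so restore that comment, otherwise the next maintainer will reasonably swap the PAT for the default `GITHUB_TOKEN`. `softprops/action-gh-release@v1` is a third-party action now given a PAT that presumably has wider scope than this job needs; pin it to a commit SHA and keep the PAT scoped to `contents: write` on this repository. `generate_release_notes: true` pulls PR titles into the release body, so contributor-controlled text lands in the release unreviewed — acceptable for a `prerelease: true` draft, but worth stating in a comment. The job's earlier steps and any `permissions:` block are outside this hunk.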
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 11:51:17 +0000 Subject: [PATCH 17/33] Bump the maven-build-plugins group with 2 updates (#50) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 827b32f..fa48018 100644 --- a/pom.xml +++ b/pom.xml @@ -31,7 +31,7 @@ 1.37 - 9.0.7 + 9.0.9 0.8.11 1.6.13 @@ -236,7 +236,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.2.3 + 3.2.5 org.apache.maven.plugins From 1aad310e5dcc7fd39c35c60c75d826badf33fbc8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 2 Feb 2024 11:51:37 +0000 Subject: [PATCH 18/33] Bump the github-actions group with 1 update (#47) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e5b0751..dd07549 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,7 +15,7 @@ jobs: distribution: 'temurin' cache: 'maven' - name: Cache SonarCloud packages - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar From 40554e6fbe7a8c8da52495638bd05eac8d9942f8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 08:27:15 +0000 Subject: [PATCH 19/33] Bump the java-production-dependencies group with 5 updates (#48) --- pom.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index fa48018..bb3efac 100644 --- a/pom.xml +++ b/pom.xml @@ -18,11 +18,11 @@ 8 - 2.8.9 - 32.0.0-jre - 1.4.4 + 2.10.1 + 33.0.0-jre + 1.5.0 1.70 - 1.7.35 + 2.0.11 5.10.1 From 2d284e0165b66b9f4d248e7d1ef2905a2536423a Mon Sep 17 00:00:00 2001 
From: JaniruTEC <52893617+JaniruTEC@users.noreply.github.com> Date: Fri, 9 Feb 2024 09:31:52 +0100 Subject: [PATCH 20/33] Changed version specifier for dependency-check/Change used JDK version (#46) * Changed version specifier for dependency-check See: https://github.com/cryptomator/cryptofs/pull/202#discussion_r1453615249 * Updated JDK for dependency-check to 21 See: 5b2a228 --------- Co-authored-by: Sebastian Stenzel --- .github/workflows/dependency-check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index bdebba8..1458295 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -10,11 +10,11 @@ on: jobs: check-dependencies: - uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@main + uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1 with: runner-os: 'ubuntu-latest' java-distribution: 'temurin' - java-version: 11 + java-version: 21 secrets: nvd-api-key: ${{ secrets.NVD_API_KEY }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} From 4e47df1d161ae77827f4223ce14e8b4eaa7cc601 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 09:54:17 +0000 Subject: [PATCH 21/33] Bump the java-test-dependencies group with 2 updates (#52) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index bb3efac..f58868c 100644 --- a/pom.xml +++ b/pom.xml @@ -25,8 +25,8 @@ 2.0.11 - 5.10.1 - 5.10.0 + 5.10.2 + 5.11.0 2.2 1.37 From b08fa21b03043db916d998b20e2670ec55ad688a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 09:55:14 +0000 Subject: [PATCH 22/33] Bump the maven-build-plugins group with 5 updates (#55) --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
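Review bot: `@v1` is a floating tag that the owning repository can move at any time, so this still does not fix what runs with `NVD_API_KEY` and `SLACK_WEBHOOK_URL`. Prefer the full commit SHA with the tag as a trailing comment, `uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@<sha> # v1`, which Dependabot's `github-actions` ecosystem still keeps current.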
diff --git a/pom.xml b/pom.xml index f58868c..c609eeb 100644 --- a/pom.xml +++ b/pom.xml @@ -31,7 +31,7 @@ 1.37 - 9.0.9 + 9.1.0 0.8.11 1.6.13 @@ -151,7 +151,7 @@ maven-compiler-plugin - 3.12.1 + 3.13.0 UTF-8 true @@ -175,7 +175,7 @@ maven-shade-plugin - 3.5.1 + 3.5.2 package @@ -213,7 +213,7 @@ org.codehaus.mojo exec-maven-plugin - 3.1.1 + 3.2.0 package @@ -370,7 +370,7 @@ maven-gpg-plugin - 3.1.0 + 3.2.2 sign-artifacts From 0a46cf4bf41c6ce12eb85196d90d526749334488 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Apr 2024 09:55:42 +0000 Subject: [PATCH 23/33] Bump the github-actions group with 1 update (#57) --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index dd07549..57b9a8c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,7 +41,7 @@ jobs: name: artifacts path: target/*.jar - name: Create Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 if: startsWith(github.ref, 'refs/tags/') with: prerelease: true From b8b0141d95d2c3742e01ce58b4d7b7fd1bfbcfaf Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 11 Apr 2024 09:07:28 +0200 Subject: [PATCH 24/33] Update suppression.xml (#58) suppress CVE-2023-33202 and CVE-2023-33201 --- suppression.xml | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/suppression.xml b/suppression.xml index b4e9da1..6417cf9 100644 --- a/suppression.xml +++ b/suppression.xml @@ -18,4 +18,36 @@ CVE-2020-8908 CVE-2020-8908 - \ No newline at end of file + + + ^pkg:maven/org\.bouncycastle/bcutil\-jdk15on@.*$ + CVE-2023-33202 + + + + ^pkg:maven/org\.bouncycastle/bcpkix\-jdk15on@.*$ + CVE-2023-33202 + + + + ^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$ + CVE-2023-33202 + + + + ^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$ + CVE-2023-33201 + + 
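Review bot: The four new suppressions for CVE-2023-33202 and CVE-2023-33201 on `bcprov/bcpkix/bcutil-jdk15on` have no visible expiry; both CVEs are fixed in newer Bouncy Castle releases, so a suppression is a stop-gap and should carry `until="YYYY-MM-DD"` on each `<suppress>` element so it lapses on its own, plus a `<notes>` entry stating why the affected code paths are not reachable from this library — element tags are stripped in this view, so confirm whether notes already exist. Matching `@.*$` also silences the finding for every future version, including the ones that fix it; narrowing the regex to the currently pinned `1.70` keeps the upgrade visible in the report.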
From 26dbb320380fc5e4115ab43f556cc5fc6453c5c6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 13:24:01 +0000 Subject: [PATCH 25/33] Bump the java-production-dependencies group with 3 updates (#56) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index c609eeb..365810f 100644 --- a/pom.xml +++ b/pom.xml @@ -19,10 +19,10 @@ 2.10.1 - 33.0.0-jre + 33.1.0-jre 1.5.0 1.70 - 2.0.11 + 2.0.12 5.10.2 From 9ae2f628bc42e46a5e2391725c852f31d649069b Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 16 Apr 2024 14:39:42 +0200 Subject: [PATCH 26/33] update IDE JDK to 21 --- .idea/misc.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.idea/misc.xml b/.idea/misc.xml index 4d8efc6..5e8e72e 100644 --- a/.idea/misc.xml +++ b/.idea/misc.xml @@ -1,5 +1,6 @@ + - + \ No newline at end of file From b538d030fa4885ba0ad9714b75bacb1f6da5c39c Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 16 Apr 2024 15:40:15 +0200 Subject: [PATCH 27/33] Feature: Update libs (#59) * updating siv-mode and bouncycastle * cleanup cve suppression list --- pom.xml | 6 +++--- suppression.xml | 42 ++++++------------------------------------ 2 files changed, 9 insertions(+), 39 deletions(-) diff --git a/pom.xml b/pom.xml index 365810f..94b8d5c 100644 --- a/pom.xml +++ b/pom.xml @@ -20,8 +20,8 @@ 2.10.1 33.1.0-jre - 1.5.0 - 1.70 + 1.5.2 + 1.78 2.0.12 @@ -63,7 +63,7 @@ org.bouncycastle - bcpkix-jdk15on + bcpkix-jdk18on ${bouncycastle.version} true diff --git a/suppression.xml b/suppression.xml index 6417cf9..a831953 100644 --- a/suppression.xml +++ b/suppression.xml @@ -3,8 +3,9 @@ + Incorrectly matched CPE + ]]> + org\.cryptomator:.* cpe:/a:cryptomator:cryptomator CVE-2022-25366 
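Review bot: Only `bcpkix-jdk15on` is switched to `bcpkix-jdk18on` in this hunk, so any other Bouncy Castle coordinate in the pom — a direct `bcprov` dependency or the shade plugin's artifact include list, both outside this hunk — must move to the `jdk18on` line as well; `bcpkix-jdk18on` brings `bcprov-jdk18on` transitively, and a leftover `jdk15on` artifact would put two copies of the same packages into the shaded jar. Upgrading to 1.78 instead of suppressing the CVEs is the right resolution; a one-line `<!-- jdk18on: jdk15on line is unmaintained -->` next to the artifactId would record why the artifact name changed. The `<dependency>` element continues outside the hunk.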
@@ -12,42 +13,11 @@ + Suppress false positive, because com.google.common.io.Files.getTempDir() is not used + ]]> + ^pkg:maven/com\.google\.guava/guava@.*$ CVE-2020-8908 CVE-2020-8908 - - - ^pkg:maven/org\.bouncycastle/bcutil\-jdk15on@.*$ - CVE-2023-33202 - - - - ^pkg:maven/org\.bouncycastle/bcpkix\-jdk15on@.*$ - CVE-2023-33202 - - - - ^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$ - CVE-2023-33202 - - - - ^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$ - CVE-2023-33201 - From 92c2c314f0c6e8462e8d96209ec4dfb133c2072a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 14:17:44 +0000 Subject: [PATCH 28/33] Bump the maven-build-plugins group with 5 updates (#60) --- pom.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index 94b8d5c..68be9f0 100644 --- a/pom.xml +++ b/pom.xml @@ -32,7 +32,7 @@ 9.1.0 - 0.8.11 + 0.8.12 1.6.13 @@ -175,7 +175,7 @@ maven-shade-plugin - 3.5.2 + 3.5.3 package @@ -241,7 +241,7 @@ org.apache.maven.plugins maven-jar-plugin - 3.3.0 + 3.4.1 @@ -253,7 +253,7 @@ maven-source-plugin - 3.3.0 + 3.3.1 attach-sources @@ -370,7 +370,7 @@ maven-gpg-plugin - 3.2.2 + 3.2.4 sign-artifacts From 4db325b958a95266bd58a236797c5c408fc1a4bb Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 May 2024 14:22:14 +0000 Subject: [PATCH 29/33] Bump the java-production-dependencies group with 3 updates (#61) --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 68be9f0..f0499ac 100644 --- a/pom.xml +++ b/pom.xml @@ -21,8 +21,8 @@ 2.10.1 33.1.0-jre 1.5.2 - 1.78 - 2.0.12 + 1.78.1 + 2.0.13 5.10.2 From 10ddab60c1c8b4002355f33bc61e0a53a01628fa Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Thu, 16 May 2024 13:01:07 +0200 Subject: [PATCH 30/33] build project with JDK 22 (but keep multi release jar) also account for JDK-8308398 --- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/dependency-check.yml | 2 +- .github/workflows/publish-central.yml | 2 +- .github/workflows/publish-github.yml | 2 +- .idea/misc.xml | 2 +- pom.xml | 15 ++++++++++++++ src/main/java22/module-info.java | 27 ++++++++++++++++++++++++++ 8 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 src/main/java22/module-info.java diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 57b9a8c..dff3a25 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,7 +11,7 @@ jobs: fetch-depth: 0 - uses: actions/setup-java@v4 with: - java-version: 21 + java-version: 22 distribution: 'temurin' cache: 'maven' - name: Cache SonarCloud packages diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 4286698..c687448 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,7 +19,7 @@ jobs: fetch-depth: 2 - uses: actions/setup-java@v4 with: - java-version: 21 + java-version: 22 distribution: 'temurin' cache: 'maven' - name: Initialize CodeQL diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml index 1458295..31dd104 100644 --- a/.github/workflows/dependency-check.yml +++ b/.github/workflows/dependency-check.yml @@ -14,7 +14,7 @@ jobs: with: runner-os: 'ubuntu-latest' java-distribution: 'temurin' - java-version: 21 + java-version: 22 secrets: nvd-api-key: ${{ secrets.NVD_API_KEY }} slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml index afabe60..6f14836 100644 --- a/.github/workflows/publish-central.yml +++ b/.github/workflows/publish-central.yml 
@@ -15,7 +15,7 @@ jobs:
 ref: "refs/tags/${{ github.event.inputs.tag }}"
 - uses: actions/setup-java@v4
 with:
- java-version: 21
+ java-version: 22
 distribution: 'temurin'
 cache: 'maven'
 server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml
index be60dec..b590555 100644
--- a/.github/workflows/publish-github.yml
+++ b/.github/workflows/publish-github.yml
@@ -10,7 +10,7 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-java@v4
 with:
- java-version: 21
+ java-version: 22
 distribution: 'temurin'
 cache: 'maven'
 gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
diff --git a/.idea/misc.xml b/.idea/misc.xml
index 5e8e72e..a6632ff 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -8,5 +8,5 @@
-
+
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index f0499ac..481d2ab 100644
--- a/pom.xml
+++ b/pom.xml
@@ -171,6 +171,20 @@ true
+
+ java22
+ compile
+
+ compile
+
+
+ 22
+
+ ${project.basedir}/src/main/java22
+
+ true
+
+
@@ -228,6 +242,7 @@ --update --file=${project.build.directory}/${project.build.finalName}.jar META-INF/versions/9/module-info.class
+ META-INF/versions/22/module-info.class
diff --git a/src/main/java22/module-info.java b/src/main/java22/module-info.java
new file mode 100644
index 0000000..06e5d6a
--- /dev/null
+++ b/src/main/java22/module-info.java
@@ -0,0 +1,27 @@
+import org.cryptomator.cryptolib.api.CryptorProvider;
+
+/**
+ * This module provides the highlevel cryptographic API used by Cryptomator.
+ *
+ * @uses CryptorProvider See {@link CryptorProvider#forScheme(CryptorProvider.Scheme)}
+ * @provides CryptorProvider Providers for {@link org.cryptomator.cryptolib.api.CryptorProvider.Scheme#SIV_CTRMAC SIV/CTR-then-MAC}
+ * and {@link org.cryptomator.cryptolib.api.CryptorProvider.Scheme#SIV_GCM SIV/GCM}
+ */
+module org.cryptomator.cryptolib {
+ requires static org.bouncycastle.provider; // will be shaded
+ requires static org.bouncycastle.pkix; // will be shaded
+ requires org.cryptomator.siv;
+ requires com.google.gson;
+ requires transitive com.google.common;
+ requires org.slf4j;
+
+ exports org.cryptomator.cryptolib.api;
+ exports org.cryptomator.cryptolib.common;
+
+ opens org.cryptomator.cryptolib.common to com.google.gson;
+
+ uses CryptorProvider;
+
+ provides CryptorProvider
+ with org.cryptomator.cryptolib.v1.CryptorProviderImpl, org.cryptomator.cryptolib.v2.CryptorProviderImpl;
+}
\ No newline at end of file
From 50c34adc0f37eecf6ccdac63aa9ab8cab2eab939 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 16 May 2024 16:39:01 +0200
Subject: [PATCH 31/33] enforce jdk22 for building
---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pom.xml b/pom.xml
index 481d2ab..5363a59 100644
--- a/pom.xml
+++ b/pom.xml
@@ -141,8 +141,8 @@
- You need at least JDK 11.0.3 to build this project.
- [11.0.3,)
+ You need at least JDK 22 to build this project.
+ [22,)
From 83a909716a400525156e318722c312f8eb3c3f91 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 16 May 2024 17:08:06 +0200
Subject: [PATCH 32/33] secure workflow
---
 .github/workflows/publish-central.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml
index 6f14836..f075bc2 100644
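Review bot: The new JDK 22 descriptor does not say why a second module-info exists next to the versions/9 one that the pom's jar update step already lists, so the reason (the commit message points at JDK-8308398) survives only in git history; a comment above `module org.cryptomator.cryptolib {` such as `// JDK 22 variant of the module descriptor, see JDK-8308398; keep in sync with the JDK 9 descriptor` would keep it with the code. The two descriptors declare requires/exports/opens independently, so a later edit to one — say a new `opens … to com.google.gson` — that is not mirrored in the other gives JDK 22 consumers a different module boundary without any build error; a comment is the minimum, a build-time comparison would be better. I cannot see the versions/9 descriptor from this hunk, so whether they match today is unverified.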
--- a/.github/workflows/publish-central.yml
+++ b/.github/workflows/publish-central.yml
@@ -24,10 +24,11 @@ jobs:
 gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
 gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 - name: Enforce project version ${{ github.event.inputs.tag }}
- run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }}
+ run: mvn versions:set -B -DnewVersion=$GIT_TAG
 - name: Deploy
 run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
 env:
+ GIT_TAG: ${{ github.event.inputs.tag }}
 MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
 MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
 MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
\ No newline at end of file
From 29e4630c0e38e070587140b9b227b2c9fd2f99a5 Mon Sep 17 00:00:00 2001
From: Armin Schrenk
Date: Thu, 16 May 2024 17:08:55 +0200
Subject: [PATCH 33/33] prepare 2.2.0
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index 5363a59..a4080bc 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@ 4.0.0 org.cryptomator cryptolib
- 2.2.0-SNAPSHOT
+ 2.2.0
 Cryptomator Crypto Library This library contains all cryptographic functions that are used by Cryptomator. https://github.com/cryptomator/cryptolib
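Review bot: `$GIT_TAG` is read by the "Enforce project version" step's `run:`, but the new `GIT_TAG: ${{ github.event.inputs.tag }}` is added under the `env:` of the following "Deploy" step, and a step-level env is not visible to other steps, so `-DnewVersion=` expands to an empty value there unless a job-level env outside this hunk also defines it. Put the variable on the step that uses it — an `env:` block with `GIT_TAG: ${{ github.event.inputs.tag }}` directly under the enforce step's `name:` — or define it once at job level so both steps see it. Moving the input out of the inline script into an environment variable is the right mitigation for expression injection through `github.event.inputs.tag`; writing the expansion as `"$GIT_TAG"` would additionally keep a tag containing whitespace from splitting into extra mvn arguments. The input is still interpolated in the step `name:`, which is only displayed and not executed, so that use is fine.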