Merge branch 'release/1.5.1'

Author: infeo

.github/dependabot.yml

@@ -6,11 +6,36 @@ updates:
       interval: "monthly"
       day: "monday"
       time: "06:00"
-      timezone: "UTC"
+      timezone: "Etc/UTC"
     groups:
-      maven-dependencies:
+      java-test-dependencies:
+        patterns:
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "org.openjdk.jmh:*"
+          - "com.google.guava:guava"
+      maven-build-plugins:
+        patterns:
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.codehaus.mojo:versions-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "org.sonatype.plugins:nexus-staging-maven-plugin"
+      java-production-dependencies:
         patterns:
           - "*"
+        exclude-patterns:
+          - "org.junit.jupiter:*"
+          - "org.mockito:*"
+          - "org.hamcrest:*"
+          - "org.openjdk.jmh:*"
+          - "com.google.guava:guava"
+          - "org.apache.maven.plugins:*"
+          - "org.jacoco:jacoco-maven-plugin"
+          - "org.codehaus.mojo:versions-maven-plugin"
+          - "org.owasp:dependency-check-maven"
+          - "org.sonatype.plugins:nexus-staging-maven-plugin"
 
   - package-ecosystem: "github-actions"
     directory: "/" # even for `.github/workflows`

.github/workflows/build.yml

@@ -5,38 +5,37 @@ jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
-    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           java-version: 21
           distribution: 'zulu'
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: ./mvnw -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         run: >
           ./mvnw -B verify
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-          -Pcoverage,dependency-check
+          -Pcoverage
           -Dsonar.projectKey=cryptomator_siv-mode
           -Dsonar.organization=cryptomator
           -Dsonar.host.url=https://sonarcloud.io
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: artifacts
           path: target/*.jar
@@ -50,11 +49,11 @@ jobs:
           } >> $GITHUB_OUTPUT
       - name: Create Release
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           body: |-
-            ## Maven Coordinates
+            ### Maven Coordinates
             ```xml
               <dependency>
                 <groupId>org.cryptomator</groupId>
@@ -63,10 +62,10 @@ jobs:
               </dependency>
             ```
 
-            ## Artifact Checksums
+            ### Artifact Checksums
             ```txt
             ${{ steps.checksums.outputs.sha256 }}
             ```
 
-            See [README.md](../#reproducible-builds) section regarding reproducing this build.
+            See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build.
           generate_release_notes: true

.github/workflows/codeql-analysis.yml

@@ -13,21 +13,31 @@ jobs:
   analyse:
     name: Analyse
     runs-on: ubuntu-latest
-    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
-    - uses: actions/checkout@v4
+    - name: Checkout repository
+      uses: actions/checkout@v4
       with:
         fetch-depth: 2
-    - uses: actions/setup-java@v3
+    - name: Set up Java
+      uses: actions/setup-java@v4
       with:
         java-version: 21
         distribution: 'zulu'
         cache: 'maven'
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: java
-    - name: Build and Test
+        config: |
+          queries:
+            - uses: security-and-quality
+    - name: Build
       run: ./mvnw -B install -DskipTests
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:java"

.github/workflows/dependency-check.yml

@@ -0,0 +1,20 @@
+name: OWASP Maven Dependency Check
+on:
+  schedule:
+    - cron: '0 7 * * 0'
+  push:
+    branches:
+      - 'release/**'
+  workflow_dispatch:
+
+
+jobs:
+  check-dependencies:
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
+    with:
+      runner-os: 'ubuntu-latest'
+      java-distribution: 'zulu'
+      java-version: 21
+    secrets:
+      nvd-api-key: ${{ secrets.NVD_API_KEY }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/publish-central.yml

@@ -13,7 +13,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: "refs/tags/${{ github.event.inputs.tag }}"
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           java-version: 21
           distribution: 'zulu'
@@ -23,10 +23,10 @@ jobs:
           server-password: MAVEN_PASSWORD # env variable for token in deploy
           gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
-      - name: Verify project version = ${{ github.event.release.tag_name }}
+      - name: Verify project version = ${{ github.event.inputs.tag }}
         run: |
           PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
-          test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}"
+          test "$PROJECT_VERSION" = "${{ github.event.inputs.tag }}"
       - name: Deploy
         run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
         env:

.github/workflows/publish-github.yml

@@ -8,7 +8,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           java-version: 21
           distribution: 'zulu'

.snyk

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>siv-mode</artifactId>
-	<version>1.5.0</version>
+	<version>1.5.1</version>
 
 	<name>SIV Mode</name>
 	<description>RFC 5297 SIV mode: deterministic authenticated encryption</description>
@@ -35,31 +35,34 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<project.build.outputTimestamp>2023-10-06T15:38:57Z</project.build.outputTimestamp>
+		<project.build.outputTimestamp>2024-04-15T10:23:33Z</project.build.outputTimestamp>
 
 		<!-- dependencies -->
-		<bouncycastle.version>1.70</bouncycastle.version>
+		<bouncycastle.version>1.78</bouncycastle.version>
 
 		<!-- test dependencies -->
-		<junit.version>5.10.0</junit.version>
-		<mockito.version>5.5.0</mockito.version>
+		<junit.version>5.10.2</junit.version>
+		<mockito.version>5.11.0</mockito.version>
 		<jmh.version>1.37</jmh.version>
 		<hamcrest.version>2.2</hamcrest.version>
-		<guava.version>32.1.2-jre</guava.version>
+		<guava.version>33.1.0-jre</guava.version>
+
+		<!-- maven plugins -->
+		<dependency-check.version>9.1.0</dependency-check.version>
 	</properties>
 
 	<dependencies>
 		<dependency>
 			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk15on</artifactId>
+			<artifactId>bcprov-jdk18on</artifactId>
 			<version>${bouncycastle.version}</version>
 			<!-- see maven-shade-plugin; we don't want this as a transitive dependency in other projects -->
 			<optional>true</optional>
 		</dependency>
 		<dependency>
 			<groupId>org.jetbrains</groupId>
 			<artifactId>annotations</artifactId>
-			<version>24.0.1</version>
+			<version>24.1.0</version>
 			<scope>provided</scope>
 		</dependency>
 
@@ -107,7 +110,7 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>versions-maven-plugin</artifactId>
-				<version>2.9.0</version>
+				<version>2.16.2</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
@@ -133,7 +136,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.11.0</version>
+				<version>3.13.0</version>
 				<configuration>
 					<release>8</release>
 					<encoding>UTF-8</encoding>
@@ -159,7 +162,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>3.1.2</version>
+				<version>3.2.5</version>
 			</plugin>
 			<plugin>
 				<artifactId>maven-jar-plugin</artifactId>
@@ -187,7 +190,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.6.0</version>
+				<version>3.6.3</version>
 				<executions>
 					<execution>
 						<id>attach-javadocs</id>
@@ -207,7 +210,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-shade-plugin</artifactId>
-				<version>3.5.1</version>
+				<version>3.5.2</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -253,19 +256,21 @@
 					<plugin>
 						<groupId>org.owasp</groupId>
 						<artifactId>dependency-check-maven</artifactId>
-						<version>8.4.0</version>
+						<version>${dependency-check.version}</version>
 						<configuration>
-							<cveValidForHours>24</cveValidForHours>
+							<nvdValidForHours>24</nvdValidForHours>
 							<failBuildOnCVSS>0</failBuildOnCVSS>
 							<skipTestScope>true</skipTestScope>
 							<detail>true</detail>
 							<suppressionFile>suppression.xml</suppressionFile>
+							<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
 						</configuration>
 						<executions>
 							<execution>
 								<goals>
 									<goal>check</goal>
 								</goals>
+								<phase>validate</phase>
 							</execution>
 						</executions>
 					</plugin>
@@ -280,7 +285,7 @@
 					<plugin>
 						<groupId>org.jacoco</groupId>
 						<artifactId>jacoco-maven-plugin</artifactId>
-						<version>0.8.10</version>
+						<version>0.8.11</version>
 						<executions>
 							<execution>
 								<id>prepare-agent</id>
@@ -306,7 +311,7 @@
 				<plugins>
 					<plugin>
 						<artifactId>maven-gpg-plugin</artifactId>
-						<version>3.1.0</version>
+						<version>3.2.2</version>
 						<executions>
 							<execution>
 								<id>sign-artifacts</id>

pom.xml

@@ -8,4 +8,12 @@
 		<gav regex="true">org\.bouncycastle:bcprov-jdk15on:.*</gav>
 		<cve>CVE-2023-33201</cve>
 	</suppress>
-</suppressions>
+	<suppress>
+   		<notes><![CDATA[
+   	file name: bcprov-jdk15on-1.70.jar
+	Reason: PEMParser is not used
+   	]]></notes>
+   		<packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$</packageUrl>
+   		<cve>CVE-2023-33202</cve>
+	</suppress>
+</suppressions>