Merge branch 'release/2.0.7'

infeo · infeo · commit 55b350a2a9ce · 2024-10-31T12:39:37.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,6 +1,8 @@
 name: Build
 on:
-  [push]
+  push:
+  pull_request_target:
+    types: [labeled]
 jobs:
   build:
     name: Build and Test
@@ -29,9 +31,9 @@ jobs:
           name: artifacts
           path: target/*.jar
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           prerelease: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          generate_release_notes: true
+          generate_release_notes: true
diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -10,54 +10,11 @@ on:
 
 jobs:
   check-dependencies:
-    name: Check dependencies
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          show-progress: false
-      - name: Setup Java
-        uses: actions/setup-java@v4
-        with:
-          java-version: 17
-          distribution: 'temurin'
-          cache: 'maven'
-      - name: Cache NVD DB
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2/repository/org/owasp/dependency-check-data/
-          key: dependency-check-${{ github.run_id }}
-          restore-keys: |
-            dependency-check
-        env:
-          SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5
-      - name: Run org.owasp:dependency-check plugin
-        id: dependency-check
-        continue-on-error: true
-        run: mvn -B validate -Pdependency-check
-        env:
-          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-      - name: Upload report on failure
-        if: steps.dependency-check.outcome == 'failure'
-        uses: actions/upload-artifact@v4
-        with:
-          name: dependency-check-report
-          path: target/dependency-check-report.html
-          if-no-files-found: error
-      - name: Slack Notification on regular check
-        if: github.event_name == 'schedule' && steps.dependency-check.outcome == 'failure'
-        uses: rtCamp/action-slack-notify@v2
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_USERNAME: 'Cryptobot'
-          SLACK_ICON: false
-          SLACK_ICON_EMOJI: ':bot:'
-          SLACK_CHANNEL: 'cryptomator-desktop'
-          SLACK_TITLE: "Vulnerabilities in ${{ github.event.repository.name }} detected."
-          SLACK_MESSAGE: "Download the <https://github.com/${{ github.repository }}/actions/run/${{ github.run_id }}|report> for more details."
-          SLACK_FOOTER: false
-          MSG_MINIMAL: true
-      - name: Failing workflow on release branch
-        if: github.event_name == 'push' && steps.dependency-check.outcome == 'failure'
-        shell: bash
-        run: exit 1
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
+    with:
+      runner-os: 'ubuntu-latest'
+      java-distribution: 'temurin'
+      java-version: 21
+    secrets:
+      nvd-api-key: ${{ secrets.NVD_API_KEY }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml
@@ -21,8 +21,6 @@ jobs:
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
           server-password: MAVEN_PASSWORD # env variable for token in deploy
-          gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
       - name: Enforce project version ${{ github.event.inputs.tag }}
         run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }}
       - name: Deploy
@@ -35,4 +33,6 @@ jobs:
             --add-opens=java.desktop/java.awt.font=ALL-UNNAMED
           MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
           MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          MAVEN_GPG_KEY_FINGERPRINT: "58117AFA1F85B3EEC154677D615D449FE6E6A235"
diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml
@@ -13,15 +13,15 @@ jobs:
           java-version: 21
           distribution: 'temurin'
           cache: 'maven'
-          gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
-          gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
       - name: Enforce project version ${{ github.event.release.tag_name }}
         run: mvn versions:set -B -DnewVersion=${{ github.event.release.tag_name }}
       - name: Deploy
         run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          MAVEN_GPG_KEY_FINGERPRINT: "58117AFA1F85B3EEC154677D615D449FE6E6A235"
       - name: Slack Notification
         uses: rtCamp/action-slack-notify@v2
         env:
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>webdav-nio-adapter</artifactId>
-	<version>2.0.6</version>
+	<version>2.0.7</version>
 	<name>WebDAV-NIO Adapter</name>
 	<description>Embedded Jetty serving a WebDAV servlet to access resources at a given NIO path.</description>
 	<url>https://github.com/cryptomator/webdav-nio-adapter</url>
@@ -19,19 +19,25 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
 		<!-- dependencies -->
-		<integrations-api.version>1.3.0</integrations-api.version>
-		<webdavservlet.version>1.2.5</webdavservlet.version>
-		<jetty.version>10.0.20</jetty.version>
-		<slf4j.version>2.0.11</slf4j.version>
+		<integrations-api.version>1.4.0</integrations-api.version>
+		<webdavservlet.version>1.2.6</webdavservlet.version>
+		<jetty.version>10.0.24</jetty.version>
+		<slf4j.version>2.0.16</slf4j.version>
 
 		<!-- test dependencies -->
-		<junit.jupiter.version>5.10.1</junit.jupiter.version>
+		<junit.jupiter.version>5.11.0</junit.jupiter.version>
 
 		<!-- mvn plugin dependencies -->
-		<dependency-check.version>9.0.9</dependency-check.version>
-		<jacoco.version>0.8.11</jacoco.version>
-		<nexus-staging.version>1.6.13</nexus-staging.version>
-		<maven.deploy.version>3.1.1</maven.deploy.version>
+		<mvn-compiler.version>3.13.0</mvn-compiler.version>
+		<mvn-surefire.version>3.5.1</mvn-surefire.version>
+		<mvn-jar.version>3.4.2</mvn-jar.version>
+		<mvn-source.version>3.3.1</mvn-source.version>
+		<mvn-javadoc.version>3.10.1</mvn-javadoc.version>
+		<mvn-deploy.version>3.1.3</mvn-deploy.version>
+		<mvn-gpg.version>3.2.7</mvn-gpg.version>
+		<dependency-check.version>11.1.0</dependency-check.version>
+		<jacoco.version>0.8.12</jacoco.version>
+		<nexus-staging.version>1.7.0</nexus-staging.version>
 	</properties>
 
 	<licenses>
@@ -82,7 +88,7 @@
 		<dependency>
 			<groupId>org.jetbrains</groupId>
 			<artifactId>annotations</artifactId>
-			<version>24.1.0</version>
+			<version>26.0.1</version>
 			<scope>provided</scope>
 		</dependency>
 
@@ -113,7 +119,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.12.1</version>
+				<version>${mvn-compiler.version}</version>
 				<configuration>
 					<release>${project.build.jdk}</release>
 					<showWarnings>true</showWarnings>
@@ -122,16 +128,16 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>3.2.5</version>
+				<version>${mvn-surefire.version}</version>
 			</plugin>
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-jar-plugin</artifactId>
-				<version>3.3.0</version>
+				<version>${mvn-jar.version}</version>
 			</plugin>
 			<plugin>
 				<artifactId>maven-source-plugin</artifactId>
-				<version>3.3.0</version>
+				<version>${mvn-source.version}</version>
 				<executions>
 					<execution>
 						<id>attach-sources</id>
@@ -143,7 +149,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.6.3</version>
+				<version>${mvn-javadoc.version}</version>
 				<executions>
 					<execution>
 						<id>attach-javadocs</id>
@@ -171,7 +177,7 @@
 							<skipTestScope>true</skipTestScope>
 							<detail>true</detail>
 							<suppressionFile>suppression.xml</suppressionFile>
-							<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
+							<nvdApiKeyEnvironmentVariable>NVD_API_KEY</nvdApiKeyEnvironmentVariable>
 						</configuration>
 						<executions>
 							<execution>
@@ -219,7 +225,7 @@
 				<plugins>
 					<plugin>
 						<artifactId>maven-gpg-plugin</artifactId>
-						<version>3.1.0</version>
+						<version>${mvn-gpg.version}</version>
 						<executions>
 							<execution>
 								<id>sign-artifacts</id>
@@ -228,10 +234,7 @@
 									<goal>sign</goal>
 								</goals>
 								<configuration>
-									<gpgArguments>
-										<arg>--pinentry-mode</arg>
-										<arg>loopback</arg>
-									</gpgArguments>
+									<signer>bc</signer>
 								</configuration>
 							</execution>
 						</executions>
@@ -280,7 +283,7 @@
 					<plugin>
 						<groupId>org.apache.maven.plugins</groupId>
 						<artifactId>maven-deploy-plugin</artifactId>
-						<version>${maven.deploy.version}</version>
+						<version>${mvn-deploy.version}</version>
 					</plugin>
 				</plugins>
 			</build>
diff --git a/suppression.xml b/suppression.xml
@@ -29,5 +29,13 @@
 		<vulnerabilityName>CVE-2020-8908</vulnerabilityName>
 		<cve>CVE-2020-8908</cve>
 	</suppress>
+	<suppress>
+   		<notes><![CDATA[
+			The project does not use the HttpURI class at all, so no decoded user data is passed to it.
+			See also https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh.
+		]]></notes>
+   		<packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty-http@.*$</packageUrl>
+   		<vulnerabilityName>CVE-2024-6763</vulnerabilityName>
+</suppress>
 
-</suppressions>
+</suppressions>
