Release 2.1.0

`webauthn-server-core`:

Changes:

- Log messages on attestation certificate path validation failure now include
  the attestation object.

Deprecations:

- Deprecated method `AssertionResult.getCredentialId(): ByteArray`. Use
  `.getCredential().getCredentialId()` instead.
- Deprecated method `AssertionResult.getUserHandle(): ByteArray`. Use
  `.getCredential().getUserHandle()` instead.

New features:

- Added method `FidoMetadataDownloader.refreshBlob()`.
- Added function `COSEAlgorithmIdentifier.fromPublicKey(ByteArray)`.
- Added method `AssertionResult.getCredential(): RegisteredCredential`.
- Added support for the `"tpm"` attestation statement format.
- Added support for ES384 and ES512 signature algorithms.
- Added property `policyTreeValidator` to `TrustRootsResult`. If set, the given
  predicate function will be used to validate the certificate policy tree after
  successful attestation certificate path validation. This may be required for
  some JCA providers to accept attestation certificates with critical
  certificate policy extensions. See the JavaDoc for
  `TrustRootsResultBuilder.policyTreeValidator(Predicate)` for more information.
- Added enum value `AttestationConveyancePreference.ENTERPRISE`.
- (Experimental) Added constant `AuthenticatorTransport.HYBRID`.

Fixes:

- Fixed various typos and mistakes in JavaDocs.
- Moved version constraints for test dependencies from meta-module
  `webauthn-server-parent` to unpublished test meta-module.
- `yubico-util` dependency removed from downstream compile scope.
- Fixed missing JavaDoc on `TrustRootsResult` getters and builder setters.

`webauthn-server-attestation`:

Changes:

- The `AuthenticatorToBeFiltered` argument of the `FidoMetadataService` runtime
  filter now omits zero AAGUIDs.
- Promoted log messages in `FidoMetadataDownloader` about BLOB signature failure
  and cache corruption from DEBUG level to WARN level.

Fixes:

- Fixed various typos and mistakes in JavaDocs.
- `FidoMetadataDownloader` now verifies the SHA-256 hash of the cached trust
  root certificate, as promised in the JavaDoc of `useTrustRootCacheFile` and
  `useTrustRootCache`.
- BouncyCastle dependency dropped.
- Guava dependency dropped (but still remains in core module).
- If BLOB download fails, `FidoMetadataDownloader` now correctly falls back to
  cache if available.

.github/actions/pit-results-badge/action.yml

@@ -0,0 +1,49 @@
+name: Create Shields.io badge from PIT mutation test results
+author: Emil Lundberg <[email protected]>
+description: |
+  Parses a [PIT][pitest] report file and outputs a [Shields.io][shields]
+  [endpoint badge][endpoint] definition file.
+
+  [endpoint]: https://shields.io/endpoint
+  [pitest]: https://pitest.org/
+  [shields]: https://shields.io/
+
+inputs:
+  cache-seconds:
+    default: 3600
+    description: Passed through as cacheSeconds to Shields.io.
+
+  label:
+    default: "mutation coverage"
+    description: Label for the left side of the badge.
+
+  mutations-file:
+    default: build/reports/pitest/mutations.xml
+    description: Path to the PIT report XML file.
+
+  output-file:
+    required: true
+    description: Path to write output file to.
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Install yq (and xq)
+      shell: bash
+      run: pip install yq
+
+    - name: Create coverage badge
+      shell: bash
+      run: |
+        cat ${{ inputs.mutations-file }} \
+        | xq '.mutations.mutation
+          | (map(select(.["@detected"] == "true")) | length) / length
+          | {
+              schemaVersion: 1,
+              label: "${{ inputs.label }}",
+              message: "\(. * 100 | floor | tostring) %",
+              color: "hsl(\(. * 120 | floor | tostring), 100%, 40%)",
+              cacheSeconds: ${{ inputs.cache-seconds }},
+            }' \
+        > ${{ inputs.output-file }}

.github/actions/pit-results-comment/action.yml

@@ -0,0 +1,56 @@
+name: Post PIT mutation test results comment
+author: Emil Lundberg <[email protected]>
+description: |
+  Parses a [PIT][pitest] report file, compares it to a previous report,
+  and posts a summary as a commit comment to the commit that triggered the workflow.
+
+  [pitest]: https://pitest.org/
+
+inputs:
+  mutations-file:
+    default: build/reports/pitest/mutations.xml
+    description: Path to the PIT report XML file.
+
+  prev-commit:
+    default: ''
+    description: |
+      The full commit SHA of the previous run of this action.
+      If set, the comment will include a link to the previous commit.
+
+  prev-mutations-file:
+    required: true
+    description: Path to the PIT report XML file from the previous run of this action.
+
+  token:
+    default: ${{ github.token }}
+    description: GITHUB_TOKEN or a PAT with permission to write commit comments.
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Install yq (and xq)
+      shell: bash
+      run: pip install yq
+
+    - name: Post results comment
+      shell: bash
+      run: |
+        RESULTS_COMMENT_FILE=$(mktemp)
+        NEW_STATS_FILE=$(mktemp)
+        PREV_STATS_FILE=$(mktemp)
+
+        ./.github/actions/pit-results-comment/compute-stats.sh "${{ inputs.mutations-file }}" > "${NEW_STATS_FILE}"
+
+        if [[ -f "${{ inputs.prev-mutations-file }}" ]]; then
+          ./.github/actions/pit-results-comment/compute-stats.sh "${{ inputs.prev-mutations-file }}" > "${PREV_STATS_FILE}"
+        else
+          echo 'Previous mutations file not found, using current as placeholder.'
+          cp "${NEW_STATS_FILE}" "${PREV_STATS_FILE}"
+        fi
+
+        ./.github/actions/pit-results-comment/stats-to-comment.sh "${PREV_STATS_FILE}" "${NEW_STATS_FILE}" "${{ inputs.prev-commit }}" > "${RESULTS_COMMENT_FILE}"
+
+        curl -X POST \
+           -H "Authorization: Bearer ${{ inputs.token }}" \
+           ${{ github.api_url }}/repos/${{ github.repository }}/commits/${{ github.sha }}/comments -d @"${RESULTS_COMMENT_FILE}"

.github/actions/pit-results-comment/compute-stats.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+xq '.mutations.mutation
+  | group_by(.mutatedClass | split(".") | .[:-1])
+  | INDEX(.[0].mutatedClass | split(".") | .[:-1] | join("."))
+  | map_values({
+      detected: (map(select(.["@detected"] == "true")) | length),
+      mutations: length,
+    })
+' "${1}"

.github/actions/pit-results-comment/stats-to-comment.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+make-contents() {
+  cat << EOF
+## Mutation test results
+
+Package | Coverage | Stats | Prev | Prev |
+------- | --------:|:-----:| ----:|:----:|
+EOF
+
+  jq -s '.[0] as $old | .[1] as $new
+    | {
+      packages: (
+        $old | keys
+        | map({
+            ("`\(.)`"): {
+              before: {
+                detected: $old[.].detected,
+                mutations: $old[.].mutations,
+              },
+              after: {
+                detected: $new[.].detected,
+                mutations: $new[.].mutations,
+              },
+              percentage_diff: (($new[.].detected / $new[.].mutations - $old[.].detected / $old[.].mutations) * 100 | round),
+            },
+          })
+        | add
+      ),
+      overall: {
+        before: {
+          detected: [($old[] | .detected)] | add,
+          mutations: [($old[] | .mutations)] | add,
+        },
+        after: {
+          detected: [($new[] | .detected)] | add,
+          mutations: [($new[] | .mutations)] | add,
+        },
+        percentage_diff: (
+          (
+            ([($new[] | .detected)] | add) / ([($new[] | .mutations)] | add)
+            - ([($old[] | .detected)] | add) / ([($old[] | .mutations)] | add)
+          ) * 100 | round
+        ),
+      },
+    }
+    | { ("**Overall**"): .overall } + .packages
+    | to_entries
+    | .[]
+    | def difficon:
+        if .after.detected == .after.mutations then ":trophy:"
+        elif .percentage_diff > 0 then ":green_circle:"
+        elif .percentage_diff < 0 then ":small_red_triangle_down:"
+        else ":small_blue_diamond:"
+        end;
+      def triangles:
+        if . > 0 then ":small_red_triangle:"
+        elif . < 0 then ":small_red_triangle_down:"
+        else ":small_blue_diamond:"
+        end;
+      "\(.key) | **\(.value.after.detected / .value.after.mutations * 100 | floor) %** \(.value | difficon) | \(.value.after.detected) \(.value.after.detected - .value.before.detected | triangles) / \(.value.after.mutations) \(.value.after.mutations - .value.before.mutations | triangles)| \(.value.before.detected / .value.before.mutations * 100 | floor) % | \(.value.before.detected) / \(.value.before.mutations)"
+  ' \
+    "${1}" "${2}" --raw-output
+
+  if [[ -n "${3}" ]]; then
+    cat << EOF
+
+Previous run: ${3}
+EOF
+
+    cat << EOF
+
+Detailed reports: [workflow run #${GITHUB_RUN_NUMBER}](/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID})
+EOF
+  fi
+
+}
+
+make-contents "$@" | python -c 'import json; import sys; print(json.dumps({"body": sys.stdin.read()}))'

.github/dependabot.yml

@@ -6,3 +6,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+    ignore:
+      # Spotless patch updates are too noisy
+      - dependency-name: "spotless-plugin-gradle"
+        update-types: ["version-update:semver-patch"]
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yml

@@ -1,41 +1,58 @@
 # This name is shown in the status badge in the README
 name: build
 
-on: [push, pull_request]
+on:
+  push:
+    branches-ignore:
+      - 'tmp**'
+  pull_request:
+    branches-ignore:
+      - 'tmp**'
 
 jobs:
   test:
-    name: JDK ${{matrix.java}}
+    name: JDK ${{ matrix.java }} ${{ matrix.distribution }}
 
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11, 16]
+        java: [8, 11, 17, 18]
+        distribution: [temurin]
+        include:
+          - java: 17
+            distribution: zulu
+          - java: 17
+            distribution: microsoft
+
+    outputs:
+        report-java: 17
+        report-dist: temurin
 
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Set up JDK
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v3
       with:
         java-version: ${{ matrix.java }}
+        distribution: ${{ matrix.distribution }}
 
     - name: Run tests
       run: ./gradlew cleanTest test
 
     - name: Archive HTML test report
       if: ${{ always() }}
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       with:
-        name: test-reports-java${{ matrix.java }}-html
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-html
         path: "*/build/reports/**"
 
     - name: Archive JUnit test report
       if: ${{ always() }}
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       with:
-        name: test-reports-java${{ matrix.java }}-xml
+        name: test-reports-java${{ matrix.java }}-${{ matrix.distribution }}-xml
         path: "*/build/test-results/**/*.xml"
 
     - name: Build JavaDoc
@@ -47,11 +64,17 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ always() && github.event_name == 'pull_request' }}
 
+    permissions:
+      checks: write
+      pull-requests: write
+
     steps:
     - name: Download artifacts
-      uses: actions/download-artifact@v2
+      uses: actions/download-artifact@v3
+      with:
+        name: test-reports-java${{ needs.test.outputs.report-java }}-${{ needs.test.outputs.report-dist }}-xml
 
     - name: Publish test results
-      uses: EnricoMi/publish-unit-test-result-action@v1
+      uses: EnricoMi/publish-unit-test-result-action@v2
       with:
         files: "**/*.xml"

.github/workflows/code-formatting.yml

@@ -1,7 +1,13 @@
 # This name is shown in the status badge in the README
 name: code-formatting
 
-on: [push, pull_request]
+on:
+  push:
+    branches-ignore:
+      - 'tmp**'
+  pull_request:
+    branches-ignore:
+      - 'tmp**'
 
 jobs:
   test:
@@ -10,16 +16,18 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [11]
+        java: [17]
+        distribution: [temurin]
 
     steps:
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Set up JDK
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v3
       with:
         java-version: ${{ matrix.java }}
+        distribution: ${{ matrix.distribution }}
 
     - name: Check code formatting
       run: ./gradlew spotlessCheck

.github/workflows/codeql-analysis.yml

@@ -2,8 +2,12 @@ name: "Code scanning - action"
 
 on:
   push:
-    branches-ignore: 'dependabot/**'
+    branches-ignore:
+      - 'dependabot/**'
+      - 'tmp**'
   pull_request:
+    branches-ignore:
+      - 'tmp**'
   schedule:
     - cron: '0 12 * * 2'
 
@@ -12,17 +16,21 @@ jobs:
 
     runs-on: ubuntu-latest
 
+    permissions:
+      security-events: write
+
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
-    - uses: actions/setup-java@v1
+    - uses: actions/setup-java@v3
       with:
-        java-version: '11'
+        java-version: 17
+        distribution: temurin
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: java
 
@@ -31,4 +39,4 @@ jobs:
         ./gradlew jar
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2