Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package ongres-scram for openSUSE:Factory checked in at 2025-10-29 21:08:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ongres-scram (Old) and /work/SRC/openSUSE:Factory/.ongres-scram.new.1980 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ongres-scram" Wed Oct 29 21:08:24 2025 rev:7 rq:1314329 version:MACRO Changes: -------- --- /work/SRC/openSUSE:Factory/ongres-scram/ongres-scram.changes 2025-07-06 17:17:26.590621024 +0200 +++ /work/SRC/openSUSE:Factory/.ongres-scram.new.1980/ongres-scram.changes 2025-10-29 21:09:51.938718650 +0100 @@ -0,0 +1,9 @@ +------------------------------------------------------------------ +Tue Oct 28 08:51:14 UTC 2025 - Thomas Florio <[email protected]> + +- Version 3.2 + * Fix Timing Attack Vulnerability in SCRAM Authentication + (bsc#1250399, CVE-2025-59432) + * Updated dependencies and maven plugins + * Use central-publishing-maven-plugin to deploy to Maven Central. + Old: ---- scram-3.1.tar.gz New: ---- _scmsync.obsinfo build.specials.obscpio scram-3.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ongres-scram.spec ++++++ --- /var/tmp/diff_new_pack.AdVa4N/_old 2025-10-29 21:09:52.394737819 +0100 +++ /var/tmp/diff_new_pack.AdVa4N/_new 2025-10-29 21:09:52.398737988 +0100 
@@ -17,12 +17,13 @@ %global upstream_name scram -%global upstream_version 3.1 +%global upstream_version 3.2 Name: ongres-%{upstream_name} Version: %(echo %{upstream_version} | sed 's/-/~/g') Release: 0 Summary: Salted Challenge Response Authentication Mechanism - Java Implementation License: BSD-2-Clause +Group: Development/Libraries/Java URL: https://github.com/ongres/%{upstream_name} Source0: https://github.com/ongres/%{upstream_name}/archive/%{upstream_version}/%{upstream_name}-%{upstream_version}.tar.gz BuildRequires: fdupes ++++++ _scmsync.obsinfo ++++++ mtime: 1761669868 commit: b7840c22f0d98f92a72b1ec9f396fbb7d0d1b532fa5dd0fbd6da033f1887b17d url: https://src.opensuse.org/java-packages/ongres-scram.git revision: b7840c22f0d98f92a72b1ec9f396fbb7d0d1b532fa5dd0fbd6da033f1887b17d projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-10-29 12:01:40.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ scram-3.1.tar.gz -> scram-3.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.github/dependabot.yml new/scram-3.2/.github/dependabot.yml --- old/scram-3.1/.github/dependabot.yml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/.github/dependabot.yml 2025-09-16 21:53:03.000000000 +0200 
@@ -5,9 +5,17 @@ - "/" - "/scram-client/src/it/jpms-scram-client" schedule: - interval: "weekly" + interval: "monthly" + groups: + all-maven-dependencies: + patterns: + - "*" - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "monthly" + groups: + all-github-actions: + patterns: + - "*" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.github/workflows/codeql.yml new/scram-3.2/.github/workflows/codeql.yml --- old/scram-3.1/.github/workflows/codeql.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/scram-3.2/.github/workflows/codeql.yml 2025-09-16 21:53:03.000000000 +0200 
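Review bot: Moving both ecosystems from `weekly` to `monthly` and grouping every update behind `patterns: ["*"]` lengthens the window in which a vulnerable transitive dependency of an authentication library ships unpatched, and a single grouped PR is harder to revert selectively when one bump breaks the build. If the intent is that Dependabot security updates still arrive on alert regardless of this interval (which is how I understand the schedule to work, but please confirm against the repository's Dependabot settings), say so next to the interval: `# version updates only; security updates are raised on alert independently of this interval`. Otherwise consider keeping `weekly` for the Maven ecosystem.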
@@ -0,0 +1,71 @@ +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '42 10 * * 1' + +permissions: # added using https://github.com/step-security/secure-repo + contents: read + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: 'ubuntu-latest' + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: java-kotlin + build-mode: manual # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too. + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + - if: matrix.build-mode == 'manual' + name: Set up JDK 21 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 + with: + java-version: '21' + distribution: 'temurin' + cache: maven + - if: matrix.build-mode == 'manual' + shell: bash + run: ./mvnw package -P release -DskipTests -Dmaven.javadoc.skip -Dgpg.skip + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8 + with: + category: "/language:${{matrix.language}}" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.github/workflows/maven.yml new/scram-3.2/.github/workflows/maven.yml --- old/scram-3.1/.github/workflows/maven.yml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/.github/workflows/maven.yml 2025-09-16 21:53:03.000000000 +0200 @@ -9,13 +9,16 @@ pull_request: branches: ["main"] +permissions: # added using https://github.com/step-security/secure-repo + contents: read + jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Set up JDK 21 - uses: actions/setup-java@v4 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0 with: java-version: '21' distribution: 'zulu' 
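Review bot: The `queries:` key is left commented out, so the scheduled CodeQL run executes only the default suite; for a library whose whole purpose is credential verification the `security-extended` pack is the one that would have flagged a non-constant-time comparison class of issue, so enable it under the `with:` of the init step: `queries: security-extended`. The manual build step runs `./mvnw package -P release -DskipTests -Dmaven.javadoc.skip -Dgpg.skip`, which is appropriate for analysis, but a one-line comment explaining that the release profile is needed so all modules are compiled for the database would help the next maintainer. All other actions in this workflow are SHA-pinned with a version comment, which is good.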
@@ -29,6 +32,6 @@ permissions: contents: write #required for POST snapshot API https://docs.github.com/en/rest/dependency-graph/dependency-submission#create-a-snapshot-of-dependencies-for-a-repository steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Update dependency graph - uses: advanced-security/maven-dependency-submission-action@5d0f9011b55d6268922128af45275986303459c3 + uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.github/workflows/scorecard.yml new/scram-3.2/.github/workflows/scorecard.yml --- old/scram-3.1/.github/workflows/scorecard.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/scram-3.2/.github/workflows/scorecard.yml 2025-09-16 21:53:03.000000000 +0200 
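Review bot: The new pin `advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8` carries no `# vX.Y.Z` comment, unlike every other SHA pin introduced in this release, so a reader cannot tell which release was reviewed and Dependabot's SHA-update PRs lose their version hint. Append the tag the SHA corresponds to, e.g. `uses: advanced-security/maven-dependency-submission-action@b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # vX.Y.Z` with the actual version filled in from the upstream release.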
@@ -0,0 +1,78 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 5 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.mvn/maven.config new/scram-3.2/.mvn/maven.config --- old/scram-3.1/.mvn/maven.config 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/.mvn/maven.config 2025-09-16 21:53:03.000000000 +0200 
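Review bot: The final step `uses: github/codeql-action/upload-sarif@v3` references a mutable tag, while every other step in this workflow (and in codeql.yml) is pinned to a commit SHA; the Scorecard Pinned-Dependencies check this very workflow runs will flag it, and a moved tag could alter what runs with `security-events: write`. The same repository is already pinned elsewhere in this release, so reuse that commit: `uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8`.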
@@ -4,4 +4,4 @@ --fail-fast -DinstallAtEnd=true -DdeployAtEnd=true --DrootDirectory=${maven.multiModuleProjectDirectory} +-DrootDirectory=${session.rootDirectory} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.mvn/wrapper/MavenWrapperDownloader.java new/scram-3.2/.mvn/wrapper/MavenWrapperDownloader.java --- old/scram-3.1/.mvn/wrapper/MavenWrapperDownloader.java 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/.mvn/wrapper/MavenWrapperDownloader.java 2025-09-16 21:53:03.000000000 +0200 @@ -30,7 +30,7 @@ import java.util.concurrent.ThreadLocalRandom; public final class MavenWrapperDownloader { - private static final String WRAPPER_VERSION = "3.3.2"; + private static final String WRAPPER_VERSION = "3.3.4"; private static final boolean VERBOSE = Boolean.parseBoolean(System.getenv("MVNW_VERBOSE")); @@ -45,8 +45,11 @@ try { log(" - Downloader started"); final URL wrapperUrl = URI.create(args[0]).toURL(); - final String jarPath = args[1].replace("..", ""); // Sanitize path - final Path wrapperJarPath = Paths.get(jarPath).toAbsolutePath().normalize(); + final Path baseDir = Paths.get(".").toAbsolutePath().normalize(); + final Path wrapperJarPath = baseDir.resolve(args[1]).normalize(); + if (!wrapperJarPath.startsWith(baseDir)) { + throw new IOException("Invalid path: outside of allowed directory"); + } downloadFileFromURL(wrapperUrl, wrapperJarPath); log("Done"); } catch (IOException e) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/.mvn/wrapper/maven-wrapper.properties new/scram-3.2/.mvn/wrapper/maven-wrapper.properties --- old/scram-3.1/.mvn/wrapper/maven-wrapper.properties 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/.mvn/wrapper/maven-wrapper.properties 2025-09-16 21:53:03.000000000 +0200 
@@ -1,23 +1,7 @@ -# Licensed to the Apache Software Foundation (ASF) under one -# or more contributor license agreements. See the NOTICE file -# distributed with this work for additional information -# regarding copyright ownership. The ASF licenses this file -# to you under the Apache License, Version 2.0 (the -# "License"); you may not use this file except in compliance -# with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, -# software distributed under the License is distributed on an -# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -# KIND, either express or implied. See the License for the -# specific language governing permissions and limitations -# under the License. -wrapperVersion=3.3.2 +wrapperVersion=3.3.4 distributionType=source -distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.8/apache-maven-3.9.8-bin.zip -distributionSha256Sum=8351955a9acf2f83c136c4eee0f6db894ab6265fdbe0a94b32a380307dbaa3e1 -wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar -wrapperSha256Sum=3d8f20ce6103913be8b52aef6d994e0c54705fb527324ceb9b835b338739c7a8 +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip +distributionSha256Sum=0d7125e8c91097b36edb990ea5934e6c68b4440eef4ea96510a0f6815e7eeadb +wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar +wrapperSha256Sum=4e2fbf6554bc8a4702cdfdd3bef464f423393d784ddbb037216320ce55d5e4e1 alwaysUnpack=true diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/CHANGELOG.md new/scram-3.2/CHANGELOG.md --- old/scram-3.1/CHANGELOG.md 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/CHANGELOG.md 2025-09-16 21:53:03.000000000 +0200 
@@ -3,6 +3,14 @@ ## [Unreleased] +## [3.2] - 2025-09-16 +### :lock: Security +- Fix Timing Attack Vulnerability in SCRAM Authentication + +### :ghost: Maintenance +- Updated dependencies and maven plugins. +- Use `central-publishing-maven-plugin` to deploy to Maven Central. + ## [3.1] - 2024-06-26 ### :building_construction: Improvements - Ensure the `LICENSE` file is included in the Jar file. @@ -38,4 +46,5 @@ [3.0]: https://github.com/ongres/scram/compare/2.1...3.0 [3.1]: https://github.com/ongres/scram/compare/3.0...3.1 -[Unreleased]: https://github.com/ongres/scram/compare/3.1...main +[3.2]: https://github.com/ongres/scram/compare/3.1...3.2 +[Unreleased]: https://github.com/ongres/scram/compare/3.2...main diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/README.md new/scram-3.2/README.md --- old/scram-3.1/README.md 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/README.md 2025-09-16 21:53:03.000000000 +0200 @@ -1,8 +1,16 @@ # SCRAM Java Implementation + +[](https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/com/ongres/scram/README.md) + + +> Salted Challenge Response Authentication Mechanism (SCRAM) + +## Overview + SCRAM (Salted Challenge Response Authentication Mechanism) is part of the family of Simple Authentication and Security Layer -([SASL, RFC 4422](https://datatracker.ietf.org/doc/html/rfc44222)) authentication mechanisms. It is described as part of [RFC 5802](https://datatracker.ietf.org/doc/html/rfc5802) and +([SASL, RFC 4422](https://datatracker.ietf.org/doc/html/rfc4422)) authentication mechanisms. It is described as part of [RFC 5802](https://datatracker.ietf.org/doc/html/rfc5802) and [RFC 7677](https://datatracker.ietf.org/doc/html/rfc7677). This project provides a robust and well-tested implementation of the Salted Challenge 
@@ -25,6 +33,8 @@ ## How to use the SCRAM Client API +[](https://maven-badges.herokuapp.com/maven-central/com.ongres.scram/scram-client) + Javadoc: [](http://javadoc.io/doc/com.ongres.scram/scram-client) ### Example of use: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/SECURITY.md new/scram-3.2/SECURITY.md --- old/scram-3.1/SECURITY.md 1970-01-01 01:00:00.000000000 +0100 +++ new/scram-3.2/SECURITY.md 2025-09-16 21:53:03.000000000 +0200 @@ -0,0 +1,25 @@ +# Security Policy + +## Supported Versions + +The following table outlines which versions of `scram` are actively supported with security updates. Please upgrade to a supported release to ensure you receive patches for any security issues. + +| Version | Supported | Java support | +| ------- | ------------------ | ------------ | +| 3.x | :white_check_mark: | Java 8+ | +| < 3.0 | :x: | Java 7+ | + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability, please report it to us privately through GitHub’s security advisory system: +[Report a vulnerability](../../security/advisories/new) + +We will investigate promptly and work with you to fix the issue. + +--- + +## Security Best Practices for Users + +- Always use the latest supported version of `scram`. +- Monitor [GitHub Releases](https://github.com/ongres/scram/releases) for security patches. +- Consider subscribing to repository notifications for updates. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/checks/forbiddenapis.txt new/scram-3.2/checks/forbiddenapis.txt --- old/scram-3.1/checks/forbiddenapis.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/scram-3.2/checks/forbiddenapis.txt 2025-09-16 21:53:03.000000000 +0200 
@@ -0,0 +1,2 @@ + +java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/checks/pmd-ruleset.xml new/scram-3.2/checks/pmd-ruleset.xml --- old/scram-3.1/checks/pmd-ruleset.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/checks/pmd-ruleset.xml 2025-09-16 21:53:03.000000000 +0200 @@ -15,6 +15,7 @@ <exclude name="ForLoopVariableCount" /> <exclude name="AvoidReassigningLoopVariables" /> <exclude name="AccessorClassGeneration" /> + <exclude name="ImplicitFunctionalInterface" /> </rule> <rule ref="category/java/errorprone.xml"> @@ -23,6 +24,12 @@ <exclude name="AvoidFieldNameMatchingMethodName" /> </rule> + <rule ref="category/java/errorprone.xml/AssignmentInOperand"> + <properties> + <property name="allowIncrementDecrement" value="true" /> + </properties> + </rule> + <rule ref="category/java/multithreading.xml" /> <rule ref="category/java/performance.xml"> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/coverage-report/pom.xml new/scram-3.2/coverage-report/pom.xml --- old/scram-3.1/coverage-report/pom.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/coverage-report/pom.xml 2025-09-16 21:53:03.000000000 +0200 @@ -5,7 +5,7 @@ <parent> <groupId>com.ongres.scram</groupId> <artifactId>scram-parent</artifactId> - <version>3.1</version> + <version>3.2</version> <relativePath>../scram-parent/pom.xml</relativePath> </parent> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/mvnw new/scram-3.2/mvnw --- old/scram-3.1/mvnw 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/mvnw 2025-09-16 21:53:03.000000000 +0200 
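Review bot: The signature `java.util.Arrays#equals(byte[],byte[])` bans only the two-array overload, so an equivalent non-constant-time comparison written as `java.util.Objects#deepEquals(java.lang.Object,java.lang.Object)` or, once the baseline moves past Java 8, the ranged `Arrays.equals(byte[],int,int,byte[],int,int)` / `Arrays.mismatch` overloads would not be flagged. Consider adding `java.util.Objects#deepEquals(java.lang.Object,java.lang.Object) @ Use java.security.MessageDigest#isEqual(byte[],byte[]) for secret comparisons` and a header comment stating why the rule exists (timing side channel on credential comparison, the issue fixed in this release), so the check is not removed as noise later.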
@@ -19,7 +19,7 @@ # ---------------------------------------------------------------------------- # ---------------------------------------------------------------------------- -# Apache Maven Wrapper startup batch script, version 3.3.2 +# Apache Maven Wrapper startup batch script, version 3.3.4 # # Required ENV vars: # ------------------ @@ -201,6 +201,14 @@ export MAVEN_PROJECTBASEDIR log "$MAVEN_PROJECTBASEDIR" +trim() { + # MWRAPPER-139: + # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. + # Needed for removing poorly interpreted newline sequences when running in more + # exotic environments such as mingw bash on Windows. + printf "%s" "${1}" | tr -d '[:space:]' +} + ########################################################################################## # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central # This allows using the maven wrapper in projects that prohibit checking in binary data. @@ -212,15 +220,13 @@ log "Couldn't find $wrapperJarPath, downloading it ..." if [ -n "$MVNW_REPOURL" ]; then - wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar" + wrapperUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar" else - wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar" + wrapperUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar" fi while IFS="=" read -r key value; do - # Remove '\r' from value to allow usage on windows as IFS does not consider '\r' as a separator ( considers space, tab, new line ('\n'), and custom '=' ) - safeValue=$(echo "$value" | tr -d '\r') case "$key" in wrapperUrl) - wrapperUrl="$safeValue" + wrapperUrl=$(trim "${value-}") break ;; esac 
@@ -235,17 +241,17 @@ log "Found wget ... using wget" [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--quiet" if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then - wget $QUIET "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + wget ${QUIET:+"$QUIET"} "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" else - wget $QUIET --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" + wget ${QUIET:+"$QUIET"} --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$wrapperUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath" fi elif command -v curl >/dev/null; then log "Found curl ... using curl" [ "$MVNW_VERBOSE" = true ] && QUIET="" || QUIET="--silent" if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then - curl $QUIET -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath" + curl ${QUIET:+"$QUIET"} -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath" else - curl $QUIET --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath" + curl ${QUIET:+"$QUIET"} --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$wrapperUrl" -f -L || rm -f "$wrapperJarPath" fi else log "Falling back to using Java to download" @@ -276,7 +282,7 @@ wrapperSha256Sum="" while IFS="=" read -r key value; do case "$key" in wrapperSha256Sum) - wrapperSha256Sum=$value + wrapperSha256Sum=$(trim "${value-}") break ;; esac 
@@ -284,7 +290,7 @@ if [ -n "$wrapperSha256Sum" ]; then wrapperSha256Result=false if command -v sha256sum >/dev/null; then - if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c >/dev/null 2>&1; then + if echo "$wrapperSha256Sum $wrapperJarPath" | sha256sum -c - >/dev/null 2>&1; then wrapperSha256Result=true fi elif command -v shasum >/dev/null; then diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/mvnw.cmd new/scram-3.2/mvnw.cmd --- old/scram-3.1/mvnw.cmd 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/mvnw.cmd 2025-09-16 21:53:03.000000000 +0200 @@ -18,7 +18,7 @@ @REM ---------------------------------------------------------------------------- @REM ---------------------------------------------------------------------------- -@REM Apache Maven Wrapper startup batch script, version 3.3.2 +@REM Apache Maven Wrapper startup batch script, version 3.3.4 @REM @REM Required ENV vars: @REM JAVA_HOME - location of a JDK home dir @@ -119,7 +119,7 @@ set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar" set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain -set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar" +set WRAPPER_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar" FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO ( IF "%%A"=="wrapperUrl" SET WRAPPER_URL=%%B 
@@ -133,7 +133,7 @@ ) ) else ( if not "%MVNW_REPOURL%" == "" ( - SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.2/maven-wrapper-3.3.2.jar" + SET WRAPPER_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.3.4/maven-wrapper-3.3.4.jar" ) if "%MVNW_VERBOSE%" == "true" ( echo Couldn't find %WRAPPER_JAR%, downloading it ... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/pom.xml new/scram-3.2/pom.xml --- old/scram-3.1/pom.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/pom.xml 2025-09-16 21:53:03.000000000 +0200 @@ -5,7 +5,7 @@ <parent> <groupId>com.ongres.scram</groupId> <artifactId>scram-parent</artifactId> - <version>3.1</version> + <version>3.2</version> <relativePath>scram-parent/pom.xml</relativePath> </parent> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-client/pom.xml new/scram-3.2/scram-client/pom.xml --- old/scram-3.1/scram-client/pom.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/scram-client/pom.xml 2025-09-16 21:53:03.000000000 +0200 @@ -5,7 +5,7 @@ <parent> <groupId>com.ongres.scram</groupId> <artifactId>scram-parent</artifactId> - <version>3.1</version> + <version>3.2</version> <relativePath>../scram-parent/pom.xml</relativePath> </parent> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-client/src/it/jpms-scram-client/pom.xml new/scram-3.2/scram-client/src/it/jpms-scram-client/pom.xml --- old/scram-3.1/scram-client/src/it/jpms-scram-client/pom.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/scram-client/src/it/jpms-scram-client/pom.xml 2025-09-16 21:53:03.000000000 +0200 
@@ -7,7 +7,7 @@ <groupId>com.ongres.scram.it</groupId> <artifactId>jpms-scram-client</artifactId> <name>JPMS Scram Client</name> - <version>3.1</version> + <version>3.2</version> <properties> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> @@ -25,7 +25,7 @@ <dependency> <groupId>org.junit.jupiter</groupId> <artifactId>junit-jupiter</artifactId> - <version>5.10.2</version> + <version>5.13.4</version> <scope>test</scope> </dependency> </dependencies> @@ -34,7 +34,7 @@ <plugins> <plugin> <artifactId>maven-compiler-plugin</artifactId> - <version>3.13.0</version> + <version>3.14.0</version> </plugin> <plugin> <artifactId>maven-jar-plugin</artifactId> @@ -42,7 +42,7 @@ </plugin> <plugin> <artifactId>maven-surefire-plugin</artifactId> - <version>3.3.0</version> + <version>3.5.4</version> </plugin> </plugins> </build> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-client/src/test/java/com/example/ScramClientTest.java new/scram-3.2/scram-client/src/test/java/com/example/ScramClientTest.java --- old/scram-3.1/scram-client/src/test/java/com/example/ScramClientTest.java 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/scram-client/src/test/java/com/example/ScramClientTest.java 2025-09-16 21:53:03.000000000 +0200 @@ -15,11 +15,9 @@ import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Arrays; -import java.util.Base64; import com.ongres.scram.client.ScramClient; import com.ongres.scram.common.ClientFinalMessage; -import com.ongres.scram.common.exception.ScramParseException; import com.ongres.scram.common.util.TlsServerEndpoint; import org.junit.jupiter.api.Test; 
@@ -76,4 +74,38 @@ } return cert; } + + @Test + void iterationTest() + throws CertificateException, IOException { + final X509Certificate cert = getCert(); + final byte[] channelBindingData = TlsServerEndpoint.getChannelBindingData(cert); + + ScramClient scramSession = ScramClient.builder() + .advertisedMechanisms(Arrays.asList("SCRAM-SHA-256")) + .username("postgres") + .password("pencil".toCharArray()) + .channelBinding(TlsServerEndpoint.TLS_SERVER_END_POINT, channelBindingData) + .nonceSupplier(() -> "1q^MGrWUi{etW+H7(#k431kB") + .build(); + assertEquals("SCRAM-SHA-256", scramSession.getScramMechanism().getName()); + assertEquals("y,,n=postgres,r=1q^MGrWUi{etW+H7(#k431kB", + scramSession.clientFirstMessage().toString()); + + assertDoesNotThrow( + () -> scramSession.serverFirstMessage( + "r=1q^MGrWUi{etW+H7(#k431kBdAr3CWX7B6houDP4f7Z2XEpZ," + + "s=Fgh8JU2AlRjBHUsIU/GgtQ==," + + "i=1000000")); + + ClientFinalMessage clientFinalMessage = scramSession.clientFinalMessage(); + assertEquals( + "c=eSws," + + "r=1q^MGrWUi{etW+H7(#k431kBdAr3CWX7B6houDP4f7Z2XEpZ," + + "p=vQ3IyYl3LvjWOlK2c0IP5QAi6XB7Dm0Axo0V51DcHZA=", + clientFinalMessage.toString()); + + assertDoesNotThrow( + () -> scramSession.serverFinalMessage("v=sz/isCwVSUn/TBWeYABz6WaoZIcfsui9NPaJCoxxAjY=")); + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-common/pom.xml new/scram-3.2/scram-common/pom.xml --- old/scram-3.1/scram-common/pom.xml 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/scram-common/pom.xml 2025-09-16 21:53:03.000000000 +0200 
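Review bot: The new `iterationTest` covers only the success path, so the server-signature verification that this release changes for the timing fix is still never exercised with a wrong value; a negative case such as `assertThrows(<the exception serverFinalMessage raises on mismatch>, () -> scramSession.serverFinalMessage("v=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="))` after a fresh session would pin that a tampered `v=` is rejected. The name `iterationTest` and the `i=1000000` count suggest the point is handling a large iteration count; please state that in a comment above the method, since a million PBKDF2 rounds per run is a noticeable CI cost that a future maintainer may otherwise "fix" by lowering the number. The rest of the test class, including `getCert`, is outside this hunk.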
@@ -5,7 +5,7 @@ <parent> <groupId>com.ongres.scram</groupId> <artifactId>scram-parent</artifactId> - <version>3.1</version> + <version>3.2</version> <relativePath>../scram-parent/pom.xml</relativePath> </parent> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java new/scram-3.2/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java --- old/scram-3.1/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java 2024-06-26 02:50:00.000000000 +0200 +++ new/scram-3.2/scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java 2025-09-16 21:53:03.000000000 +0200 @@ -7,8 +7,8 @@ import static java.nio.charset.StandardCharsets.UTF_8; +import java.security.MessageDigest; import java.security.SecureRandom; -import java.util.Arrays; import com.ongres.scram.common.util.Preconditions; import org.jetbrains.annotations.NotNull; @@ -190,8 +190,7 @@ byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage); byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof); byte[] computedStoredKey = hash(scramMechanism, clientKey); - - return Arrays.equals(storedKey, computedStoredKey); + return MessageDigest.isEqual(storedKey, computedStoredKey); } /** 
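Review bot: `MessageDigest.isEqual` still returns early when the two arrays differ in length, which is fine here only because `storedKey` and `computedStoredKey` are both digest outputs of the mechanism's hash, and that reasoning should be recorded so nobody later passes a variable-length value: `// constant-time compare; both sides are fixed-length digests, so isEqual's length short-circuit leaks nothing`. The intermediate `clientKey` is recovered key material that is left on the heap after the comparison; if the project wants to zero it, note that the `java.util.Arrays` import was removed in this same hunk and `Arrays.fill` would need it back. The method's signature is above the hunk, so I cannot confirm how `clientProof` is validated before the XOR.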
@@ -205,7 +204,8 @@
 */
 public static boolean verifyServerSignature(
 ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
- return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+ byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
+ return MessageDigest.isEqual(serverSignature, computedServerSignature);
 }
 /**
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/scram-3.1/scram-parent/pom.xml new/scram-3.2/scram-parent/pom.xml
--- old/scram-3.1/scram-parent/pom.xml 2024-06-26 02:50:00.000000000 +0200
+++ new/scram-3.2/scram-parent/pom.xml 2025-09-16 21:53:03.000000000 +0200
@@ -4,7 +4,7 @@
 <groupId>com.ongres.scram</groupId>
 <artifactId>scram-parent</artifactId>
- <version>3.1</version>
+ <version>3.2</version>
 <packaging>pom</packaging>
 <name>SCRAM - Parent</name>
@@ -44,7 +44,7 @@
 <scm child.scm.connection.inherit.append.path="false" child.scm.developerConnection.inherit.append.path="false" child.scm.url.inherit.append.path="false">
 <connection>scm:git:https://github.com/ongres/scram.git</connection>
 <developerConnection>scm:git:[email protected]:ongres/scram.git</developerConnection>
- <tag>3.1</tag>
+ <tag>3.2</tag>
 <url>https://github.com/ongres/scram</url>
 </scm>
@@ -53,59 +53,46 @@
 <url>https://github.com/ongres/scram/issues</url>
 </issueManagement>
- <distributionManagement>
- <repository>
- <id>ossrh</id>
- <name>OSSRH Release repository</name>
- <url>https://oss.sonatype.org/service/local/staging/deploy/maven2</url>
- </repository>
- <snapshotRepository>
- <id>ossrh</id>
- <name>OSSRH Snapshot repository</name>
- <url>https://oss.sonatype.org/content/repositories/snapshots</url>
- </snapshotRepository>
- </distributionManagement>
-
 <properties>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
 <base.java.version>8</base.java.version>
 <maven.compiler.source>${base.java.version}</maven.compiler.source>
 <maven.compiler.target>${base.java.version}</maven.compiler.target>
- <project.build.outputTimestamp>2024-06-26T00:50:00Z</project.build.outputTimestamp>
+ <project.build.outputTimestamp>2025-09-16T20:00:00Z</project.build.outputTimestamp>
 <!-- Dependency versions -->
- <jetbrains-annotations.version>24.1.0</jetbrains-annotations.version>
- <junit5.version>5.10.2</junit5.version>
+ <jetbrains-annotations.version>26.0.2-1</jetbrains-annotations.version>
+ <junit5.version>5.13.4</junit5.version>
 <saslprep.version>2.2</saslprep.version>
 <!-- Plugins versions -->
- <compiler-plugin.version>3.13.0</compiler-plugin.version>
+ <compiler-plugin.version>3.14.0</compiler-plugin.version>
 <jar-plugin.version>3.4.2</jar-plugin.version>
 <source-plugin.version>3.3.1</source-plugin.version>
- <javadoc-plugin.version>3.7.0</javadoc-plugin.version>
- <clean-plugin.version>3.4.0</clean-plugin.version>
+ <javadoc-plugin.version>3.11.3</javadoc-plugin.version>
+ <clean-plugin.version>3.5.0</clean-plugin.version>
 <resources-plugin.version>3.3.1</resources-plugin.version>
- <surefire-plugin.version>3.3.0</surefire-plugin.version>
- <failsafe-plugin.version>3.3.0</failsafe-plugin.version>
- <enforcer-plugin.version>3.5.0</enforcer-plugin.version>
- <install-plugin.version>3.1.2</install-plugin.version>
- <deploy-plugin.version>3.1.2</deploy-plugin.version>
- <invoker-plugin.version>3.7.0</invoker-plugin.version>
- <gpg-plugin.version>3.2.4</gpg-plugin.version>
- <jacoco-plugin.verson>0.8.12</jacoco-plugin.verson>
- <flatten-maven-plugin.version>1.6.0</flatten-maven-plugin.version>
+ <surefire-plugin.version>3.5.4</surefire-plugin.version>
+ <failsafe-plugin.version>3.5.4</failsafe-plugin.version>
+ <enforcer-plugin.version>3.6.1</enforcer-plugin.version>
+ <install-plugin.version>3.1.4</install-plugin.version>
+ <central-publishing-maven-plugin.version>0.8.0</central-publishing-maven-plugin.version>
+ <invoker-plugin.version>3.9.1</invoker-plugin.version>
+ <gpg-plugin.version>3.2.8</gpg-plugin.version>
+ <jacoco-plugin.verson>0.8.13</jacoco-plugin.verson>
+ <flatten-maven-plugin.version>1.7.2</flatten-maven-plugin.version>
 <jdeps-plugin.version>3.1.2</jdeps-plugin.version>
 <sortpom-plugin.version>4.0.0</sortpom-plugin.version>
- <cyclonedx-plugin.version>2.8.0</cyclonedx-plugin.version>
+ <cyclonedx-plugin.version>2.9.1</cyclonedx-plugin.version>
 <!-- Checkstyle, SpotBugs and PMD properties -->
- <checkstyle.version>10.17.0</checkstyle.version>
- <checkstyle-plugin.version>3.4.0</checkstyle-plugin.version>
- <errorprone.version>2.28.0</errorprone.version>
- <spotbugs.version>4.8.6</spotbugs.version>
- <spotbugs-plugin.version>4.8.5.0</spotbugs-plugin.version>
- <findsecbugs.version>1.13.0</findsecbugs.version>
- <pmd.version>7.2.0</pmd.version>
- <pmd-plugin.version>3.23.0</pmd-plugin.version>
- <forbiddenapis.version>3.7</forbiddenapis.version>
+ <checkstyle.version>11.0.1</checkstyle.version>
+ <checkstyle-plugin.version>3.6.0</checkstyle-plugin.version>
+ <errorprone.version>2.41.0</errorprone.version>
+ <spotbugs.version>4.9.5</spotbugs.version>
+ <spotbugs-plugin.version>4.9.5.0</spotbugs-plugin.version>
+ <findsecbugs.version>1.14.0</findsecbugs.version>
+ <pmd.version>7.17.0</pmd.version>
+ <pmd-plugin.version>3.27.0</pmd-plugin.version>
+ <forbiddenapis.version>3.9</forbiddenapis.version>
 <checks.location>${rootDirectory}/checks</checks.location>
 <checkstyle.config.location>${checks.location}/checkstyle.xml</checkstyle.config.location>
 <checkstyle.suppressions.location>${checks.location}/checkstyle-suppressions.xml</checkstyle.suppressions.location>
@@ -353,9 +340,13 @@
 <version>${install-plugin.version}</version>
 </plugin>
 <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-deploy-plugin</artifactId>
- <version>${deploy-plugin.version}</version>
+ <groupId>org.sonatype.central</groupId>
+ <artifactId>central-publishing-maven-plugin</artifactId>
+ <version>${central-publishing-maven-plugin.version}</version>
+ <extensions>true</extensions>
+ <configuration>
+ <publishingServerId>central</publishingServerId>
+ </configuration>
 </plugin>
 <plugin>
 <groupId>org.apache.maven.plugins</groupId>
@@ -375,7 +366,7 @@
 <configuration>
 <rules>
 <requireMavenVersion>
- <version>[3.9.7,)</version>
+ <version>[3.9.9,)</version>
 </requireMavenVersion>
 <requireJavaVersion>
 <version>[21,)</version>
@@ -487,6 +478,7 @@
 <compilerArgs>
 <arg>-Xlint:all</arg>
 <arg>-XDcompilePolicy=simple</arg>
+ <arg>--should-stop=ifError=FLOW</arg>
 <arg>-Xplugin:ErrorProne -XepAllErrorsAsWarnings -XepDisableWarningsInGeneratedCode</arg>
 <!-- Required on JDK 16+ due to JEP 396 -->
 <arg>-J--add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED</arg>
@@ -529,6 +521,9 @@
 <!-- don't allow System.out or System.err: -->
 <bundledSignature>jdk-system-out</bundledSignature>
 </bundledSignatures>
+ <signaturesFiles>
+ <signaturesFile>${checks.location}/forbiddenapis.txt</signaturesFile>
+ </signaturesFiles>
 </configuration>
 <executions>
 <execution>
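Review bot: The `@@ -529` hunk wires in `${checks.location}/forbiddenapis.txt`, but that file is not part of this diff, so it is not visible whether it forbids the `java.util.Arrays#equals(byte[],byte[])` comparison that `ScramFunctions` just replaced with `MessageDigest.isEqual`. If it does not, a signature line such as `java.util.Arrays#equals(byte[],byte[]) @ Use java.security.MessageDigest#isEqual when comparing secret-derived values` would turn the fix into a build-time guarantee rather than a convention. A one-line XML comment above `<signaturesFiles>` stating what the project-specific file covers would also help the next reader, since `jdk-system-out` is the only other signature visible in this hunk.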
@@ -695,6 +690,10 @@
 <groupId>org.cyclonedx</groupId>
 <artifactId>cyclonedx-maven-plugin</artifactId>
 </plugin>
+ <plugin>
+ <groupId>org.sonatype.central</groupId>
+ <artifactId>central-publishing-maven-plugin</artifactId>
+ </plugin>
 </plugins>
 </build>
 </profile>
