Bump Jackson dependency version to 2.11.0

Author: emlun

NEWS

@@ -1,3 +1,12 @@
+== Version 1.6.3 (unreleased) ==
+
+- Bumped Jackson dependency to version 2.11.0 in response to CVEs:
+  - CVE-2020-9546
+  - CVE-2020-10672
+  - CVE-2020-10969
+  - CVE-2020-11620
+
+
 == Version 1.6.2 ==
 
 - Fixed dependencies missing from release POM metadata

build.gradle

@@ -51,9 +51,9 @@ allprojects {
 Map<String, String> dependencyVersions = [
   'ch.qos.logback:logback-classic:1.2.3',
   'com.augustcellars.cose:cose-java:1.0.0',
-  'com.fasterxml.jackson.core:jackson-databind:2.9.10.3',
-  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.9.10',
-  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.9.10',
+  'com.fasterxml.jackson.core:jackson-databind:2.11.0',
+  'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.11.0',
+  'com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.0',
   'com.google.guava:guava:19.0',
   'com.upokecenter:cbor:4.0.1',
   'javax.activation:activation:1.1.1',

webauthn-server-core/src/test/scala/com/yubico/scalacheck/gen/JacksonGenerators.scala

@@ -50,7 +50,7 @@ object JacksonGenerators {
       } yield {
         val o = jsonFactory.objectNode()
         for { (name, value) <- names.zip(values) } {
-          o.set(name, value)
+          o.set[ObjectNode](name, value)
         }
         o
       }

webauthn-server-core/src/test/scala/com/yubico/webauthn/RegistrationTestData.scala

@@ -316,7 +316,7 @@ case class RegistrationTestData(
   )
 
   def editClientData(name: String, value: JsonNode): RegistrationTestData = editClientData { clientData: ObjectNode =>
-    clientData.set(name, value)
+    clientData.set[ObjectNode](name, value)
   }
   def editClientData(name: String, value: String): RegistrationTestData = editClientData(name, RegistrationTestData.jsonFactory.textNode(value))
   def responseChallenge: ByteArray = clientData.getChallenge

webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyRegistrationSpec.scala

@@ -414,7 +414,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
 
         it("Verification succeeds if client data specifies token binding is unsupported, and RP does not use it.") {
           val steps = finishRegistration(testData = RegistrationTestData.FidoU2f.BasicAttestation
-            .editClientData(_.without("tokenBinding"))
+            .editClientData(_.without[ObjectNode]("tokenBinding"))
           )
           val step: FinishRegistrationSteps#Step6 = steps.begin.next.next.next.next.next
 
@@ -435,7 +435,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
         it("Verification fails if client data does not specify token binding status and RP specifies token binding ID.") {
           val steps = finishRegistration(
             callerTokenBindingId = Some(ByteArray.fromBase64Url("YELLOWSUBMARINE")),
-            testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without("tokenBinding"))
+            testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without[ObjectNode]("tokenBinding"))
           )
           val step: FinishRegistrationSteps#Step6 = steps.begin.next.next.next.next.next
 
@@ -447,7 +447,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
         it("Verification succeeds if client data does not specify token binding status and RP does not specify token binding ID.") {
           val steps = finishRegistration(
             callerTokenBindingId = None,
-            testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without("tokenBinding"))
+            testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without[ObjectNode]("tokenBinding"))
           )
           val step: FinishRegistrationSteps#Step6 = steps.begin.next.next.next.next.next
 
@@ -493,7 +493,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
           it("Verification fails if RP specifies token binding ID but client does not support it.") {
             val steps = finishRegistration(
               callerTokenBindingId = Some(ByteArray.fromBase64Url("YELLOWSUBMARINE")),
-              testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without("tokenBinding"))
+              testData = RegistrationTestData.FidoU2f.BasicAttestation.editClientData(_.without[ObjectNode]("tokenBinding"))
             )
             val step: FinishRegistrationSteps#Step6 = steps.begin.next.next.next.next.next
 
@@ -796,7 +796,7 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
           it("a fido-u2f attestation is still rejected if invalid.") {
             val testData = RegistrationTestData.FidoU2f.BasicAttestation.updateAttestationObject("attStmt", { attStmtNode: JsonNode =>
               attStmtNode.asInstanceOf[ObjectNode]
-                .set("sig", jsonFactory.binaryNode(Array(0, 0, 0, 0)))
+                .set[ObjectNode]("sig", jsonFactory.binaryNode(Array(0, 0, 0, 0)))
             })
             val steps = finishRegistration(
               testData = testData,
@@ -1457,33 +1457,33 @@ class RelyingPartyRegistrationSpec extends FunSpec with Matchers with ScalaCheck
             describe("1. Verify that attStmt is valid CBOR conforming to the syntax defined above and perform CBOR decoding on it to extract the contained fields.") {
               it("Fails if attStmt.ver is a number value.") {
                 val testData = defaultTestData
-                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set("ver", jsonFactory.numberNode(123)))
+                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set[ObjectNode]("ver", jsonFactory.numberNode(123)))
                 checkFails(testData)
               }
 
               it("Fails if attStmt.ver is missing.") {
                 val testData = defaultTestData
-                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].without("ver"))
+                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].without[ObjectNode]("ver"))
                 checkFails(testData)
               }
 
               it("Fails if attStmt.response is a text value.") {
                 val testData = defaultTestData
-                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set("response", jsonFactory.textNode(new ByteArray(attStmt.get("response").binaryValue()).getBase64Url)))
+                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set[ObjectNode]("response", jsonFactory.textNode(new ByteArray(attStmt.get("response").binaryValue()).getBase64Url)))
                 checkFails(testData)
               }
 
               it("Fails if attStmt.response is missing.") {
                 val testData = defaultTestData
-                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].without("response"))
+                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].without[ObjectNode]("response"))
                 checkFails(testData)
               }
             }
 
             describe("2. Verify that response is a valid SafetyNet response of version ver.") {
               it("Fails if there's a difference in the signature.") {
                 val testData = defaultTestData
-                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set("response", jsonFactory.binaryNode(editByte(new ByteArray(attStmt.get("response").binaryValue()), 2000, b => ((b + 1) % 26 + 0x41).toByte).getBytes)))
+                  .updateAttestationObject("attStmt", attStmt => attStmt.asInstanceOf[ObjectNode].set[ObjectNode]("response", jsonFactory.binaryNode(editByte(new ByteArray(attStmt.get("response").binaryValue()), 2000, b => ((b + 1) % 26 + 0x41).toByte).getBytes)))
 
                 val result: Try[Boolean] = Try(verifier.verifyAttestationSignature(
                   new AttestationObject(testData.attestationObject),

webauthn-server-core/src/test/scala/com/yubico/webauthn/TestAuthenticator.scala

@@ -160,7 +160,7 @@ object TestAuthenticator {
       clientDataJson: String,
     ): ByteArray = {
       val f = JsonNodeFactory.instance
-      val attObj = f.objectNode().setAll(Map(
+      val attObj = f.objectNode().setAll[ObjectNode](Map(
         "authData" -> f.binaryNode(authDataBytes.getBytes),
         "fmt" -> f.textNode(format),
         "attStmt" -> makeAttestationStatement(authDataBytes, clientDataJson),

webauthn-server-core/src/test/scala/com/yubico/webauthn/data/Generators.scala

@@ -103,12 +103,12 @@ object Generators {
     alg <- arbitrary[COSEAlgorithmIdentifier]
     sig <- arbitrary[ByteArray]
     x5c <- arbitrary[List[ByteArray]]
-    attStmt = jsonFactory.objectNode().setAll(Map(
+    attStmt = jsonFactory.objectNode().setAll[ObjectNode](Map(
       "alg" -> jsonFactory.numberNode(alg.getId),
       "sig" -> jsonFactory.binaryNode(sig.getBytes),
       "x5c" -> jsonFactory.arrayNode().addAll(x5c.map(cert => jsonFactory.binaryNode(cert.getBytes)).asJava)
     ).asJava)
-    attObj = jsonFactory.objectNode().setAll(Map(
+    attObj = jsonFactory.objectNode().setAll[ObjectNode](Map(
       "authData" -> jsonFactory.binaryNode(authData.getBytes),
       "fmt" -> jsonFactory.textNode("packed"),
       "attStmt" -> attStmt
@@ -120,11 +120,11 @@ object Generators {
     alg <- arbitrary[COSEAlgorithmIdentifier]
     sig <- arbitrary[ByteArray]
     x5c <- arbitrary[List[ByteArray]]
-    attStmt = jsonFactory.objectNode().setAll(Map(
+    attStmt = jsonFactory.objectNode().setAll[ObjectNode](Map(
       "sig" -> jsonFactory.binaryNode(sig.getBytes),
       "x5c" -> jsonFactory.arrayNode().addAll(x5c.map(cert => jsonFactory.binaryNode(cert.getBytes)).asJava)
     ).asJava)
-    attObj = jsonFactory.objectNode().setAll(Map(
+    attObj = jsonFactory.objectNode().setAll[ObjectNode](Map(
       "authData" -> jsonFactory.binaryNode(authData.getBytes),
       "fmt" -> jsonFactory.textNode("fido-u2f"),
       "attStmt" -> attStmt
@@ -223,15 +223,15 @@ object Generators {
         .set("type", jsonFactory.textNode(tpe)).asInstanceOf[ObjectNode]
 
       tokenBinding.asScala foreach { tb =>
-        json.set("tokenBinding", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(tb)))
+        json.set[ObjectNode]("tokenBinding", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(tb)))
       }
 
       authenticatorExtensions.asScala foreach { ae =>
-        json.set("authenticatorExtensions", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(ae)))
+        json.set[ObjectNode]("authenticatorExtensions", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(ae)))
       }
 
       clientExtensions.asScala foreach { ce =>
-        json.set("clientExtensions", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(ce)))
+        json.set[ObjectNode]("clientExtensions", JacksonCodecs.json().readTree(JacksonCodecs.json().writeValueAsString(ce)))
       }
 
       json