Yubico
diff --git a/‎.github/workflows/build.yml
Lines changed: 9 additions & 2 deletions b/‎.github/workflows/build.yml
Lines changed: 9 additions & 2 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml
Lines changed: 8 additions & 12 deletions b/‎.github/workflows/codeql-analysis.yml
Lines changed: 8 additions & 12 deletions
diff --git a/‎.github/workflows/coverage.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/coverage.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎NEWS
Lines changed: 17 additions & 0 deletions b/‎NEWS
Lines changed: 17 additions & 0 deletions
diff --git a/‎README
Lines changed: 28 additions & 2 deletions b/‎README
Lines changed: 28 additions & 2 deletions
diff --git a/‎build.gradle
Lines changed: 13 additions & 10 deletions b/‎build.gradle
Lines changed: 13 additions & 10 deletions
diff --git a/‎buildSrc/build.gradle
Lines changed: 1 addition & 1 deletion b/‎buildSrc/build.gradle
Lines changed: 1 addition & 1 deletion
diff --git a/‎doc/development.md
Lines changed: 16 additions & 0 deletions b/‎doc/development.md
Lines changed: 16 additions & 0 deletions
diff --git a/‎doc/releasing.md
Lines changed: 9 additions & 7 deletions b/‎doc/releasing.md
Lines changed: 9 additions & 7 deletions
diff --git a/‎gradle/wrapper/gradle-wrapper.jar
508 Bytes b/‎gradle/wrapper/gradle-wrapper.jar
508 Bytes
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 11, 13]
+        java: [8, 11, 15]
 
     steps:
     - name: Check out code
@@ -22,7 +22,14 @@ jobs:
         java-version: ${{ matrix.java }}
 
     - name: Run tests
-      run: ./gradlew check
+      run: ./gradlew cleanTest check
+
+    - name: Archive test report
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v2
+      with:
+        name: test-reports
+        path: "*/build/reports/**"
 
     - name: Build JavaDoc
       run: ./gradlew assembleJavadoc
@@ -14,24 +14,20 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
+    - uses: actions/setup-java@v1
+      with:
+        java-version: '11'
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1
+      with:
+        languages: java
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+    - name: Build project
+      run: |
+        ./gradlew jar
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v1
@@ -7,7 +7,7 @@ on:
 
 jobs:
   test:
-    name: JDK ${{matrix.java}}
+    name: Measure mutation test coverage
 
     runs-on: ubuntu-latest
 
 
@@ -1,3 +1,20 @@
+== Version 1.8.0 ==
+
+Changes:
+
+* BouncyCastle dependency is now optional.
+
+  In order to opt out, depend on `webauthn-server-core-minimal` instead of
+  `webauthn-server-core`.
+  This is not recommended unless you know your JVM includes JCA providers for
+  all signature algorithms.
+
+  Note that `webauthn-server-attestation` still depends on BouncyCastle.
+
+* Jackson deserializer for `PublicKeyCredential` now allows a `rawId` property
+  to be present if `id` is not present, or if `rawId` equals `id`.
+
+
 == Version 1.7.0 ==
 
 webauthn-server-attestation:
 
@@ -25,17 +25,43 @@ Maven:
 <dependency>
   <groupId>com.yubico</groupId>
   <artifactId>webauthn-server-core</artifactId>
-  <version>1.6.1</version>
+  <version>1.8.0</version>
   <scope>compile</scope>
 </dependency>
 ----------
 
 Gradle:
 
 ----------
-compile 'com.yubico:webauthn-server-core:1.6.1'
+compile 'com.yubico:webauthn-server-core:1.8.0'
 ----------
 
+=== Semantic versioning
+
+This library uses link:https://semver.org/[semantic versioning].
+The public API consists of all public classes, methods and fields in the `com.yubico.webauthn` package and its subpackages,
+i.e., everything covered by the
+link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/package-summary.html[Javadoc].
+
+Package-private classes and methods are NOT part of the public API.
+The `com.yubico:yubico-util` module is NOT part of the public API.
+Breaking changes to these will NOT be reflected in version numbers.
+
+
+=== Additional modules
+
+In addition to the main `webauthn-server-core` module, there are also:
+
+- `webauthn-server-attestation`: A simple implementation of the
+  link:https://developers.yubico.com/java-webauthn-server/JavaDoc/webauthn-server-core/latest/com/yubico/webauthn/attestation/MetadataService.html[`MetadataService`]
+  interface, which by default comes preloaded with attestation metadata for Yubico devices.
+
+- `webauthn-server-core-minimal`: Alternative distribution of `webauthn-server-core`,
+  without a dependency on BouncyCastle.
+  If depending on this module instead of `webauthn-server-core`,
+  you may have to add your own JCA providers to support some signature algorithms.
+  In particular, OpenJDK 14 and earlier does not include providers for the EdDSA family of algorithms.
+
 
 == Features
 
 
@@ -7,8 +7,8 @@ buildscript {
   }
 }
 plugins {
-  id 'com.github.kt3k.coveralls' version '2.10.2'
-  id 'io.codearte.nexus-staging' version '0.22.0'
+  id 'com.github.kt3k.coveralls' version '2.11.0'
+  id 'io.codearte.nexus-staging' version '0.30.0'
   id 'io.franzbecker.gradle-lombok' version '4.0.0'
 }
 
@@ -30,7 +30,7 @@ if (publishEnabled) {
 }
 
 wrapper {
-  gradleVersion = '6.1'
+  gradleVersion = '6.8'
 }
 
 allprojects {
@@ -80,8 +80,8 @@ subprojects {
   apply plugin: LombokPlugin
 
   lombok {
-    version '1.18.10'
-    sha256 = '2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa'
+    version '1.18.18'
+    sha256 = '601ec46206e0f9cac2c0583b3350e79f095419c395e991c761640f929038e9cc'
   }
   tasks.withType(AbstractCompile) {
     if (tasks.findByName('verifyLombok')) {
@@ -175,11 +175,14 @@ subprojects { project ->
       from javadoc
     }
 
-    rootProject.tasks.assembleJavadoc {
-      dependsOn javadoc
-      inputs.dir javadoc.destinationDir
-      from(javadoc.destinationDir) {
-        into project.name
+    // TODO: Revert this if statement in the next major release
+    if (project.projectDir.name != "webauthn-server-core-bundle") {
+      rootProject.tasks.assembleJavadoc {
+        dependsOn javadoc
+        inputs.dir javadoc.destinationDir
+        from(javadoc.destinationDir) {
+          into project.projectDir.name
+        }
       }
     }
   }
 
@@ -7,6 +7,6 @@ repositories {
 dependencies {
   implementation(
     'commons-io:commons-io:2.5',
-    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.6',
+    'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.5.1',
   )
 }
@@ -0,0 +1,16 @@
+Developer docs
+===
+
+Inconsistent directory naming
+---
+
+In resolving [issue #97](https://github.com/Yubico/java-webauthn-server/issues/97),
+we opted to split the `webauthn-server-core` module into one `webauthn-server-core` meta-module
+and one `webauthn-server-core-minimal` module with the code and all dependencies except BouncyCastle.
+However, to avoid file renames and since this is intended as a temporary change,
+the source code for the `webauthn-server-core` module is hosted in the `webauthn-server-core-bundle/` subproject
+and the `webauthn-server-core-minimal` module is hosted in `webauthn-server-core/`.
+
+We intend to eliminate the `webauthn-server-core-bundle` subproject in the next major version release,
+and return the current `webauthn-server-core-minimal` module to the `webauthn-server-core` module name.
+This naming inconsistency should be fixed along with this.
@@ -85,46 +85,48 @@ Release versions
 
  4. Remove the "(unreleased)" tag from `NEWS`.
 
- 5. Amend this change into the merge commit:
+ 5. Update the version in the dependency snippets in the README.
+
+ 6. Amend these changes into the merge commit:
 
     ```
     $ git add NEWS
     $ git commit --amend --reset-author
     ```
 
- 6. Run the tests one more time:
+ 7. Run the tests one more time:
 
     ```
     $ ./gradlew clean check
     ```
 
- 7. Tag the merge commit with an `X.Y.Z` tag:
+ 8. Tag the merge commit with an `X.Y.Z` tag:
 
     ```
     $ git tag -a -s 1.4.0 -m "Release 1.4.0"
     ```
 
     No tag body needed since that's included in the commit.
 
- 8. Publish to Sonatype Nexus:
+ 9. Publish to Sonatype Nexus:
 
     ```
     $ ./gradlew publish closeAndReleaseRepository
     ```
 
- 9. Wait for the artifacts to become downloadable at
+10. Wait for the artifacts to become downloadable at
     https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/1.4.0/ . This
     is needed for one of the GitHub Actions release workflows and usually takes
     less than 30 minutes (long before the artifacts become searchable on the
     main Maven Central website).
 
-10. Push to GitHub:
+11. Push to GitHub:
 
     ```
     $ git push origin master 1.4.0
     ```
 
-11. Make GitHub release.
+12. Make GitHub release.
 
     - Use the new tag as the release tag
     - Copy the release notes from `NEWS` into the GitHub release notes; reformat
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,8 @@ buildscript {`
`7`	`7`	`}`
`8`	`8`	`}`
`9`	`9`	`plugins {`
`10`		`- id 'com.github.kt3k.coveralls' version '2.10.2'`
`11`		`- id 'io.codearte.nexus-staging' version '0.22.0'`
	`10`	`+ id 'com.github.kt3k.coveralls' version '2.11.0'`
	`11`	`+ id 'io.codearte.nexus-staging' version '0.30.0'`
`12`	`12`	`id 'io.franzbecker.gradle-lombok' version '4.0.0'`
`13`	`13`	`}`
`14`	`14`
`@@ -30,7 +30,7 @@ if (publishEnabled) {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`wrapper {`
`33`		`- gradleVersion = '6.1'`
	`33`	`+ gradleVersion = '6.8'`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`allprojects {`
`@@ -80,8 +80,8 @@ subprojects {`
`80`	`80`	`apply plugin: LombokPlugin`
`81`	`81`
`82`	`82`	`lombok {`
`83`		`- version '1.18.10'`
`84`		`- sha256 = '2836e954823bfcbad45e78c18896e3d01058e6f643749810c608b7005ee7b2fa'`
	`83`	`+ version '1.18.18'`
	`84`	`+ sha256 = '601ec46206e0f9cac2c0583b3350e79f095419c395e991c761640f929038e9cc'`
`85`	`85`	`}`
`86`	`86`	`tasks.withType(AbstractCompile) {`
`87`	`87`	`if (tasks.findByName('verifyLombok')) {`
`@@ -175,11 +175,14 @@ subprojects { project ->`
`175`	`175`	`from javadoc`
`176`	`176`	`}`
`177`	`177`
`178`		`- rootProject.tasks.assembleJavadoc {`
`179`		`- dependsOn javadoc`
`180`		`- inputs.dir javadoc.destinationDir`
`181`		`- from(javadoc.destinationDir) {`
`182`		`- into project.name`
	`178`	`+ // TODO: Revert this if statement in the next major release`
	`179`	`+ if (project.projectDir.name != "webauthn-server-core-bundle") {`
	`180`	`+ rootProject.tasks.assembleJavadoc {`
	`181`	`+ dependsOn javadoc`
	`182`	`+ inputs.dir javadoc.destinationDir`
	`183`	`+ from(javadoc.destinationDir) {`
	`184`	`+ into project.projectDir.name`
	`185`	`+ }`
`183`	`186`	`}`
`184`	`187`	`}`
`185`	`188`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,6 @@ repositories {`
`7`	`7`	`dependencies {`
`8`	`8`	`implementation(`
`9`	`9`	`'commons-io:commons-io:2.5',`
`10`		`- 'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.4.6',`
	`10`	`+ 'info.solidsoft.gradle.pitest:gradle-pitest-plugin:1.5.1',`
`11`	`11`	`)`
`12`	`12`	`}`