Update dependencies due to CVEs #272

Merged (3 commits), Jun 27, 2023

Conversation

@mjechow (Contributor) commented Jun 26, 2023

Some of the dependencies used are getting a bit old and security issues have been found.

When I try to run the tests from master I am getting 4 failures:
xades4j.production.OtherSignerTests#testSignatureAlgorithms
xades4j.production.OtherSignerTests#testSignWithManifest
xades4j.verification.OtherVerifierTests#testVerifyWithManifest
xades4j.verification.XadesVerifierImplTest#testVerifyBESExtrnlResEnrichC

After the dependency upgrade, the exact same tests fail. So I am pretty sure the upgrade would work.

@luisgoncalves (Owner)

Can you rebase? The failure in XadesVerifierImplTest should be fixed.

I don't get the other failures in master. I'm running on macOS. Can you share the errors, please?

@mjechow (Contributor, author) commented Jun 27, 2023

Unfortunately I merged the branch instead of rebasing first. I can open a new PR if you wish.

For the test errors: I am using Windows, but I could try Linux as well.

testSignWithManifest

xades4j.XAdES4jXMLSigException: Error digesting manifest
at xades4j.production.SignerBES.digestManifests(SignerBES.java:354)
at xades4j.production.SignerBES.sign(SignerBES.java:215)
at xades4j.production.SignerBES.sign(SignerBES.java:124)
at xades4j.production.OtherSignerTests.testSignWithManifest(OtherSignerTests.java:88)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:27)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:232)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:438)
at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:694)
at org.apache.xml.security.signature.Reference.generateDigestValue(Reference.java:417)
at org.apache.xml.security.signature.Manifest.generateDigestValues(Manifest.java:209)
at xades4j.production.SignerBES.digestManifests(SignerBES.java:350)
... 39 more
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:161)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:193)
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:436)
... 43 more

testVerifyWithManifest

xades4j.XAdES4jXMLSigException: Error verifying the signature
at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:333)
at xades4j.verification.XadesVerifierImpl.verify(XadesVerifierImpl.java:214)
at xades4j.verification.VerifierTestBase.verifySignature(VerifierTestBase.java:118)
at xades4j.verification.OtherVerifierTests.testVerifyWithManifest(OtherVerifierTests.java:94)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:27)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:232)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)
Caused by: org.apache.xml.security.signature.MissingResourceFailureException: The Reference for URI logo-01.png has no XMLSignatureInput
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0
at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:406)
at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:384)
at org.apache.xml.security.signature.SignedInfo.verify(SignedInfo.java:286)
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:895)
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:832)
at xades4j.verification.XadesVerifierImpl.doCoreVerification(XadesVerifierImpl.java:326)
... 40 more
Caused by: org.apache.xml.security.signature.ReferenceNotInitializedException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:438)
at org.apache.xml.security.signature.Reference.calculateDigest(Reference.java:694)
at org.apache.xml.security.signature.Reference.verify(Reference.java:788)
at org.apache.xml.security.signature.Manifest.verifyReferences(Manifest.java:336)
... 45 more
Caused by: org.apache.xml.security.utils.resolver.ResourceResolverException: Could not find a resolver for URI logo-01.png and Base http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:161)
at org.apache.xml.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:193)
at org.apache.xml.security.signature.Reference.getContentsBeforeTransformation(Reference.java:436)
... 48 more

testSignatureAlgorithms

xades4j.production.PropertyDataGeneratorNotAvailableException: Property data generation failed for SignatureTimeStamp: data object generator cannot be created
at xades4j.production.PropertyDataGeneratorsMapperImpl.getGenerator(PropertyDataGeneratorsMapperImpl.java:51)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.doGenPropsData(PropertiesDataObjectsGeneratorImpl.java:85)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.genPropsData(PropertiesDataObjectsGeneratorImpl.java:73)
at xades4j.production.PropertiesDataObjectsGeneratorImpl.generateUnsignedPropertiesData(PropertiesDataObjectsGeneratorImpl.java:64)
at xades4j.production.SignerBES.sign(SignerBES.java:286)
at xades4j.production.SignerBES.sign(SignerBES.java:124)
at xades4j.production.Enveloped.sign(Enveloped.java:68)
at xades4j.production.OtherSignerTests.testSignatureAlgorithms(OtherSignerTests.java:143)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:59)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:56)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:63)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:27)
at org.junit.runners.ParentRunner$4.run(ParentRunner.java:331)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:79)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:329)
at org.junit.runners.ParentRunner.access$100(ParentRunner.java:66)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:293)
at org.junit.runners.ParentRunner$3.evaluate(ParentRunner.java:306)
at org.junit.runners.ParentRunner.run(ParentRunner.java:413)
at org.junit.runner.JUnitCore.run(JUnitCore.java:137)
at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69)
at com.intellij.rt.junit.IdeaTestRunner$Repeater$1.execute(IdeaTestRunner.java:38)
at com.intellij.rt.execution.junit.TestsRepeater.repeat(TestsRepeater.java:11)
at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:35)
at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:232)
at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:55)
Caused by: com.google.inject.ProvisionException: Unable to provision, see the following errors:

  1. [Guice/ErrorInCustomProvider]: IllegalStateException: HttpTsaConfiguration must be configured in the profile in order to use an HTTP-based time-stamp token provider.
    at DefaultProductionBindingsModule.configure(DefaultProductionBindingsModule.java:80)
    _ installed by: Modules$OverrideModule -> DefaultProductionBindingsModule
    at HttpTimeStampTokenProvider.(HttpTimeStampTokenProvider.java:44)
    _ for 2nd parameter
    while locating HttpTimeStampTokenProvider
    at DataGenSigTimeStamp.(DataGenSigTimeStamp.java:45)
    _ for 1st parameter
    while locating DataGenSigTimeStamp
    while locating PropertyDataObjectGenerator
    Learn more:
    https://github.com/google/guice/wiki/ERROR_IN_CUSTOM_PROVIDER
    1 error
    ======================
    Full classname legend:
    ======================
    DataGenSigTimeStamp: "xades4j.production.DataGenSigTimeStamp"
    DefaultProductionBindingsModule: "xades4j.production.DefaultProductionBindingsModule"
    HttpTimeStampTokenProvider: "xades4j.providers.impl.HttpTimeStampTokenProvider"
    Modules$OverrideModule: "com.google.inject.util.Modules$OverrideModule"
    PropertyDataObjectGenerator: "xades4j.production.PropertyDataObjectGenerator"
    SignatureTimeStampProperty: "xades4j.properties.SignatureTimeStampProperty"
    ========================
    End of classname legend:
    ========================
    at com.google.inject.internal.InternalProvisionException.toProvisionException(InternalProvisionException.java:251)
    at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1104)
    at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1134)
    at xades4j.production.PropertyDataGeneratorsMapperImpl.getGenerator(PropertyDataGeneratorsMapperImpl.java:48)
    ... 43 more
    Caused by: java.lang.IllegalStateException: HttpTsaConfiguration must be configured in the profile in order to use an HTTP-based time-stamp token provider.
    at xades4j.production.DefaultProductionBindingsModule.lambda$configure$0(DefaultProductionBindingsModule.java:81)
    at com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:86)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:57)
    at com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:60)
    at com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:47)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:60)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:60)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:60)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
    at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:60)
    at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1101)
    ... 45 more
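
Both manifest failures above bottom out in the same Santuario error: no registered resource resolver accepts the relative URI logo-01.png against the base http://luisgoncalves.github.io/xades4j/images/, so the reference's content can neither be digested at signing time nor re-digested at verification time. The thread does not say why no resolver matched, and the fix for the test suite is left to the maintainer. Whatever that fix is, the thing to avoid in a deployment is reacting to this error by enabling unrestricted fetching of whatever URI a signature names: on the verification side a ds:Reference URI is attacker-controlled input, and a resolver that follows it to arbitrary hosts or local files turns signature checking into a request forgery primitive. The class below is an added example, not code from xades4j or from this PR: a Santuario ResourceResolverSpi that serves only an explicit allow-list of absolute URIs from memory and refuses everything else. It assumes the Santuario 2.x/3.x SPI shape (a ResourceResolverContext with public uriToResolve and baseUri fields, an XMLSignatureInput constructed from a byte[], and ResourceResolver.register(spi, true) to place the resolver ahead of the built-in ones); the PNG bytes and the allow-list entry are constructed sample data.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import org.apache.xml.security.signature.XMLSignatureInput;
import org.apache.xml.security.utils.resolver.ResourceResolver;
import org.apache.xml.security.utils.resolver.ResourceResolverContext;
import org.apache.xml.security.utils.resolver.ResourceResolverException;
import org.apache.xml.security.utils.resolver.ResourceResolverSpi;

/**
 * Added example (not xades4j code). Resolves ds:Reference URIs only when the
 * absolute URI formed from (base, reference) is in a fixed allow-list, and serves
 * the bytes from memory: no network access, no file system access, no redirects.
 * Assumes the Santuario 2.x/3.x ResourceResolverSpi / ResourceResolverContext API.
 */
public final class AllowListResourceResolver extends ResourceResolverSpi {

    /** absolute URI -> content that the signature is allowed to reference */
    private final Map<String, byte[]> trusted;

    public AllowListResourceResolver(Map<String, byte[]> trusted) {
        this.trusted = Map.copyOf(trusted);
    }

    /**
     * Absolute, normalized URI for a reference, or null if none can be formed.
     * Same-document references ("#id") are left to Santuario's fragment resolver.
     * URI.resolve() discards the base's fragment, so a base such as
     * ".../images/#xmldsig-...-manifest0" (seen in the verification trace) and
     * ".../images/" (seen in the signing trace) map to the same absolute URI.
     */
    static String absoluteUri(String uriToResolve, String baseUri) {
        if (uriToResolve == null || uriToResolve.isEmpty() || uriToResolve.startsWith("#")) {
            return null;
        }
        try {
            URI ref = new URI(uriToResolve);
            if (ref.isAbsolute()) {
                return ref.normalize().toString();
            }
            if (baseUri == null || baseUri.isEmpty()) {
                return null;
            }
            return new URI(baseUri).resolve(ref).normalize().toString();
        } catch (URISyntaxException e) {
            return null; // malformed reference: not ours to resolve
        }
    }

    @Override
    public boolean engineCanResolveURI(ResourceResolverContext context) {
        String abs = absoluteUri(context.uriToResolve, context.baseUri);
        return abs != null && trusted.containsKey(abs);
    }

    @Override
    public XMLSignatureInput engineResolveURI(ResourceResolverContext context)
            throws ResourceResolverException {
        String abs = absoluteUri(context.uriToResolve, context.baseUri);
        byte[] content = abs == null ? null : trusted.get(abs);
        if (content == null) {
            // Defensive: Santuario only calls this after engineCanResolveURI returned true.
            throw new ResourceResolverException("generic.EmptyMessage",
                    new Object[] {"reference is not in the allow-list"},
                    context.uriToResolve, context.baseUri);
        }
        XMLSignatureInput input = new XMLSignatureInput(content);
        input.setSourceURI(abs);
        return input;
    }

    @Override
    public boolean engineIsThreadSafe() {
        return true; // immutable map, no per-call state
    }

    public static void main(String[] args) {
        // Constructed sample: the manifest reference from the thread, served from memory.
        byte[] logo = "constructed stand-in for logo-01.png bytes".getBytes(StandardCharsets.UTF_8);
        Map<String, byte[]> allow = Map.of(
                "http://luisgoncalves.github.io/xades4j/images/logo-01.png", logo);

        // 'true' registers this resolver ahead of Santuario's built-in resolvers.
        // Registration is JVM-global state; do it once at startup.
        ResourceResolver.register(new AllowListResourceResolver(allow), true);

        // Show which absolute URIs the allow-list check would be applied to.
        System.out.println(absoluteUri("logo-01.png",
                "http://luisgoncalves.github.io/xades4j/images/"));
        System.out.println(absoluteUri("logo-01.png",
                "http://luisgoncalves.github.io/xades4j/images/#xmldsig-2b8aa881-89e3-4101-8c66-e26fcb7145be-manifest0"));
        System.out.println(absoluteUri("../../../etc/passwd",
                "http://luisgoncalves.github.io/xades4j/images/"));
    }
}
```

The last two calls in main show the two properties that matter: the fragment on the verification-time base URI does not change which resource is looked up, and a traversal-style reference still produces an absolute URI that is simply absent from the allow-list, so engineCanResolveURI returns false and Santuario reports the same "Could not find a resolver" error as in the traces rather than fetching anything.
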

@luisgoncalves (Owner) commented Jun 27, 2023

I've been running tests from the CLI using mvn test and just realized that the version of the Surefire plugin being used did not pick up some test files (ending in *Tests)! I get the same failures now.

I couldn't find release notes for Santuario 3.0, which would be good to double-check. But I think we can go forward with this. I'll fix the failing tests later.

Thanks!

@luisgoncalves luisgoncalves merged commit 690aef8 into luisgoncalves:master Jun 27, 2023
0 of 6 checks passed
@mjechow (Contributor, author) commented Jun 27, 2023

Thanks, a lot!

@mjechow (Contributor, author) commented Jul 19, 2023

Is there a schedule for when a new release can be expected?

@luisgoncalves luisgoncalves added this to the 2.2.1 milestone Jul 20, 2023
@luisgoncalves (Owner)

Not really. But since nothing else came up, I'll release a revision version with these upgrades.

I'll do it early next week.

@luisgoncalves (Owner)

The new version is released. It may take a while to show up on Central.

@mjechow (Contributor, author) commented Jul 25, 2023

Thank you very much. I am releasing my lib now as well. ;-)
