ewert-technologies / notarytool-kotlin Goto Github PK

Currently, when there is an authentication error, the message is: Notary API Web Service could not authenticate the request.

It would be better if there were a suggested course of action, as well, e.g.: Notary API Web Service could not authenticate the request. Please check that the issuer id, private key, and key identifier are correct.

It seems like logback 1.5.x is compiled using Java 21 (qos-ch/logback#802), and can cause some build problems when using older versions of Gradle (similar to FasterXML/jackson-core#955)

One option is to require users to use newer versions of Gradle (Gradle 8.5 and up seems to work), or downgrade to an older version of logback.

For better compatibility, for now, we should downgrade logback. Note: logback version must be 1.4.14 or higher, to make sure it has the CVE fix (See issue #4).

We can look at moving to version 1.5.x for a later release.

It would be great, if NotaryToolClient accepted a Supplier<ECKey> or similar in addition to the key file location. This way the sensitive key data could be kept in secure storage like a KeyStore or similar instead of in a regular file.

Security report: https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-2b6c6abed8132-1699912808-f201232d37f24cb38a4aa702d04b4c83

1 vulnerability found in io.netty [email protected]

https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0

netty-handler is used by awssdk

Starting with v2 the kotlin-result library models its Result type as an inline value class, in order to reduce overhead,

see: https://github.com/michaelbull/kotlin-result
and: https://github.com/michaelbull/kotlin-result/wiki/Overhead

This update, however, makes some breaking changes to API.

We should update our library to be able to use this new version.

mvnrepository is reporting a security vulnerability: CVE-2023-6378

See: https://mvnrepository.com/artifact/ca.ewert-technologies.notarytoolkotlin/notarytool-kotlin/0.1.0
and: https://www.cve.org/CVERecord?id=CVE-2023-6378

This seems like it has been fixed in logback-classic 1.4.12: https://mvnrepository.com/artifact/ch.qos.logback/logback-classic

logback-classic should be updated.