Closed iaik-jheher closed 1 year ago
That's strange, because that is a transitive dependency from the internal yubico-util
module, but that does declare a runtime dependency on jackson-dataformat-cbor
. Your dependency resolution tool should be able to resolve this. How are you building the project where you encounter this issue?
I tried to reproduce the issue by adding an integration test to the test-dependent-projects/java-dep-webauthn-server-attestation
subproject, which declares a dependency on only webauthn-server-attestation
. This subproject is meant to simulate a downstream dependent project, but I do not encounter the issue. I've pushed the change on branch issue-272-cbor-dependency; you can run the test by running ./gradlew :test-dependent-projects:java-dep-webauthn-server-attestation:check
. You can also dump a dependency report by running ./gradlew :test-dependent-projects:java-dep-webauthn-server-attestation:dependencies
, where you should see jackson-dataformat-cbor
among the transitive dependencies.
I am building using Maven.
Upon review, I am noticing the following output in debug logs:
[WARNING] The POM for com.yubico:yubico-util:jar:2.4.1-RC1 is invalid, transitive dependencies (if any) will not be available: 3 problems were encountered while building the effective model for com.yubico:yubico-util:2.4.1-RC1
[ERROR] 'dependencies.dependency.version' for com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar is missing. @
[ERROR] 'dependencies.dependency.version' for com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar is missing. @
[ERROR] 'dependencies.dependency.version' for com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar is missing. @
This sounds like it would be related to this issue. (Apologies for missing the output when initially filing the issue.)
Oh, interesting. Does this issue also appear with version 2.4.0
? (You might encounter different issues instead, though).
No, the issue does not appear to occur in 2.4.0
.
I see. This is likely related to this change, then. I'll investigate if we're importing the Jackson BOM incorrectly.
Pre-release 2.4.1-RC2
is now available on Maven Central. Could you test to see if the issue persists with that version?
The issue still occurs on 2.4.1-RC2
.
[WARNING] The POM for com.yubico:webauthn-server-core:jar:2.4.1-RC2 is invalid, transitive dependencies (if any) will not be available: 2 problems were encountered while building the effective model for com.yubico:webauthn-server-core:2.4.1-RC2
[ERROR] 'dependencyManagement.dependencies.dependency.version' for com.fasterxml.jackson:jackson-bom:pom is missing. @
[ERROR] 'dependencies.dependency.version' for com.fasterxml.jackson.core:jackson-databind:jar is missing. @
[WARNING] The POM for com.yubico:webauthn-server-attestation:jar:2.4.1-RC2 is invalid, transitive dependencies (if any) will not be available: 2 problems were encountered while building the effective model for com.yubico:webauthn-server-attestation:2.4.1-RC2
[ERROR] 'dependencyManagement.dependencies.dependency.version' for com.fasterxml.jackson:jackson-bom:pom is missing. @
[ERROR] 'dependencies.dependency.version' for com.fasterxml.jackson.core:jackson-databind:jar is missing. @
Ok, how about 2.4.1-RC3
? Thank you for your patience!
Still fails, though with a new error:
org.eclipse.aether.collection.DependencyCollectionException: Failed to collect dependencies at com.yubico:webauthn-server-core:jar:2.4.1-RC3
Caused by: org.eclipse.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for com.yubico:webauthn-server-core:jar:2.4.1-RC3
Caused by: org.apache.maven.model.resolution.UnresolvableModelException: Could not find artifact com.fasterxml.jackson:jackson-bom:pom:[2.13.2.1,3) in maven-central (https://repo.maven.apache.org/maven2/)
Ok, in 2.4.1-RC4
I've restored the related settings to essentially what they were in 2.4.0
. Please take one more look!
2.4.1-RC4
parses correctly, and includes the necessary dependencies. Thanks for the fix!
Great, thanks for confirming! I'll go ahead and promote that to the proper 2.4.1
release later today.
Release 2.4.1 is available now on Maven Central. Thanks again!
FidoMetadataDownloader
appears to have an undocumented dependency oncom.fasterxml.jackson.dataformat.cbor.CBORFactory
, found in thejackson-dataformat-cbor
artifact.If one only adds the
webauthn-server-core
andwebauthn-server-attestation
dependency entries topom.xml
, uses ofFidoMetadataDownloader
will throwNoClassDefFoundError
when downloading a certblob:Adding an explicit dependency on
jackson-dataformat-cbor
serves as a workaround:I am using
openjdk 17.0.3 2022-04-19
andwebauthn-server-attestation-2.4.1-RC1
.