appmattus / certificatetransparency

Certificate transparency for Android and JVM
Apache License 2.0

Latest / recent versions not pushing to Maven #102

Closed maxkohne closed 11 months ago

maxkohne commented 12 months ago

Right now, this lib is automatically updated on this repo with updated log list dates. However, the last version to successfully get pushed to Maven is v2.5.6. Every subsequent update isn't passing CI (https://github.com/appmattus/certificatetransparency/actions).

According to your comment here, after 70 days, CT is disabled. Since we cannot get the latest versions, everyone will be hitting this 70 day window since we cannot update the library.

Caching has been re-implemented and made a lot more robust. For example the library now embeds a hard coded log list so it always has a fallback. The implementation is closer to how Chrome works, if the library cannot update the log list for 70 days then the best it can do is disable the CT checks. The plan is for more regular updates of the library to keep the embedded log list in sync so as long as apps keep the library up to date that 70 days will keep on rolling - a disk cache being used also extends that 70 days too. The new implementation additionally reduces the risk of replay attacks.
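The quoted release note describes a fail-open policy: the library prefers the freshest log list it can get (network, then disk cache, then the embedded copy) and disables CT checks once the best available list is more than 70 days old. The following Kotlin is an added illustration of that policy, not the library's own code; the source classes, the `decidePolicy` function and the sample timestamps are assumptions, while the 70-day limit and the fallback order come from the thread.

```kotlin
import java.time.Duration
import java.time.Instant

// Hypothetical model of the three log-list sources named in the thread
// (not the library's own types). fetchedAt is when that copy was obtained.
sealed class LogListSource(val fetchedAt: Instant, val name: String)
class Network(fetchedAt: Instant) : LogListSource(fetchedAt, "network")
class DiskCache(fetchedAt: Instant) : LogListSource(fetchedAt, "disk-cache")
class Embedded(fetchedAt: Instant) : LogListSource(fetchedAt, "embedded")

// Maximum age of a log list before CT checks are disabled (the 70 days from the thread).
val MAX_LOG_LIST_AGE: Duration = Duration.ofDays(70)

enum class CtPolicy { ENFORCE, DISABLED }

// Choose the freshest available log list and derive the policy from its age.
// Returns the policy together with the source it was based on (null if none).
fun decidePolicy(candidates: List<LogListSource>, now: Instant): Pair<CtPolicy, LogListSource?> {
    val freshest = candidates.maxByOrNull { it.fetchedAt } ?: return CtPolicy.DISABLED to null
    val age = Duration.between(freshest.fetchedAt, now)
    val policy = if (age <= MAX_LOG_LIST_AGE) CtPolicy.ENFORCE else CtPolicy.DISABLED
    return policy to freshest
}

fun main() {
    val now = Instant.parse("2024-01-01T00:00:00Z")

    // Constructed sample: the network fetch failed, the disk cache is 10 days old
    // and the embedded list shipped with the app is 80 days old.
    val withCache = listOf(
        DiskCache(now.minus(Duration.ofDays(10))),
        Embedded(now.minus(Duration.ofDays(80)))
    )
    val (policy, source) = decidePolicy(withCache, now)
    println("$policy using ${source?.name}")

    // Constructed sample: no cache either, so only the stale embedded list remains
    // and the library fails open, which is the state a defender wants to alert on.
    val (stalePolicy, staleSource) = decidePolicy(listOf(Embedded(now.minus(Duration.ofDays(80)))), now)
    println("$stalePolicy using ${staleSource?.name}")
}
```

The second case is the one this issue is about: when releases stop, the embedded list keeps ageing in every installed app, and once no fresher copy exists the checks silently turn off. Logging or reporting the `DISABLED` outcome is the practical check for catching that in the field.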

eric-klukovich commented 11 months ago

@mattmook not sure if you are aware of this issue, but the version on maven is very out of date compared to Github. Looks like CI is experiencing the error below. Could we get some eyes on this?

Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '0.0': CVE-2023-3635
See the dependency-check report for more details.

mattmook commented 11 months ago

Looking to address this shortly. OkHttp has a new vulnerability against it so the build is failing. I was originally waiting to see if OkHttp would release an update - but alas not.

mattmook commented 11 months ago

Regarding the 70 day window - this only matters if you cannot retrieve an up-to-date log list, i.e. the 70 days is from the time of the last cached log list.

eric-klukovich commented 11 months ago

@mattmook - terrific! Thank you for looking into this!