From b036b86e09687914a68dde3b3572801f757b5492 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 19 May 2026 15:23:55 +0200 Subject: [PATCH 1/2] Bump maxDiscardedFactor in RelyingParty[V2]AssertionSpec We had a "Gave up after 9 successful property evaluations" failure on GitHub actions, so a factor 20 seems to be _just_ a bit too restrictive. Why discard property evaluations here? The purpose of these tests are to verify that whenever `finishAssertion` succeeds, the `AssertionResult` is internally consistent and consistent with the request `username` and `userHandle` (if any). For that sake, it is relevant to have the generators be more generous with generating combinations that _shouldn't_ succeed `finishAssertion` but do anyway, such as the edge case that was the cause of YSA-2026-02. --- .../scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala | 2 +- .../scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala index 29d7c7396..995308afc 100644 --- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala +++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyAssertionSpec.scala @@ -1168,7 +1168,7 @@ class RelyingPartyAssertionSpec genCredentialIdAndAllowCredentials, genUsernameOrUserHandle, genUserHandle, - maxDiscardedFactor(20), // This helps the `whenever` clause below not make the test flaky + maxDiscardedFactor(30), // This helps the `whenever` clause below not make the test flaky ) { case ( (credentialId, allowCredentials), diff --git a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala index 5c056b0cc..0b9d5df91 100644 --- a/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala +++ b/webauthn-server-core/src/test/scala/com/yubico/webauthn/RelyingPartyV2AssertionSpec.scala @@ -1159,7 +1159,7 @@ class RelyingPartyV2AssertionSpec genCredentialIdAndAllowCredentials, genUserIdentifiers, genUserHandle, - maxDiscardedFactor(20), // This helps the `whenever` clause below not make the test flaky + maxDiscardedFactor(30), // This helps the `whenever` clause below not make the test flaky ) { case ( (credentialId, allowCredentials), From 6fbc56e1e14152ad32fe75c1ca66df4128bf75d6 Mon Sep 17 00:00:00 2001 From: Emil Lundberg Date: Tue, 5 Mar 2024 08:52:00 +0100 Subject: [PATCH 2/2] Drop slf4j-test from webauthn-server-attestation test dependencies This prevents the unit test XML reports from containing large stdout logs which are not used for anything but crash the default settings of EnricoMi/publish-unit-test-result-action@v2 . This was originally done in commit cdf95131266e9d89bed3df9c52644b06306e1cea and then undone for no apparent reason in efa4b009d88c3788fa19acdae407a816aeb6746a. The tests added in efa4b009d88c3788fa19acdae407a816aeb6746a do not use any of the features of `slf4j-test`; it appears the dependency was re-added solely for capturing log output. --- webauthn-server-attestation/build.gradle.kts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/webauthn-server-attestation/build.gradle.kts b/webauthn-server-attestation/build.gradle.kts index 94f5a34a4..80e8de8bd 100644 --- a/webauthn-server-attestation/build.gradle.kts +++ b/webauthn-server-attestation/build.gradle.kts @@ -45,13 +45,7 @@ dependencies { testImplementation("org.scalatest:scalatest_2.13") testImplementation("org.scalatestplus:junit-4-13_2.13") testImplementation("org.scalatestplus:scalacheck-1-16_2.13") - - testImplementation("org.slf4j:slf4j-api") { - version { - strictly("[1.7.25,1.8-a)") // Pre-1.8 version required by slf4j-test - } - } - testRuntimeOnly("uk.org.lidalia:slf4j-test") + testImplementation("org.slf4j:slf4j-api") } val integrationTest = task("integrationTest") {