Csm merge from main

CONTRIBUTING.md

@@ -11,6 +11,8 @@ Here is a (non-exclusive, non-prioritized) list of things you might be able to h
 * features (both ideas and code are welcome)
 * test cases
 
+There are a couple of [enhancement issues](https://github.com/eclipse-californium/californium/issues?q=is%3Aissue+label%3Ahibernate), which have been closed for longer inactivity. Maybe, if you like to help and spend some time, you will be welcome.
+
 In order to get you started as fast as possible we need to go through some organizational issues first, though.
 
 ## Eclipse Contributor Agreement

DEPENDENCIES

@@ -1,32 +1,33 @@
 maven/mavencentral/com.github.peteroupc/numbers/1.8.2, CC0-1.0, approved, clearlydefined
-maven/mavencentral/com.google.code.gson/gson/2.8.8, Apache-2.0, approved, CQ23496
+maven/mavencentral/com.google.code.gson/gson/2.10, Apache-2.0, approved, #6159
 maven/mavencentral/com.google.errorprone/error_prone_annotations/2.3.4, Apache-2.0, approved, #807
 maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
-maven/mavencentral/com.google.guava/guava/30.0-android, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, LicenseRef-NONE, approved, #803
+maven/mavencentral/com.google.guava/guava/30.1-android, Apache-2.0 AND CC0-1.0 AND LicenseRef-Public-Domain, approved, CQ23244
+maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
 maven/mavencentral/com.google.j2objc/j2objc-annotations/1.3, Apache-2.0, approved, CQ21195
 maven/mavencentral/com.upokecenter/cbor/4.5.2, CC0-1.0, approved, clearlydefined
-maven/mavencentral/info.picocli/picocli/4.6.2, Apache-2.0, approved, clearlydefined
-maven/mavencentral/io.netty/netty-buffer/4.1.76.Final, Apache-2.0, approved, CQ21842
-maven/mavencentral/io.netty/netty-codec/4.1.76.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-common/4.1.76.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843
-maven/mavencentral/io.netty/netty-handler/4.1.76.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-resolver/4.1.76.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/io.netty/netty-transport/4.1.76.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
-maven/mavencentral/org.apache.httpcomponents.client5/httpclient5/5.1, Apache-2.0 AND MIT, approved, #255
-maven/mavencentral/org.apache.httpcomponents.core5/httpcore5-h2/5.1.1, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.apache.httpcomponents.core5/httpcore5/5.1.1, Apache-2.0, approved, clearlydefined
+maven/mavencentral/info.picocli/picocli/4.7.0, Apache-2.0, approved, #4365
+maven/mavencentral/io.netty/netty-buffer/4.1.87.Final, Apache-2.0, approved, CQ21842
+maven/mavencentral/io.netty/netty-codec/4.1.87.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-common/4.1.87.Final, Apache-2.0 AND MIT AND CC0-1.0, approved, CQ21843
+maven/mavencentral/io.netty/netty-handler/4.1.87.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-resolver/4.1.87.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-transport-native-unix-common/4.1.87.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/io.netty/netty-transport/4.1.87.Final, Apache-2.0 AND BSD-3-Clause AND MIT, approved, CQ20926
+maven/mavencentral/org.apache.httpcomponents.client5/httpclient5/5.1.3, Apache-2.0, approved, #6276
+maven/mavencentral/org.apache.httpcomponents.core5/httpcore5-h2/5.1.3, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.apache.httpcomponents.core5/httpcore5/5.1.3, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.checkerframework/checker-compat-qual/2.5.5, MIT, approved, clearlydefined
-maven/mavencentral/org.eclipse.californium/californium-core/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/californium-proxy2/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/cf-cli/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/cf-cluster/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/cf-oscore/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/cf-plugtest-server/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/cf-unix-health/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/element-connector-tcp-netty/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/element-connector/3.5.0-SNAPSHOT, , approved, science.californium
-maven/mavencentral/org.eclipse.californium/scandium/3.5.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/californium-core/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/californium-proxy2/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/cf-cli/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/cf-cluster/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/cf-oscore/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/cf-plugtest-server/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/cf-unix-health/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/element-connector-tcp-netty/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/element-connector/3.8.0-SNAPSHOT, , approved, science.californium
+maven/mavencentral/org.eclipse.californium/scandium/3.8.0-SNAPSHOT, , approved, science.californium
 maven/mavencentral/org.osgi/org.osgi.compendium/5.0.0, Apache-2.0, approved, CQ9373
 maven/mavencentral/org.osgi/org.osgi.core/5.0.0, Apache-2.0, approved, CQ5932
 maven/mavencentral/org.slf4j/slf4j-api/1.7.36, MIT, approved, CQ13368

README.md

@@ -8,6 +8,8 @@ More information can be found at
 [http://www.eclipse.org/californium/](http://www.eclipse.org/californium/)
 and [http://coap.technology/](http://coap.technology/).
 
+Like to help improving Californium? Then consider to [contribute](#contributing).
+
 # Build using Maven
 
 You need to have a working maven installation to build Californium.
@@ -19,7 +21,7 @@ $ mvn clean install
 
 Executable JARs of the examples with all dependencies can be found in the `demo-apps/run` folder.
 
-The build-process in branch `main` is tested for jdk 7, jdk 8, jdk 11, jdk 15, jdk 16 and jdk 17. 
+The build-process in branch `main` is tested for jdk 7, jdk 8, jdk 11 and jdk 17. 
 For jdk 7 the revapi maven-plugin is disabled, it requires at least java 8.
 
 To generate the javadocs, add "-DcreateJavadoc=true" to the command line and set the `JAVA_HOME`.
@@ -38,7 +40,7 @@ To (re-)build versions before that date the unit tests must therefore be skipped
 $ mvn clean install -DskipTests
 ```
 
-Earlier versions (3.0.0-Mx, 2.6.5 and before) may also fail to build with newer JDKs, especially, if java 16 or 17 is used! That is cause by the unit test dependency to a deprecated version of "mockito". If such a (re-)build is required, the unit tests must be skipped (which is in the meantime anyway required caused by the "non-existing.host").
+Earlier versions (3.0.0-Mx, 2.6.5 and before) may also fail to build with newer JDKs, especially, if java 17 is used! That is cause by the unit test dependency to a deprecated version of "mockito". If such a (re-)build is required, the unit tests must be skipped (which is in the meantime anyway required caused by the "non-existing.host").
 
 In combination with the "non-existing.host" now existing, the build with unit test only works for the current heads of the branches `2.6.x`, `2.7.x` and `main`!
 
@@ -76,7 +78,7 @@ $ mvn clean install -DuseToolchainJavadoc=true
 
 ## Build with jdk11 and EdDSA support
 
-To support EdDSA, either java 15, java 16, java 17 or java 11 with [ed25519-java](https://github.com/str4d/ed25519-java) is required at runtime. Using java 15 (or newer) to build Californium, leaves out `ed25519-java`, using java 11 for building, includes `ed25519-java` by default. If `ed25519-java` should **NOT** be included into the californium's jars, add `-Dno.net.i2p.crypto.eddsa=true` to maven's arguments.
+To support EdDSA, either java 17 or java 11 with [ed25519-java](https://github.com/str4d/ed25519-java) is required at runtime. Using java 17 (or newer) to build Californium, leaves out `ed25519-java`, using java 11 for building, includes `ed25519-java` by default. If `ed25519-java` should **NOT** be included into the californium's jars, add `-Dno.net.i2p.crypto.eddsa=true` to maven's arguments.
 
 ```sh
 $ mvn clean install -Dno.net.i2p.crypto.eddsa=true
@@ -94,7 +96,7 @@ In that case, it's still possible to use `ed25519-java`, if the [eddsa-0.3.0.jar
 
 ## Run unit tests using Bouncy Castle as alternative JCE provider
 
-With 3.0 a first, experimental support for using Bouncy Castle (version 1.69, bcprov-jdk15on, bcpkix-jdk15on, and, for tls, bctls-jdk15on) is implemented. With 3.3 the tests are using the updated version 1.70 (for tls also  bcutil-jdk15on is used additionally) and with 3.8 version 1.71.1 is used.
+With 3.0 a first, experimental support for using Bouncy Castle (version 1.69, bcprov-jdk15on, bcpkix-jdk15on, and, for tls, bctls-jdk15on) is implemented. With 3.3 the tests are using the updated version 1.70 (for tls also  bcutil-jdk15on is used additionally) and with 3.8 version 1.72 is used.
 
 To demonstrate the basic functions, run the unit-tests using the profile `bc-tests`
 
@@ -120,7 +122,7 @@ With that, it gets very time consuming to test all combinations. Therefore, if y
 
 # Using Californium in Maven Projects
 
-We are publishing Californium's artifacts for milestones and releases to [Maven Central](https://search.maven.org/search?q=g:org.eclipse.californium%20a:parent%20v:3.7.0).
+We are publishing Californium's artifacts for milestones and releases to [Maven Central](https://search.maven.org/search?q=g:org.eclipse.californium%20a:parent%20v:3.8.0).
 To use the latest released version as a library in your projects, add the following dependency
 to your `pom.xml` (without the dots):
 
@@ -130,7 +132,7 @@ to your `pom.xml` (without the dots):
     <dependency>
             <groupId>org.eclipse.californium</groupId>
             <artifactId>californium-core</artifactId>
-            <version>3.7.0</version>
+            <version>3.8.0</version>
     </dependency>
     ...
   </dependencies>
@@ -154,7 +156,7 @@ You will therefore need to add the Eclipse Repository to your `pom.xml` first:
     ...
   </repositories>
 ```
-You can then simply depend on `3.8.0-SNAPSHOT`.
+You can then simply depend on `3.9.0-SNAPSHOT`.
 
 # Eclipse
 
@@ -177,7 +179,7 @@ In IntelliJ, choose *[File.. &raquo; Open]* then select the location of the clon
 
 A test server is running at <a href="coap://californium.eclipseprojects.io:5683/">coap://californium.eclipseprojects.io:5683/</a>
 
-It is an instance of the [cf-plugtest-server](https://repo.eclipse.org/content/repositories/californium-releases/org/eclipse/californium/cf-plugtest-server/3.7.0/cf-plugtest-server-3.7.0.jar) from the demo-apps.
+It is an instance of the [cf-plugtest-server](https://repo.eclipse.org/content/repositories/californium-releases/org/eclipse/californium/cf-plugtest-server/3.8.0/cf-plugtest-server-3.8.0.jar) from the demo-apps.
 The root resource responds with its current version.
 
 More information can be found at [http://www.eclipse.org/californium](http://www.eclipse.org/californium) and technical details at [https://projects.eclipse.org/projects/iot.californium](https://projects.eclipse.org/projects/iot.californium).
@@ -230,7 +232,7 @@ OSCORE Key Rederivation:
 For some systems (particularly when multicasting), it may be necessary to specify/restrict californium to a particular network interface, or interfaces. This can be
  achieved by setting the `COAP_NETWORK_INTERFACES` JVM parameter to a suitable regex, for example:
 
-`java -DCOAP_NETWORK_INTERFACES='.*wpan0' -jar target/cf-helloworld-server-3.7.0.jar MulticastTestServer`
+`java -DCOAP_NETWORK_INTERFACES='.*wpan0' -jar target/cf-helloworld-server-3.8.0.jar MulticastTestServer`
 
 # Contact
 
@@ -240,3 +242,5 @@ or create an issue here on GitHub.
 # Contributing
 
 Please check out our [contribution guidelines](CONTRIBUTING.md)
+
+There are a couple of [enhancement issues](https://github.com/eclipse-californium/californium/issues?q=is%3Aissue+label%3Ahibernate), which have been closed for longer inactivity. Maybe, if you like to help and spend some time, you will be welcome.

SECURITY.md

@@ -2,19 +2,21 @@
 
 ## Reporting a Vulnerability
 
-Californium supports the use of [GitHub security advisories](https://help.github.com/en/articles/managing-security-vulnerabilities-in-your-project) as pilot for [eclipse](https://www.eclipse.org/) projects. Please consider to use it for reporting vulnerabilities.
+Californium supports the use of [GitHub security advisories](https://help.github.com/en/articles/managing-security-vulnerabilities-in-your-project) as pilot for [eclipse](https://www.eclipse.org/) projects.
 
-Alternatively may also report a vulnerability opening a [bugzilla ticket](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability+Reports&keywords=security&groups=Security_Advisories).
+To report a vulnerability, [go directly to the form](https://github.com/eclipse-californium/californium/security/advisories/new). Alternatively, switch to the [Security tab](https://github.com/eclipse-californium/californium/security), then click "Report a vulnerability" and another "Report a vulnerability" button again.
+
+You may also report a vulnerability opening a [bugzilla ticket](https://bugs.eclipse.org/bugs/enter_bug.cgi?product=Community&component=Vulnerability+Reports&keywords=security&groups=Security_Advisories).
 
 For more details, please look at [https://www.eclipse.org/security](https://www.eclipse.org/security).
 
 ## Supported Versions
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 3.8.0-SNAPSHOT (main) | :heavy_check_mark: |
-| 3.7.0   | :heavy_check_mark: |
-| 3.6.0, 3.5.0, 3.4.0, 3.3.1, 3.2.0, 3.1.0, 3.0.0 | :question: |
+| 3.9.0-SNAPSHOT (main) | :heavy_check_mark: |
+| 3.8.0   | :heavy_check_mark: |
+| 3.8.0, 3.6.0, 3.5.0, 3.4.0, <br/> 3.3.1, 3.2.0, 3.1.0, <br/> 3.0.0 | :question: |
 | 2.7.4   | :question: |
 | 2.7.3, 2.6.6, 2.5.0, 2.4.1, <br/> 2.3.1, 2.2.3, 2.1.0, <br/> 2.0.0 | :question: |
 | before 2.0.0   | :x: |

assembly/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>org.eclipse.californium</groupId>
 		<artifactId>parent</artifactId>
-		<version>3.8.0-SNAPSHOT</version>
+		<version>3.9.0-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>californium-assembly</artifactId>

bom/pom.xml

@@ -8,7 +8,7 @@
 	<parent>
 		<groupId>org.eclipse.californium</groupId>
 		<artifactId>parent</artifactId>
-		<version>3.8.0-SNAPSHOT</version>
+		<version>3.9.0-SNAPSHOT</version>
 	</parent>
 	<artifactId>cf-bom</artifactId>
  	<packaging>pom</packaging>
@@ -17,7 +17,7 @@
 	<description>Californium (Cf) Bill Of Materials</description>
 
 	<properties>
-		<picocli.version>4.6.3</picocli.version>
+		<picocli.version>4.7.0</picocli.version>
 		<gson.version>2.10</gson.version>
 		<cbor.version>4.5.2</cbor.version>
 		<slf4j.version>1.7.36</slf4j.version>