fix: pin OkHttp (4.12.0), Guava (33.0.0-jre), and Json (20231013) ver…

…sions due to the Security Advisories Signed-off-by: Artyom Shendrik <[email protected]>
fluxo-kt · Dec 26, 2023 · af4ec27 · af4ec27
1 parent f1060ee
commit af4ec27
Show file tree

Hide file tree

Showing 9 changed files with 92 additions and 60 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@
 
 ### Updated
 - bump Kotlin from _1.9.21_ to _1.9.22_.
+- pin OkHttp (4.12.0), Guava (33.0.0-jre), and Json (20231013) versions due to the Security Advisories.
 
 
 ## [0.5.0] - 2023-12-24

diff --git a/checks/gradle-plugin/dependencies/classpath.txt b/checks/gradle-plugin/dependencies/classpath.txt
@@ -17,9 +17,10 @@ com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1
 com.gradle.publish:plugin-publish-plugin:1.2.1
 com.squareup.moshi:moshi-kotlin:1.12.0
 com.squareup.moshi:moshi:1.12.0
-com.squareup.okhttp3:okhttp:4.11.0
-com.squareup.okio:okio-jvm:3.2.0
-com.squareup.okio:okio:3.2.0
+com.squareup.okhttp3:okhttp-bom:4.12.0
+com.squareup.okhttp3:okhttp:4.12.0
+com.squareup.okio:okio-jvm:3.6.0
+com.squareup.okio:okio:3.6.0
 commons-codec:commons-codec:1.16.0
 dev.equo.ide:solstice:1.7.4
 io.gitlab.arturbosch.detekt:detekt-gradle-plugin:1.23.4
@@ -49,7 +50,6 @@ org.jetbrains.kotlin:kotlin-scripting-common:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-jvm:1.9.22
-org.jetbrains.kotlin:kotlin-stdlib-common:1.6.20
 org.jetbrains.kotlin:kotlin-tooling-core:1.9.22
 org.jetbrains.kotlin:kotlin-util-io:1.9.22
 org.jetbrains.kotlin:kotlin-util-klib:1.9.22

diff --git a/checks/main/dependencies/classpath.txt b/checks/main/dependencies/classpath.txt
@@ -76,9 +76,10 @@ com.googlecode.javaewah:JavaEWAH:1.2.3
 com.googlecode.juniversalchardet:juniversalchardet:1.0.3
 com.squareup.moshi:moshi-kotlin:1.12.0
 com.squareup.moshi:moshi:1.12.0
-com.squareup.okhttp3:okhttp:4.11.0
-com.squareup.okio:okio-jvm:3.2.0
-com.squareup.okio:okio:3.2.0
+com.squareup.okhttp3:okhttp-bom:4.12.0
+com.squareup.okhttp3:okhttp:4.12.0
+com.squareup.okio:okio-jvm:3.6.0
+com.squareup.okio:okio:3.6.0
 com.squareup:javapoet:1.10.0
 com.squareup:javawriter:2.5.0
 com.sun.activation:javax.activation:1.2.0
@@ -153,7 +154,6 @@ org.jetbrains.kotlin:kotlin-scripting-common:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:1.9.22
 org.jetbrains.kotlin:kotlin-scripting-jvm:1.9.22
-org.jetbrains.kotlin:kotlin-stdlib-common:1.9.20
 org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.0
 org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0
 org.jetbrains.kotlin:kotlin-stdlib:1.9.20

diff --git a/fluxo-kmp-conf/build.gradle.kts b/fluxo-kmp-conf/build.gradle.kts
@@ -45,6 +45,7 @@ setupGradlePlugin(
 configurations.implementation {
     exclude(group = "org.jetbrains.kotlin", module = "kotlin-stdlib")
     exclude(group = "org.jetbrains.kotlin", module = "kotlin-stdlib-jdk8")
+    exclude(group = "org.jetbrains.kotlin", module = "kotlin-stdlib-common")
 }
 
 dependencies {
@@ -53,6 +54,8 @@ dependencies {
     // Detekt ReportMergeTask is used internally
     implementation(libs.plugin.detekt)
 
+    implementation(platform(libs.okhttp.bom))
+
     compileOnly(libs.detekt.core)
     compileOnly(libs.ktlint)
 

diff --git a/fluxo-kmp-conf/dependencies/compileClasspath.txt b/fluxo-kmp-conf/dependencies/compileClasspath.txt
@@ -21,11 +21,11 @@ com.github.gmazzo.buildconfig:com.github.gmazzo.buildconfig.gradle.plugin:5.1.0
 com.github.gmazzo.buildconfig:plugin:5.1.0
 com.google.code.findbugs:jsr305:3.0.2
 com.google.devtools.ksp:symbol-processing-gradle-plugin:1.9.22-1.0.16
-com.google.errorprone:error_prone_annotations:2.11.0
-com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:31.1-jre
+com.google.errorprone:error_prone_annotations:2.23.0
+com.google.guava:failureaccess:1.0.2
+com.google.guava:guava:33.0.0-jre
 com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.3
+com.google.j2objc:j2objc-annotations:2.8
 com.gradle.enterprise:com.gradle.enterprise.gradle.plugin:3.16.1
 com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1
 com.gradle.publish:plugin-publish-plugin:1.2.1
@@ -39,7 +39,8 @@ com.savvasdalkitsis.module-dependency-graph:com.savvasdalkitsis.module-dependenc
 com.savvasdalkitsis:module-dependency-graph:0.12
 com.squareup.moshi:moshi-adapters:1.14.0
 com.squareup.moshi:moshi:1.14.0
-com.squareup.okhttp3:okhttp:3.14.9
+com.squareup.okhttp3:okhttp-bom:4.12.0
+com.squareup.okhttp3:okhttp:4.12.0
 com.squareup.okio:okio-jvm:3.7.0
 com.squareup.okio:okio:3.7.0
 com.squareup.retrofit2:retrofit:2.9.0
@@ -59,7 +60,7 @@ org.apache.maven:maven-model:3.6.3
 org.barfuin.gradle.taskinfo:gradle-taskinfo:2.1.0
 org.barfuin.gradle.taskinfo:org.barfuin.gradle.taskinfo.gradle.plugin:2.1.0
 org.barfuin.texttree:text-tree:2.1.2
-org.checkerframework:checker-qual:3.12.0
+org.checkerframework:checker-qual:3.41.0
 org.jetbrains.compose:compose-gradle-plugin:1.5.11
 org.jetbrains.dokka:dokka-core:1.9.10
 org.jetbrains.dokka:dokka-gradle-plugin:1.9.10

diff --git a/fluxo-kmp-conf/dependencies/runtimeClasspath.txt b/fluxo-kmp-conf/dependencies/runtimeClasspath.txt
@@ -13,7 +13,8 @@ com.googlecode.concurrent-trees:concurrent-trees:2.6.1
 com.googlecode.javaewah:JavaEWAH:1.2.3
 com.squareup.moshi:moshi-kotlin:1.12.0
 com.squareup.moshi:moshi:1.12.0
-com.squareup.okhttp3:okhttp:4.11.0
+com.squareup.okhttp3:okhttp-bom:4.12.0
+com.squareup.okhttp3:okhttp:4.12.0
 com.squareup.okio:okio-jvm:3.7.0
 com.squareup.okio:okio:3.7.0
 commons-codec:commons-codec:1.16.0

diff --git a/fluxo-kmp-conf/detekt-baseline.xml b/fluxo-kmp-conf/detekt-baseline.xml
@@ -4,7 +4,6 @@
   <CurrentIssues>
     <ID>ArgumentListWrapping:LoadAndApplyPluginIfNotApplied.kt$("Found plugin '$pluginId' class on the classpath for '${project.path}': $className")</ID>
     <ID>ComplexCondition:SetupTestsReport.kt$!enabled || mergedReportTask == null || mergedReportService == null || !isTestTaskAllowed()</ID>
-    <ID>CyclomaticComplexMethod:DependencyPinningBundle.kt$internal fun FluxoKmpConfContext.prepareDependencyPinningBundle()</ID>
     <ID>CyclomaticComplexMethod:LoadAndApplyPluginIfNotApplied.kt$private fun FluxoKmpConfContext.loadPluginArtifactAndGetClass( pluginId: String, pluginVersion: String?, className: String?, catalogPluginAlias: String?, lookupClassName: Boolean, canLoadDynamically: Boolean, project: Project, ): Class&lt;*>?</ID>
     <ID>CyclomaticComplexMethod:SetupAndroidLint.kt$internal fun Project.setupAndroidLint( conf: FluxoConfigurationExtensionImpl, ignoredBuildTypes: List&lt;String>, ignoredFlavors: List&lt;String>, )</ID>
     <ID>ForbiddenComment:AndroidTarget.kt$AndroidTarget$// FIXME: Implement API for source sets.</ID>
@@ -107,8 +106,6 @@
     <ID>MaximumLineLength:PropsAndEnv.kt$ </ID>
     <ID>MaximumLineLength:SetupTestsReport.kt$ </ID>
     <ID>MaximumLineLength:VersionCatalogUtils.kt$internal</ID>
-    <ID>MultiLineIfElse:DependencyPinningBundle.kt$for (alias in bundleAliases) { // Filter "pinned and "pinned.*" bundles alias.startsWith(ALIAS, ignoreCase = true) &amp;&amp; alias.run { val l = length l == ALIAS.length || l > ALIAS.length &amp;&amp; this[ALIAS.length] == '.' } || continue val bundle = libs.b(alias)?.get() if (bundle.isNullOrEmpty()) { continue } logger.l("Pinning ${bundle.size} dependencies from version catalog bundle '$alias'") val reason = "$PIN_REASON from bundle '$alias'" for (dep in bundle) { val constraint = dep.versionConstraint.toString() with(rootProject) { logDependency("pinned", dep, " ('$alias' constraint)") } pinnedDeps[dep.module] = Pair(constraint, reason) } }</ID>
-    <ID>NestedBlockDepth:DependencyPinningBundle.kt$internal fun FluxoKmpConfContext.prepareDependencyPinningBundle()</ID>
     <ID>NestedBlockDepth:KotlinSourceSetsReportTask.kt$KotlinSourceSetsReportTask.KotlinSourceSetsModel$fun buildTrees(): List&lt;GraphNode></ID>
     <ID>NestedBlockDepth:LoadAndApplyPluginIfNotApplied.kt$private fun FluxoKmpConfContext.getPluginIdAndVersion( id: String, version: String?, catalogPluginIds: Array&lt;out String>? = null, catalogPluginId: String?, logger: Logger, catalogVersionIds: Array&lt;out String>?, catalogVersionId: String?, ): Triple&lt;String, String?, String?></ID>
     <ID>NestedBlockDepth:LoadAndApplyPluginIfNotApplied.kt$private fun FluxoKmpConfContext.loadPluginArtifactAndGetClass( pluginId: String, pluginVersion: String?, className: String?, catalogPluginAlias: String?, lookupClassName: Boolean, canLoadDynamically: Boolean, project: Project, ): Class&lt;*>?</ID>

diff --git a/fluxo-kmp-conf/src/main/kotlin/fluxo/conf/feat/DependencyPinningBundle.kt b/fluxo-kmp-conf/src/main/kotlin/fluxo/conf/feat/DependencyPinningBundle.kt
@@ -7,33 +7,17 @@ import fluxo.conf.impl.d
 import fluxo.conf.impl.l
 import fluxo.conf.impl.logDependency
 import org.gradle.api.artifacts.ModuleIdentifier
+import org.gradle.api.logging.Logger
 
 internal fun FluxoKmpConfContext.prepareDependencyPinningBundle() {
     val libs = libs ?: return
     val logger = rootProject.logger
 
     val pinnedDeps = HashMap<ModuleIdentifier, Pair<String, String>>()
     val bundleAliases = libs.bundleAliases
-    if (bundleAliases.isNotEmpty()) for (alias in bundleAliases) {
-        // Filter "pinned and "pinned.*" bundles
-        alias.startsWith(ALIAS, ignoreCase = true) && alias.run {
-            val l = length
-            l == ALIAS.length || l > ALIAS.length && this[ALIAS.length] == '.'
-        } || continue
-
-        val bundle = libs.b(alias)?.get()
-        if (bundle.isNullOrEmpty()) {
-            continue
-        }
-        logger.l("Pinning ${bundle.size} dependencies from version catalog bundle '$alias'")
-
-        val reason = "$PIN_REASON from bundle '$alias'"
-        for (dep in bundle) {
-            val constraint = dep.versionConstraint.toString()
-            with(rootProject) {
-                logDependency("pinned", dep, " ('$alias' constraint)")
-            }
-            pinnedDeps[dep.module] = Pair(constraint, reason)
+    if (bundleAliases.isNotEmpty()) {
+        for (alias in bundleAliases) {
+            collectPinnedDependencies(alias, logger, pinnedDeps)
         }
     }
 
@@ -53,6 +37,32 @@ internal fun FluxoKmpConfContext.prepareDependencyPinningBundle() {
     }
 }
 
+private fun FluxoKmpConfContext.collectPinnedDependencies(
+    alias: String,
+    logger: Logger,
+    pinnedDeps: HashMap<ModuleIdentifier, Pair<String, String>>,
+) {
+    // Filter "pinned and "pinned.*" bundles
+    alias.startsWith(ALIAS, ignoreCase = true) && alias.run {
+        val l = length
+        l == ALIAS.length || l > ALIAS.length && this[ALIAS.length] == '.'
+    } || return
+
+    val bundle = libs.b(alias)?.get()
+    if (bundle.isNullOrEmpty()) {
+        return
+    }
+    logger.l("Pinning ${bundle.size} dependencies from version catalog bundle '$alias'")
+
+    val reason = "$PIN_REASON from bundle '$alias'"
+    for (dep in bundle) {
+        with(rootProject) {
+            logDependency("pinned", dep)
+        }
+        pinnedDeps[dep.module] = Pair(dep.versionConstraint.toString(), reason)
+    }
+}
+
 private const val ALIAS = VC_PINNED_BUNDLE_ALIAS
 
 private const val PIN_REASON = "Pinned due to security recommendations or other considerations"
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -35,21 +35,21 @@ ksp = "1.9.22-1.0.16"
 # region Android specific
 
 # SDK Versions:
-# 21  -> Android 5.0   (November 2014)  LOLLIPOP
-# 22  -> Android 5.1   (March 2015)     LOLLIPOP_MR1
-# 23  -> Android 6.0   (August 2015)    M
-# 24  -> Android 7.0   (August 2016)    N
-# 25  -> Android 7.1   (October 2016)   N_MR1
-# 26  -> Android 8.0   (August 2017)    O
-# 27  -> Android 8.1   (December 2017)  O_MR1
-# 28  -> Android 9.0   (August 2018)    PIE
-# 29  -> Android 10.0  (September 2019) Q
-# 30  -> Android 11.0  (September 2020) R
-# 31  -> Android 12.0  (October 2021)   S
-# 32  -> Android 12L   (March 2022)     S_V2
-# 33  -> Android 13    (August 2022)    TIRAMISU
-# 34  -> Android 14    (October 2023)   UPSIDE_DOWN_CAKE
-# 35  -> Android 15    (Q3 2024)        V
+# 21 → Android 5.0 (November 2014)  LOLLIPOP
+# 22 → Android 5.1 (March 2015)     LOLLIPOP_MR1
+# 23 → Android 6.0 (August 2015)    M
+# 24 → Android 7.0 (August 2016)    N
+# 25 → Android 7.1 (October 2016)   N_MR1
+# 26 → Android 8.0 (August 2017)    O
+# 27 → Android 8.1 (December 2017)  O_MR1
+# 28 → Android 9.0 (August 2018)    PIE
+# 29 → Android 10  (September 2019) Q
+# 30 → Android 11  (September 2020) R
+# 31 → Android 12  (October 2021)   S
+# 32 → Android 12L (March 2022)     S_V2
+# 33 → Android 13  (August 2022)    TIRAMISU
+# 34 → Android 14  (October 2023)   UPSIDE_DOWN_CAKE
+# 35 → Android 15  (Q3 2024)        V
 #
 # see:
 #  https://apilevels.com
@@ -79,7 +79,7 @@ androidLastSdk = "34"
 
 # Preview API for `MAX_DEBUG` builds
 # Zero value used to ignore this setting
-# E.g., to try out the Android U preview use `androidPreviewSdk = "U"`
+# E.g., to use the Android U preview use `androidPreviewSdk = "U"`
 androidPreviewSdk = "0"
 
 # Compilers, packaging, deployment tools for Android apps.
@@ -99,7 +99,7 @@ android-gradle-plugin = "8.2.0"
 bcv = "0.13.2"
 
 # Kotlin/JS API support for the KotlinX Binary Compatibility Validator based on the generated TS definitions.
-# https://github.com/fluxo-kt/fluxo-bcv-js/releases
+# https://github.com/fluxo-kt/fluxo-bcv-js/releases.
 fluxo-bcv-js = "0.2.0"
 
 # Dokka is a documentation engine for Kotlin/Java
@@ -121,15 +121,30 @@ spotless = "6.23.3"
 # https://github.com/JetBrains/gradle-intellij-plugin/releases
 gradle-intellij-plugin = "1.16.1"
 
-# KMP I/O library
-# https://github.com/advisories/GHSA-w33c-445m-f8w7
+
+# region Pinned dependencies
+# WARN: the versions are pinned, so no rich syntax supported!
+
+# KMP I/O library.
 # https://square.github.io/okio/changelog/
-# WARN: the version is pinned, so no rich syntax supported!
 okio = "3.7.0"
 
+# KMP I/O library.
+# https://square.github.io/okhttp/changelogs/changelog_4x/
+okhttp = "4.12.0"
 
-[libraries]
+# Google core libraries for Java.
+# https://github.com/google/guava/releases
+guava = "33.0.0-jre"
+
+# Douglas Crockford's reference Java implementation of a JSON.
+# https://github.com/stleary/JSON-java/releases
+json = "20231013"
 
+# endregion
+
+
+[libraries]
 ktlint = { module = "com.pinterest.ktlint:ktlint-cli", version.ref = "ktlint" }
 
 # https://github.com/mrmans0n/compose-rules/releases
@@ -146,13 +161,17 @@ plugin-kotlin = { module = "org.jetbrains.kotlin:kotlin-gradle-plugin", version.
 plugin-ksp = { module = "com.google.devtools.ksp:symbol-processing-gradle-plugin", version.ref = "ksp" }
 plugin-spotless = { module = "com.diffplug.spotless:spotless-plugin-gradle", version.ref = "spotless" }
 
+okhttp-bom = { module = "com.squareup.okhttp3:okhttp-bom", version.ref = "okhttp" }
+okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "okhttp" }
 okio = { module = "com.squareup.okio:okio", version.ref = "okio" }
 okio-jvm = { module = "com.squareup.okio:okio-jvm", version.ref = "okio" }
+guava = { module = "com.google.guava:guava", version.ref = "guava" }
+json = { module = "org.json:json", version.ref = "json" }
 
 
 [bundles]
 # Auto-pinned by the configuration plugin
-pinned = ["okio", "okio-jvm"]
+pinned = ["okhttp", "okio", "okio-jvm", "guava", "json"]
 
 
 [plugins]