Merge pull request #374 from ForgeRock/SDKS-2751-security

SDKS-2751 WoodStox + security vulnerability improvements
ForgeRock · Dec 11, 2023 · 8ebf0ff · 8ebf0ff
2 parents 9803dbc + d84d644
commit 8ebf0ff
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 67 deletions.
diff --git a/build.gradle b/build.gradle
@@ -26,8 +26,6 @@ buildscript {
         classpath "com.adarshr:gradle-test-logger-plugin:2.0.0"
         classpath 'com.google.gms:google-services:4.3.15'
         classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
-        classpath "org.jetbrains.dokka:dokka-gradle-plugin:1.8.20"
-
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files
     }
@@ -36,15 +34,41 @@ buildscript {
 plugins {
     id('io.github.gradle-nexus.publish-plugin') version '1.1.0'
     id('org.sonatype.gradle.plugins.scan') version '2.4.0'
+    id("org.jetbrains.dokka") version "1.9.10"
 }
 
-apply plugin: "org.jetbrains.dokka"
 
 allprojects {
+    configurations.all {
+
+        resolutionStrategy {
+            // Due to vulnerability [CVE-2022-40152] from dokka project.
+            force 'com.fasterxml.jackson.module:jackson-module-kotlin:2.13.5'
+            force 'com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.13.5'
+            force 'com.fasterxml.jackson.core:jackson-databind:2.13.5'
+            // Junit test project
+            force 'junit:junit:4.13.2'
+            //Due to Vulnerability [CVE-2022-2390]: CWE-471 The product does not properly
+            // protect an assumed-immutable element from being modified by an attacker.
+            // on version < 18.0.1, this library is depended by most of the google libraries.
+            // and needs to be reviewed on upgrades
+            force 'com.google.android.gms:play-services-basement:18.1.0'
+            //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
+            //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
+            //to be reviewed
+            force 'com.squareup.okio:okio:3.4.0'
+            //Due to this https://github.com/powermock/powermock/issues/1125, we have to keep using an
+            //older version of mockito until mockito release a fix
+            force 'org.mockito:mockito-core:3.12.4'
+            // this is for the mockwebserver
+            force 'org.bouncycastle:bcprov-jdk15on:1.68'
+        }
+    }
     repositories {
         google()
         mavenCentral()
     }
+
 }
 
 subprojects {

diff --git a/forgerock-auth-ui/build.gradle b/forgerock-auth-ui/build.gradle
@@ -43,11 +43,6 @@ android {
 apply from: '../config/kdoc.gradle'
 apply from: '../config/publish.gradle'
 
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-    }
-}
 
 dependencies {
 

diff --git a/forgerock-auth/build.gradle b/forgerock-auth/build.gradle
@@ -11,7 +11,6 @@ apply plugin: 'maven-publish'
 apply plugin: 'signing'
 apply plugin: 'kotlin-android'
 apply plugin: 'kotlin-parcelize'
-apply plugin: 'org.jetbrains.dokka'
 
 android {
     namespace 'org.forgerock.android.auth'
@@ -83,17 +82,6 @@ apply from: '../config/publish.gradle'
  * Dependencies
  *
  */
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-        force 'junit:junit:4.13.2'
-        force 'org.bouncycastle:bcprov-jdk15on:1.68'
-        //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
-        //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
-        //to be reviewed
-        force 'com.squareup.okio:okio:3.4.0'
-    }
-}
 dependencies {
     api project(':forgerock-core')
     implementation fileTree(dir: 'libs', include: ['*.jar'])

diff --git a/forgerock-authenticator/build.gradle b/forgerock-authenticator/build.gradle
@@ -10,6 +10,7 @@ apply plugin: "com.adarshr.test-logger"
 apply plugin: 'maven-publish'
 apply plugin: 'signing'
 apply plugin: 'kotlin-android'
+// We cannot use kdoc for this project due to Lombak ,so need to add this dokka plugin here.
 apply plugin: 'org.jetbrains.dokka'
 
 android {
@@ -86,14 +87,6 @@ apply from: '../config/publish.gradle'
 /**
  * Dependencies
  */
-configurations.all {
-    resolutionStrategy {
-        //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
-        //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
-        //to be reviewed
-        force 'com.squareup.okio:okio:3.4.0'
-    }
-}
 dependencies {
     api project(':forgerock-core')
     implementation fileTree(dir: 'libs', include: ['*.jar'])

diff --git a/forgerock-core/build.gradle b/forgerock-core/build.gradle
@@ -10,7 +10,6 @@ apply plugin: "com.adarshr.test-logger"
 apply plugin: 'maven-publish'
 apply plugin: 'signing'
 apply plugin: 'kotlin-android'
-apply plugin: 'org.jetbrains.dokka'
 
 android {
     namespace 'org.forgerock.android.core'
@@ -65,19 +64,6 @@ apply from: '../config/logger.gradle'
 apply from: '../config/kdoc.gradle'
 apply from: '../config/publish.gradle'
 
-configurations.all {
-    //Due to this https://github.com/powermock/powermock/issues/1125, we have to keep using an
-    //older version of mockito until mockito release a fix
-    resolutionStrategy {
-        force 'org.mockito:mockito-core:3.12.4'
-        // this is for the mockwebserver
-        force 'org.bouncycastle:bcprov-jdk15on:1.68'
-        //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
-        //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
-        //to be reviewed
-        force 'com.squareup.okio:okio:3.4.0'
-    }
-}
 /**
  * Dependencies
  */

diff --git a/samples/app/build.gradle b/samples/app/build.gradle
@@ -63,15 +63,6 @@ repositories {
     }
 }
 
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-        //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
-        //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
-        //to be reviewed
-        force 'com.squareup.okio:okio:3.4.0'
-    }
-}
 dependencies {
 
     def composeBom = platform('androidx.compose:compose-bom:2022.10.00')

diff --git a/samples/auth/build.gradle b/samples/auth/build.gradle
@@ -61,16 +61,6 @@ repositories {
     }
 }
 
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-        //Due to Vulnerability [CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types
-        //on version < 3.4.0, this library is depended by okhttp, when okhttp upgrade, this needs
-        //to be reviewed
-        force 'com.squareup.okio:okio:3.4.0'
-    }
-}
-
 dependencies {
 
     implementation project(':forgerock-auth')

diff --git a/samples/kotlin/build.gradle b/samples/kotlin/build.gradle
@@ -68,12 +68,6 @@ android {
     }
 }
 
-configurations.all {
-    resolutionStrategy {
-        force 'com.google.android.gms:play-services-basement:18.1.0'
-    }
-}
-
 dependencies {
     implementation project(':forgerock-auth')
     implementation 'net.openid:appauth:0.11.1'