Update libraries and gradle

supppress owasp false positive
okta · Dec 8, 2023 · 1610ed3 · 1610ed3
1 parent 88b3175
commit 1610ed3
Show file tree

Hide file tree

Showing 10 changed files with 98 additions and 30 deletions.
diff --git a/.github/workflows/owasp-dependency-check.yml b/.github/workflows/owasp-dependency-check.yml
@@ -9,7 +9,7 @@ on :
 jobs :
   owaspDependencyCheck :
     runs-on : ubuntu-latest
-    timeout-minutes : 10
+    timeout-minutes : 30
 
     steps :
       - name : Checkout

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,13 +1,13 @@
 // Top-level build file where you can add configuration options common to all sub-projects/modules.
 plugins {
-    id("com.android.application") version "8.1.1" apply false
-    id("com.android.library") version "8.1.1" apply false
+    id("com.android.application") version "8.2.0" apply false
+    id("com.android.library") version "8.2.0" apply false
     id("org.jetbrains.kotlin.android") version Version.kotlin apply false
-    id("org.jetbrains.dokka") version "1.9.0" apply false
-    id("com.google.gms.google-services") version "4.3.15" apply false
-    id("org.jetbrains.kotlinx.kover") version "0.7.3" apply false
-    id("org.sonarqube") version "4.3.1.3277" apply true
-    id("io.gitlab.arturbosch.detekt") version "1.23.1" apply false
+    id("org.jetbrains.dokka") version "1.9.10" apply false
+    id("com.google.gms.google-services") version "4.4.0" apply false
+    id("org.jetbrains.kotlinx.kover") version "0.7.5" apply false
+    id("org.sonarqube") version "4.4.1.3373" apply true
+    id("io.gitlab.arturbosch.detekt") version "1.23.4" apply false
 }
 
 buildscript {
@@ -25,6 +25,7 @@ allprojects {
             force("org.bouncycastle:bcprov-jdk18on:1.76")
             force("org.json:json:20230618")
             force("com.google.guava:guava:32.1.2-jre")
+            force("androidx.room:room-runtime:${Version.room}")
         }
     }
 }

diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -13,6 +13,6 @@ repositories {
 }
 
 dependencies {
-    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.21.0")
-    implementation("org.owasp:dependency-check-gradle:8.4.0")
+    implementation("com.diffplug.spotless:spotless-plugin-gradle:6.23.3")
+    implementation("org.owasp:dependency-check-gradle:9.0.3")
 }
diff --git a/buildSrc/src/main/java/Version.kt b/buildSrc/src/main/java/Version.kt
@@ -2,14 +2,14 @@
  * Version variables
  */
 object Version {
-    const val kotlin = "1.9.10"
-    const val kotlinSerialization = "1.6.0"
+    const val kotlin = "1.9.21"
+    const val kotlinSerialization = "1.6.2"
     const val coroutine = "1.7.3"
-    const val room = "2.5.2"
+    const val room = "2.6.1"
     const val extJunit = "1.1.5"
     const val archLifecycleVersion = "2.6.2"
-    const val compose = "1.5.1"
-    const val composeCompiler = "1.5.3"
+    const val compose = "1.5.4"
+    const val composeCompiler = "1.5.6"
     const val devicesAuthenticator = "0.0.15"
     const val devicesCore = "0.0.15"
     const val devicesStorage = "0.0.15"

diff --git a/config/owasp-suppression.xml b/config/owasp-suppression.xml
@@ -5,7 +5,8 @@
    file name: kotlinx-coroutines-play-services-1.6.4.jar
    ]]></notes>
         <packageUrl regex="true">
-            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$</packageUrl>
+            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$
+        </packageUrl>
         <cve>CVE-2020-22475</cve>
     </suppress>
     <suppress>
@@ -22,15 +23,76 @@
    file name: kotlinx-coroutines-play-services-1.6.4.jar
    ]]></notes>
         <packageUrl regex="true">
-            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$</packageUrl>
+            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$
+        </packageUrl>
         <cve>CVE-2022-39349</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
    file name: datastore-preferences-core-1.0.0.jar
    ]]></notes>
         <packageUrl regex="true">
-            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$</packageUrl>
+            ^pkg:maven/org\.jetbrains\.kotlinx/kotlinx\-coroutines\-play\-services@.*$
+        </packageUrl>
         <cve>CVE-2022-39349</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name:sqlite-framework.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/androidx\.sqlite/sqlite\-framework@.*$</packageUrl>
+        <cve>CVE-2019-19646</cve>
+        <cve>CVE-2018-20346</cve>
+        <cve>CVE-2015-6607</cve>
+        <cve>CVE-2018-20505</cve>
+        <cve>CVE-2019-19645</cve>
+        <cve>CVE-2020-11656</cve>
+        <cve>CVE-2020-11655</cve>
+        <cve>CVE-2016-6153</cve>
+        <cve>CVE-2022-35737</cve>
+        <cve>CVE-2020-13631</cve>
+        <cve>CVE-2020-13434</cve>
+        <cve>CVE-2020-13632</cve>
+        <cve>CVE-2020-15358</cve>
+        <cve>CVE-2020-13435</cve>
+        <cve>CVE-2015-3717</cve>
+        <cve>CVE-2020-13630</cve>
+        <cve>CVE-2018-8740</cve>
+        <cve>CVE-2017-10989</cve>
+        <cve>CVE-2018-20506</cve>
+        <cve>CVE-2015-3416</cve>
+        <cve>CVE-2015-3415</cve>
+        <cve>CVE-2015-3414</cve>
+        <cve>CVE-2015-5895</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name:sqlite.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/androidx\.sqlite/sqlite@.*$</packageUrl>
+        <cve>CVE-2019-19646</cve>
+        <cve>CVE-2018-20346</cve>
+        <cve>CVE-2015-6607</cve>
+        <cve>CVE-2018-20505</cve>
+        <cve>CVE-2019-19645</cve>
+        <cve>CVE-2020-11656</cve>
+        <cve>CVE-2020-11655</cve>
+        <cve>CVE-2016-6153</cve>
+        <cve>CVE-2022-35737</cve>
+        <cve>CVE-2020-13631</cve>
+        <cve>CVE-2020-13434</cve>
+        <cve>CVE-2020-13632</cve>
+        <cve>CVE-2020-15358</cve>
+        <cve>CVE-2020-13435</cve>
+        <cve>CVE-2015-3717</cve>
+        <cve>CVE-2020-13630</cve>
+        <cve>CVE-2018-8740</cve>
+        <cve>CVE-2017-10989</cve>
+        <cve>CVE-2018-20506</cve>
+        <cve>CVE-2015-3416</cve>
+        <cve>CVE-2015-3415</cve>
+        <cve>CVE-2015-3414</cve>
+        <cve>CVE-2015-5895</cve>
+    </suppress>
+
 </suppressions>
diff --git a/devices-push/build.gradle.kts b/devices-push/build.gradle.kts
@@ -65,24 +65,24 @@ dependencies {
     implementation("androidx.biometric:biometric:1.2.0-alpha05")
     implementation("org.jetbrains.kotlin:kotlin-stdlib:${Version.kotlin}")
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-android:${Version.coroutine}")
-    implementation("androidx.core:core-ktx:1.10.1")
+    implementation("androidx.core:core-ktx:1.12.0")
     implementation("io.jsonwebtoken:jjwt-api:0.11.5")
     runtimeOnly("io.jsonwebtoken:jjwt-impl:0.11.5")
     runtimeOnly("io.jsonwebtoken:jjwt-orgjson:0.11.5") {
         exclude(group = "org.json", module = "json") // provided by Android natively
     }
-    implementation("com.squareup.okhttp3:okhttp:4.11.0")
+    implementation("com.squareup.okhttp3:okhttp:4.12.0")
 
-    testImplementation("com.squareup.okhttp3:logging-interceptor:4.11.0")
+    testImplementation("com.squareup.okhttp3:logging-interceptor:4.12.0")
     testImplementation("com.okta.devices:devices-fake-server:${Version.devicesFakeServer}")
     testImplementation("androidx.arch.core:core-testing:2.2.0")
     testImplementation("androidx.room:room-testing:${Version.room}")
     testImplementation("org.jetbrains.kotlin:kotlin-test:${Version.kotlin}")
     testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test:${Version.coroutine}")
     testImplementation("junit:junit:4.13.2")
     testImplementation("androidx.test.ext:junit-ktx:${Version.extJunit}")
-    testImplementation("org.robolectric:robolectric:4.10.3")
-    testImplementation("com.squareup.okhttp3:mockwebserver:4.11.0")
+    testImplementation("org.robolectric:robolectric:4.11.1")
+    testImplementation("com.squareup.okhttp3:mockwebserver:4.12.0")
     testImplementation("io.mockk:mockk:1.13.7")
     testImplementation("org.hamcrest:hamcrest-library:2.2")
     testImplementation("org.jetbrains.kotlinx:kotlinx-serialization-json:${Version.kotlinSerialization}")

diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
@@ -83,7 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -130,10 +131,13 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.

diff --git a/push-sample-app/build.gradle.kts b/push-sample-app/build.gradle.kts
@@ -68,15 +68,15 @@ android {
 dependencies {
     implementation(project(":devices-push"))
 
-    implementation(platform("com.okta.kotlin:bom:1.1.5"))
+    implementation(platform("com.okta.kotlin:bom:1.2.0"))
     implementation("com.okta.kotlin:auth-foundation")
     implementation("com.okta.kotlin:oauth2")
     implementation("com.okta.kotlin:web-authentication-ui")
 
-    implementation("androidx.core:core-ktx:1.10.1")
+    implementation("androidx.core:core-ktx:1.12.0")
     implementation("androidx.appcompat:appcompat:1.6.1")
     implementation("androidx.biometric:biometric:1.2.0-alpha05")
-    implementation("androidx.activity:activity-compose:1.7.2")
+    implementation("androidx.activity:activity-compose:1.8.1")
     implementation("androidx.lifecycle:lifecycle-viewmodel-compose:${Version.archLifecycleVersion}")
     implementation("androidx.compose.material:material:${Version.compose}")
     implementation("androidx.compose.ui:ui:${Version.compose}")
@@ -89,7 +89,7 @@ dependencies {
     implementation("com.jakewharton.timber:timber:5.0.1")
 
     // Firebase BoM
-    implementation(platform("com.google.firebase:firebase-bom:32.2.3"))
+    implementation(platform("com.google.firebase:firebase-bom:32.7.0"))
     implementation("com.google.firebase:firebase-messaging-ktx")
     implementation("androidx.security:security-crypto-ktx:1.1.0-alpha06")
 }