Merge branch 'bump-agp-plugin-droid-1112'

mullvad · Sep 24, 2024 · 7031dc2 · 7031dc2
2 parents a6444fa + e956421
commit 7031dc2
Show file tree

Hide file tree

Showing 5 changed files with 260 additions and 321 deletions.
diff --git a/android/build.gradle.kts b/android/build.gradle.kts
@@ -109,7 +109,11 @@ allprojects {
 
     configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
         failBuildOnCVSS = 0F // All severity levels
-        suppressionFile = "${rootProject.projectDir}/config/dependency-check-suppression.xml"
+        suppressionFiles =
+            listOf(
+                "${rootProject.projectDir}/config/dependency-check-suppression.xml",
+                "${rootProject.projectDir}/config/dependency-check-suppression-agp-fixes.xml",
+            )
     }
 
     configure<com.ncorti.ktfmt.gradle.KtfmtExtension> {

diff --git a/android/config/dependency-check-suppression-agp-fixes.xml b/android/config/dependency-check-suppression-agp-fixes.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/.*@.*$</packageUrl>
+        <cve>CVE-2022-41881</cve>
+        <cve>CVE-2023-44487</cve>
+        <cve>CVE-2023-34462</cve>
+        <cve>CVE-2022-24823</cve>
+        <cve>CVE-2024-29025</cve>
+        <cve>CVE-2022-41915</cve>
+    </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.protobuf/.*@.*$</packageUrl>
+        <cve>CVE-2024-7254</cve>
+        <cve>CVE-2022-3171</cve>
+        <cve>CVE-2022-3510</cve>
+        <cve>CVE-2021-22569</cve>
+    </suppress>
+    <suppress until="2024-12-01Z">
+        <notes><![CDATA[
+        This and all other supressions in this file are for dependencies only used for tests.
+        These should be excluded by the plugin but this behaviour is broken.
+        Added here until we can fix the plugin behaviour.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com.google.guava/guava@.*$</packageUrl>
+        <cve>CVE-2023-2976</cve>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
+</suppressions>
+
diff --git a/android/gradle.properties b/android/gradle.properties
@@ -3,4 +3,3 @@ android.nonTransitiveRClass=false
 android.useAndroidX=true
 kotlin.code.style=official
 org.gradle.jvmargs=-Xmx8192M -Dkotlin.daemon.jvm.options\="-Xmx8192M"
-android.experimental.lint.version = 8.4.0
diff --git a/android/gradle/libs.versions.toml b/android/gradle/libs.versions.toml
@@ -3,8 +3,8 @@
 # The android-gradle-aapt plugin version must be in sync with the android plugin version.
 # Required for Gradle metadata verification to work properly, see:
 # https://github.com/gradle/gradle/issues/19228
-android-gradle-plugin = "8.3.0"
-android-gradle-aapt = "10880808"
+android-gradle-plugin = "8.6.1"
+android-gradle-aapt = "11315950"
 android-billingclient = "7.0.0"
 android-volley = "1.2.1"