Upgrade 'okio' dependency in plugin classpath

bigdaz · bigdaz · commit 11a6f55ad989 · 2024-02-11T18:02:44.000-07:00
The dependency 'com.squareup.okio:okio:3.0.0', brought in by the
'com.github.breadmoirai.github-release' plugin, has a known
vulnerability.
The vulnerability is fixed in v3.4.0.
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -85,4 +85,3 @@ jobs:
                 name: plugin-json
                 path: build/reports/dependency-graph-snapshots/plugin-self-test.json
                 if-no-files-found: error
-
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -11,6 +11,7 @@ jackson-kotlin = { group = "com.fasterxml.jackson.module", name = "jackson-modul
 apache-commons-io = { group = "commons-io", name = "commons-io", version = "2.15.1" }
 
 github-packageurl = { group = "com.github.package-url", name = "packageurl-java", version = "1.5.0" }
+okio = { group = "com.squareup.okio", name = "okio", version = "3.4.0" }
 
 ### Test dependencies
 
diff --git a/plugin/build.gradle.kts b/plugin/build.gradle.kts
@@ -5,6 +5,20 @@ import org.jetbrains.kotlin.gradle.dsl.KotlinVersion
 import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 import java.util.jar.JarFile
 
+// Upgrade transitive dependencies in plugin classpath
+buildscript {
+    repositories {
+        gradlePluginPortal()
+    }
+    dependencies {
+        constraints {
+            // The plugin com.github.breadmoirai.github-release:2.5.2 has dependency on com.squareup.okio:okio:3.0.0
+            // which has reported vulnerability CVE-2023-3635. Use a newer version.
+            classpath(libs.okio)
+        }
+    }
+}
+
 plugins {
     kotlin("jvm") version(libs.versions.kotlin)
     alias(libs.plugins.plugin.publish)
