beercanx

How to security patch the Android Gradle Plugin

Its got two main areas, the plugin itself in the buildscript and its UTP (Unified Test Platform) in the configurations, they share some similar dependencies but not idential and because of this some patching might get missed at a component level.

See the build.gradle.kts for code examples.

For a long time I couldn't understand where the extra dependencies kept coming from, including duplicates of the same library but at different versions, for more details ramblings, and where I initially wrote up my findings go read this beercanx/retro-brick-game-raylib#30 (comment)

beercanx

Dependabot scripts

A collection of basic look up scripts to find all known vulnerabilities and any outstanding PRs from Dependabot.

Just replace '<<USERNAME>>' with your username, and gh needs to be installed and setup.

Listing all known security vulnerabilities

powershell

gh repo list '<<USERNAME>>' --no-archived --json nameWithOwner -q '.[].nameWithOwner' | ForEach-Object { echo "=== $_ ==="; gh api --paginate "/repos/$_/dependabot/alerts?state=open" --jq '.[] | {number, created_at, "severity": .security_vulnerability?.severity, "package": .security_vulnerability?.package?.name, "summary": .security_advisory?.summary, "url": .html_url}'; }

beercanx

FROM rockylinux:9

# Install the JRE and JDK
RUN dnf -y update && \
    dnf -y install java-17-openjdk java-17-openjdk-devel

# Create an example certificate to trust
RUN openssl req -nodes -new -x509 -keyout test.baconi.co.uk.key -out test.baconi.co.uk.crt -subj '/C=GB/L=Sheffield/O=Baconi/CN=test.baconi.co.uk' && \
    cp -av test.baconi.co.uk.crt /etc/pki/ca-trust/source/anchors/test.baconi.co.uk.crt

beercanx

Create test Jenkins

docker run -it --rm --name jenkins -p '8080:8080' jenkins:alpine

Install

• Login as Admin
• Accept the standard plugins
• Continue as Admin
• Install AnsiColor plugin