@beercanx
Last active January 30, 2026 11:03
How to security patch the Android Gradle Plugin

It has two main areas: the plugin itself, on the buildscript classpath, and its UTP (Unified Test Platform), which AGP resolves through its own `_internal-unified-test-platform*` configurations. They share some dependencies, but the sets are not identical, so patching only one of the two at the component level can leave a vulnerable version alive in the other.

See the build.gradle.kts for code examples.

For a long time I couldn't understand where the extra dependencies kept coming from, including duplicates of the same library at different versions. For more details and ramblings, and where I initially wrote up my findings, go read this beercanx/retro-brick-game-raylib#30 (comment)

```kotlin
// build.gradle.kts
plugins {
    id("com.android.application") version "8.13.2"
}

repositories {
    google()
    mavenCentral()
}

buildscript {
    // Review these on each update of the AGP (com.android.application).
    // Each entry is a plain "required" version constraint: conflict resolution still
    // picks the highest version requested, so a newer transitive version is not downgraded.
    gradle.extra["securityPatches"] = listOf(
        "org.apache.httpcomponents:httpclient:4.5.14", // 4.5.12 has vulnerabilities
        // ..etc
    )
    // Handles the patching of the Android Gradle Plugin (the buildscript classpath)
    dependencies {
        constraints {
            for (securityPatch in gradle.extra["securityPatches"] as List<String>) {
                classpath(securityPatch)
            }
        }
    }
}

// Handles the patching of the Android UTP (Unified Test Platform). UTP is resolved
// through AGP's own configurations, not the buildscript classpath, so the same
// constraints have to be added here too.
configurations.named { it.startsWith("_internal-unified-test-platform") }.configureEach {
    dependencies {
        constraints {
            for (securityPatch in gradle.extra["securityPatches"] as List<String>) {
                add(name, securityPatch) // `name` is this UTP configuration's name
            }
        }
    }
}

java {
    toolchain {
        // ..etc
    }
}

android {
    // ..etc
}
```
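Constraints only state what you asked for; they do not prove what was resolved. As an added example (not part of the gist or of the linked project), here is a verification task for the same build.gradle.kts that resolves the buildscript classpath and every `_internal-unified-test-platform*` configuration and fails the build if any resolved module is still below the version listed in `gradle.extra["securityPatches"]`. The task name `verifySecurityPatches` and the `versionAtLeast` helper are my own choices; the rest uses Gradle's public resolution-result API.

```kotlin
// Added example: verify that the securityPatches constraints actually took effect.
// Assumes gradle.extra["securityPatches"] is set in the buildscript block of this
// same script and that UTP uses the "_internal-unified-test-platform" prefix.

// Compare dotted numeric versions ("4.5.14" vs "4.5.12"); non-numeric parts count as 0.
fun versionAtLeast(actual: String, wanted: String): Boolean {
    val a = actual.split(".", "-").map { it.toIntOrNull() ?: 0 }
    val w = wanted.split(".", "-").map { it.toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, w.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = w.getOrElse(i) { 0 }
        if (x != y) return x > y
    }
    return true
}

tasks.register("verifySecurityPatches") {
    group = "verification"
    description = "Fails if the AGP classpath or a UTP configuration still resolves an unpatched library"
    doLast {
        // "group:module" -> minimum version we asked for via constraints
        val wanted = (gradle.extra["securityPatches"] as List<String>)
            .map { it.split(":") }
            .filter { it.size == 3 }
            .associate { (g, m, v) -> "$g:$m" to v }

        // Both areas the gist patches: the plugin classpath and the UTP configurations.
        val toCheck = listOf(project.buildscript.configurations.getByName("classpath")) +
            configurations.filter { it.name.startsWith("_internal-unified-test-platform") }

        val failures = mutableListOf<String>()
        for (conf in toCheck) {
            for (component in conf.incoming.resolutionResult.allComponents) {
                // Skip the root/project component; only external modules carry group:module:version.
                val id = component.id as? org.gradle.api.artifacts.component.ModuleComponentIdentifier
                    ?: continue
                val key = "${id.group}:${id.module}"
                val min = wanted[key] ?: continue
                if (!versionAtLeast(id.version, min)) {
                    failures += "${conf.name}: $key resolved to ${id.version}, wanted >= $min"
                }
            }
        }
        if (failures.isNotEmpty()) {
            throw GradleException("Unpatched dependencies found:\n" + failures.joinToString("\n"))
        }
        logger.lifecycle("securityPatches satisfied in ${toCheck.size} configurations")
    }
}
```

Run it with `./gradlew verifySecurityPatches` after each AGP bump, alongside reviewing the list itself. It resolves configurations and reads project state inside `doLast`, so it is deliberately simple rather than configuration-cache compatible; for a quick manual look at the plugin side only, `./gradlew buildEnvironment` prints the resolved buildscript classpath and will show whether `httpclient` came out at the constrained version.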