Three open Dependabot alerts against bcprov-jdk18on and bcpkix-jdk18on (GHSA-p93r-85wp-75v3 high,
GHSA-c3fc-8qff-9hwx medium, GHSA-wg6q-6289-32hp medium) — all patched in 1.84. Kraken’s nightly scan
classified them as “shippable runtime,” but the previous lessons entry (2026-06-08) had already noted
that BC appears in the Gradle build classpath, not the server runtime.
Android Gradle Plugin 9.2.1 → apkzlib → apksig → bcpkix-jdk18on:1.79 (and transitively
bcprov-jdk18on:1.79). These jars are used during Gradle builds to sign and package Android APKs.
They are not on the deployed server’s runtime classpath and are not shipped to users. No
bcprov/bcpkix class appears in any produced server jar.
The bc-jdk18on-bom platform added to server/build.gradle.kts constrains project-level dependency
configs but does not reach the Gradle build classpath — that is resolved independently through
the buildscript {} mechanism.
build.gradle.kts: Added a buildscript { configurations.all { resolutionStrategy.force(...) } }
block that forces bcprov-jdk18on, bcpkix-jdk18on, and bcutil-jdk18on to 1.84 in the Gradle
build classpath. The buildEnvironment task now shows 1.79 -> 1.84 for all three.
gradle/libs.versions.toml: Added bouncycastle = "1.84" version pin and bouncycastle-bom
library entry as a forward guard for project-level configs (no effect today since BC is not
currently resolved in project configurations, but prevents a silent regression if a future
dependency adds it).
server/build.gradle.kts: Applied bc-jdk18on-bom as a platform in jvmMain dependencies,
same pattern as netty-bom / jackson-bom.
./gradlew buildEnvironment, not ./gradlew dependencies) need
a buildscript { configurations.all { resolutionStrategy.force(...) } } fix, not a
project.dependencies.platform(...) one. The two are independent resolution graphs.
buildscript {} is configurations.all { resolutionStrategy.force("g:a:v") }.
configurations.classpath.resolutionStrategy { force(...) } does not compile.
./gradlew :<module>:dependencies --configuration jvmRuntimeClasspath. If BC is absent there but present in
buildEnvironment, it’s a build-classpath issue (fix in buildscript, not runtime deps).
./gradlew buildEnvironment and checking for 1.79 -> 1.84.
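
The triage and verification steps above can be scripted as a CI guard. The following is an added example, not part of the original entry or the project's code: it parses Gradle dependency-report text and reports which resolution graph still resolves a Bouncy Castle version below 1.84. The function names are hypothetical and the report excerpts are constructed.

```python
import re

# Added example: function names are hypothetical, report excerpts are constructed.
# Only the three artifacts named in this entry are tracked.
BC = re.compile(r"org\.bouncycastle:(bc(?:prov|pkix|util)-jdk18on)(?::(\S+))?")
ARROW = re.compile(r"->\s*(\S+)")  # Gradle prints "requested -> resolved"

def resolved_bc(report):
    """Map each tracked BC artifact in a Gradle dependency report to its resolved version."""
    found = {}
    for line in report.splitlines():
        hit = BC.search(line)
        if hit:
            # Prefer the version after "->"; fall back to the requested one.
            arrow = ARROW.search(line, hit.end(1))
            version = arrow.group(1) if arrow else hit.group(2)
            if version:
                found[hit.group(1)] = version
    return found

def ver(v):
    """Numeric tuple for comparison: '1.84' -> (1, 84)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def stale(report, fixed):
    """Tracked artifacts in the report that resolve below the fixed version."""
    return {a: v for a, v in resolved_bc(report).items() if ver(v) < ver(fixed)}

def triage(build_env, runtime, fixed="1.84"):
    """Say which resolution graph still resolves a BC version below `fixed`."""
    if stale(runtime, fixed):
        return "runtime"          # shipped classpath: fix in project dependencies
    if stale(build_env, fixed):
        return "build-classpath"  # build-only: fix in buildscript {}
    return "clean"

# Constructed, abbreviated report excerpts (not output captured from the project).
BUILD_ENV_BEFORE = r"""
classpath
\--- com.android.tools.build:gradle:9.2.1
     +--- org.bouncycastle:bcpkix-jdk18on:1.79
     +--- org.bouncycastle:bcprov-jdk18on:1.79
     \--- org.bouncycastle:bcutil-jdk18on:1.79
"""
BUILD_ENV_AFTER = BUILD_ENV_BEFORE.replace(":1.79", ":1.79 -> 1.84")
RUNTIME = "jvmRuntimeClasspath\n\\--- org.example:some-lib:1.0\n"

if __name__ == "__main__":
    print(triage(BUILD_ENV_BEFORE, RUNTIME))  # build-classpath
    print(triage(BUILD_ENV_AFTER, RUNTIME))   # clean
```

In CI, pass it the captured text of ./gradlew buildEnvironment and ./gradlew :<module>:dependencies --configuration jvmRuntimeClasspath and fail the job on anything other than "clean".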