Kraken nightly scan flagged org.jdom:jdom2:2.0.6 as a high-severity CVE
(GHSA-2363-cqg2-863c, patched in 2.0.6.1). GitHub’s dependency graph confirmed
the vulnerable version in use. Initial classification marked it as
“shippable runtime”; investigation showed it is build-classpath-only.
com.android.tools.build.jetifier:jetifier-processor:1.0.0-beta10 (pulled
transitively by AGP for Android Jetifier support) depends on jdom2:2.0.6.
This lands in the Gradle buildscript classpath, not the server runtime
classpath — it is never shipped in the deployed JAR or Debian package.
./gradlew :server:dependencies reported nothing for jdom2; the alert is
only visible via ./gradlew buildEnvironment.
Added jdom2 = "2.0.6.1" to gradle/libs.versions.toml with a comment
explaining the buildscript-only scope and the GHSA reference. Added
"org.jdom:jdom2:2.0.6.1" to the buildscript { configurations.all
{ resolutionStrategy.force(...) } } block in build.gradle.kts, alongside
the existing Bouncy Castle and jose4j pins that follow the same pattern.

Buildscript-classpath dependencies do not appear in ./gradlew
:module:dependencies output. Use ./gradlew buildEnvironment to inspect the
Gradle build toolchain classpath. The DependencyVersionGuardTest pattern
does not extend to buildscript classpaths (different ClassLoader); no
automated regression test is feasible for this class of vulnerability.
The libs.versions.toml entry and the buildscript force together serve as
the guard. Re-run ./gradlew buildEnvironment whenever the AGP version is
bumped.
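As an added check that is not part of the original note: a POSIX shell filter that reads ./gradlew buildEnvironment output and fails when any org.jdom:jdom2 resolution is not the pinned 2.0.6.1. The sample tree text embedded below is constructed (the AGP version is a placeholder); it is the kind of CI guard that can sit beside the buildscript force, since the DependencyVersionGuardTest pattern cannot see that classpath.

```shell
#!/bin/sh
# Verify the jdom2 buildscript pin from `./gradlew buildEnvironment` output.
# Exit 0: every org.jdom:jdom2 line resolves to WANT.
# Exit 1: at least one line resolves elsewhere (force missing or bypassed).
# Exit 2: jdom2 absent from the tree (pin may be dead after an AGP bump).
WANT="2.0.6.1"

# Print the resolved version of each org.jdom:jdom2 line on stdin.
# Gradle renders a forced upgrade as "...:jdom2:2.0.6 -> 2.0.6.1 (*)",
# so the resolved version is the last element after " -> ".
resolved_jdom2_versions() {
  awk '
    /org\.jdom:jdom2:/ {
      line = $0
      sub(/.*org\.jdom:jdom2:/, "", line)      # drop tree drawing and coordinates
      gsub(/ *\([*c]\) *$/, "", line)         # drop trailing (*) / (c) markers
      n = split(line, parts, " -> ")
      print parts[n]
    }'
}

check_jdom2_pin() {
  versions=$(resolved_jdom2_versions)
  [ -n "$versions" ] || return 2
  bad=$(printf '%s\n' "$versions" | grep -v "^$WANT\$" || true)
  [ -z "$bad" ] || { printf 'unpinned jdom2: %s\n' "$bad"; return 1; }
  return 0
}

# Constructed buildEnvironment excerpts (X.Y.Z stands in for the AGP version).
SAMPLE_UNPINNED='classpath
+--- com.android.tools.build:gradle:X.Y.Z
|    \--- com.android.tools.build.jetifier:jetifier-processor:1.0.0-beta10
|         \--- org.jdom:jdom2:2.0.6'
SAMPLE_PINNED='classpath
+--- com.android.tools.build:gradle:X.Y.Z
|    \--- com.android.tools.build.jetifier:jetifier-processor:1.0.0-beta10
|         \--- org.jdom:jdom2:2.0.6 -> 2.0.6.1 (*)'

# Usage in CI: ./gradlew buildEnvironment | sh jdom2-pin-check.sh --live
if [ "${1-}" = "--live" ]; then check_jdom2_pin; exit $?; fi
```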