Fix/suppress dependency audit issues

6 files changed, 21 insertions, 5 deletions

diff --git a/android/app/build.gradle.kts b/android/app/build.gradle.kts
index 1a17abf92c..451d6f2e9b 100644
--- a/android/app/build.gradle.kts
+++ b/android/app/build.gradle.kts
@@ -186,7 +186,6 @@ dependencies {
     debugImplementation(Dependencies.AndroidX.fragmentTestning)
     androidTestImplementation(Dependencies.AndroidX.espressoContrib)
     androidTestImplementation(Dependencies.AndroidX.espressoCore)
-    androidTestImplementation(Dependencies.AndroidX.junit)
     androidTestImplementation(Dependencies.Koin.test)
     androidTestImplementation(Dependencies.Kotlin.test)
     androidTestImplementation(Dependencies.MockK.android)
diff --git a/android/app/src/androidTest/kotlin/net/mullvad/mullvadvpn/ui/fragments/SplitTunnelingFragmentTest.kt b/android/app/src/androidTest/kotlin/net/mullvad/mullvadvpn/ui/fragments/SplitTunnelingFragmentTest.kt
index 8bd3cc70b8..a241593c00 100644
--- a/android/app/src/androidTest/kotlin/net/mullvad/mullvadvpn/ui/fragments/SplitTunnelingFragmentTest.kt
+++ b/android/app/src/androidTest/kotlin/net/mullvad/mullvadvpn/ui/fragments/SplitTunnelingFragmentTest.kt
@@ -8,8 +8,8 @@ import androidx.test.espresso.assertion.ViewAssertions.matches
 import androidx.test.espresso.matcher.ViewMatchers.withContentDescription
 import androidx.test.espresso.matcher.ViewMatchers.withId
 import androidx.test.espresso.matcher.ViewMatchers.withText
-import androidx.test.ext.junit.runners.AndroidJUnit4
 import androidx.test.filters.LargeTest
+import androidx.test.runner.AndroidJUnit4
 import io.mockk.Runs
 import io.mockk.coEvery
 import io.mockk.coVerifyAll
diff --git a/android/buildSrc/src/main/kotlin/Dependencies.kt b/android/buildSrc/src/main/kotlin/Dependencies.kt
index 18cae6a638..6d019cadf9 100644
--- a/android/buildSrc/src/main/kotlin/Dependencies.kt
+++ b/android/buildSrc/src/main/kotlin/Dependencies.kt
@@ -23,7 +23,6 @@ object Dependencies {
             "androidx.lifecycle:lifecycle-viewmodel-ktx:${Versions.AndroidX.lifecycle}"
         const val recyclerview =
             "androidx.recyclerview:recyclerview:${Versions.AndroidX.recyclerview}"
-        const val junit = "androidx.test.ext:junit:${Versions.AndroidX.junit}"
         const val espressoCore =
             "androidx.test.espresso:espresso-core:${Versions.AndroidX.espresso}"
         const val espressoContrib =
diff --git a/android/buildSrc/src/main/kotlin/Versions.kt b/android/buildSrc/src/main/kotlin/Versions.kt
index ec6e9ddfa1..4101a4f572 100644
--- a/android/buildSrc/src/main/kotlin/Versions.kt
+++ b/android/buildSrc/src/main/kotlin/Versions.kt
@@ -1,7 +1,7 @@
 object Versions {
     const val commonsValidator = "1.7"
     const val jodaTime = "2.10.14"
-    const val junit = "4.13"
+    const val junit = "4.13.2"
     const val jvmTarget = "1.8"
     const val koin = "2.2.3"
     const val kotlin = "1.5.31"
@@ -27,7 +27,7 @@ object Versions {
         const val lifecycle = "2.4.1"
         const val fragment = "1.3.2"
         const val recyclerview = "1.2.1"
-        const val junit = "1.1.3"
+        const val junit = "1.1.4"
         const val test = "1.4.0"
         const val uiautomator = "2.2.0"
     }
diff --git a/android/e2e/build.gradle.kts b/android/e2e/build.gradle.kts
index 07e80769db..4804dfba70 100644
--- a/android/e2e/build.gradle.kts
+++ b/android/e2e/build.gradle.kts
@@ -100,6 +100,7 @@ configure<org.owasp.dependencycheck.gradle.extension.DependencyCheckExtension> {
     // path. The alternative would be to suppress specific CVEs, however that could potentially
     // result in suppressed CVEs in project compilation class path.
     skipConfigurations = listOf("lintClassPath")
+    suppressionFile = "$projectDir/e2e-suppression.xml"
 }
 
 dependencies {
@@ -109,5 +110,6 @@ dependencies {
     implementation(Dependencies.AndroidX.testRules)
     implementation(Dependencies.AndroidX.testUiAutomator)
     implementation(Dependencies.androidVolley)
+    implementation(Dependencies.junit)
     implementation(Dependencies.Kotlin.stdlib)
 }
diff --git a/android/e2e/e2e-suppression.xml b/android/e2e/e2e-suppression.xml
new file mode 100644
index 0000000000..a3be14e7b4
--- /dev/null
+++ b/android/e2e/e2e-suppression.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[
+        This CVE only affect Multiplatform Gradle Projects, which this project is not.
+        ]]></notes>
+        <cve>CVE-2022-24329</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        This CVE is a false positive as the description refers to a GO library (github.com/containers/storage).
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/androidx\.test\.services/storage@.*$</packageUrl>
+        <cve>CVE-2021-20291</cve>
+    </suppress>
+</suppressions>