Take care of ical4j dependencies (Security)

[rfc2822]

We should analyze the ical4j dependencies and then upgrade to the latest possible version (considering the Android SDK level) to get rid of the automatically generated Security issues.

For issues that don't go away with this, we can analyze them manually and explicitly fix/dismiss them.

[rfc2822]

@ArnyminerZ Can you please have a look which libraries this is about and which versions would fix it?

We can add the dependencies as a separate section in build.gradle, something like "// Bump dependencies from ical4j". Maybe we can also exclude some unneeded ones.

Then we will also have to see which dependencies are compatible with Android 7, which is the minimum SDK of DAVx5. I'd say we also increase the minimum SDK of ical4android to Android 7.

[ArnyminerZ]

We are using ical4j 3.2.19, which has the following dependencies. According to the Maven Repository, the dependencies that have updates available are:

• commons-codec » commons-codec
• commons-validator » commons-validator
• org.apache.commons » commons-lang3
• org.slf4j » slf4j-api

I'll try first excluding them all, and see if anything breaks. Otherwise I'll try updating them.

[rfc2822]

Hm the security issues persist… shouldn't they be closed automatically?

[ArnyminerZ]

shouldn't they be closed automatically?

I'm not sure, but none of them are related to the ones we have skipped, right? They are io.netty:netty-codec-http2, io.netty:netty-codec-http, org.bouncycastle:bcpkix-jdk18on, io.netty:netty-handler and com.fasterxml.woodstox:woodstox-core. All detected in settings.gradle, which doesn't import any plugins, but I don't know if its misdetected or if it's shown as settings.gradle but imported from build.gradle.kts. In any case, I'd say that all the dependencies reported are not shown in the dependency inspector of Android Studio, so I don't know what else to try 🤔

[rfc2822]

./gradlew --scan ical4android:assembleDebug generates https://scans.gradle.com/s/4z653tscbq57w/, which shows netty in the "build dependencies" and bouncycastle in the normal dependencies.

Maybe we can tweak the dependency generation to skip build dependencies (as they're not a security risk to users of the app – or did I forget something?).

---

Reason for our problem: https://community.gradle.org/github-actions/docs/dependency-submission-faq/#im-getting-many-false-positive-dependabot-alerts-for-dependencies-that-arent-used-by-my-project-why-are-these-dependencies-being-reported

[rfc2822]

I have set the dependency graph-generating task to compileDebugSources instead of assembleDebug, which reduces the security issues from 12 to 11. Unfortunately I didn't find a way to exclude build dependencies. So I'll just mark the dependencies as ignored manually, and if this gets too annoying, I think we have to disable the dependency graph submission again (or find a way to ignore build dependencies).