fix(deps): update dependency com.hierynomus:sshj to v0.36.0 (#2670)

* fix(deps): update dependency com.hierynomus:sshj to v0.36.0

* refactor(build): drop unnecessary explicit dependency

* chore(idea): cruft

* fix(app): ensure SLF4J v1 is used

* fix(build): disable illegal BindsCanBeExtensionFunction lint

* chore: refresh Lint baselines

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Harsh Shandilya <me@msfjarvis.dev>

.idea/kotlinScripting.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project version="4">
-  <component name="KotlinScriptingSettings">
-    <option name="suppressDefinitionsCheck" value="true" />
-  </component>
-</project>

app/build.gradle.kts

@@ -86,9 +86,8 @@ dependencies {
   implementation(libs.thirdparty.logcat)
   implementation(libs.thirdparty.modernAndroidPrefs)
   implementation(libs.thirdparty.plumber)
-  implementation(libs.thirdparty.sshj) { exclude(group = "org.bouncycastle") }
+  implementation(libs.thirdparty.sshj)
   implementation(libs.thirdparty.bouncycastle.bcprov)
-  implementation(libs.thirdparty.bouncycastle.bcpkix)
 
   if (snapshot.snapshot) {
     implementation(libs.thirdparty.whatthestack)
@@ -96,6 +95,10 @@ dependencies {
     debugImplementation(libs.thirdparty.whatthestack)
   }
 
+  implementation(libs.thirdparty.slf4j.api) {
+    because("SSHJ now uses SLF4J 2.0 which we don't want")
+  }
+
   implementation(libs.thirdparty.leakcanary.core)
   nonFreeImplementation(libs.thirdparty.nonfree.googlePlayAuthApiPhone)
   nonFreeImplementation(libs.thirdparty.nonfree.sentry)

app/lint-baseline.xml

@@ -14,16 +14,16 @@
 
     <issue
         id="InvalidPackage"
-        message="Invalid package reference in org.bouncycastle:bcpkix-jdk18on; not included in Android: `javax.naming.directory`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory`.">
+        message="Invalid package reference in library; not included in Android: `javax.naming.directory`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory`.">
         <location
-            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.76/10c9cf5c1b4d64abeda28ee32fbade3b74373622/bcpkix-jdk18on-1.76.jar"/>
+            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.75/5adfef8a71a0933454739264b56283cc73dd2383/bcpkix-jdk18on-1.75.jar"/>
     </issue>
 
     <issue
         id="InvalidPackage"
-        message="Invalid package reference in org.bouncycastle:bcpkix-jdk18on; not included in Android: `javax.naming`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory.1`.">
+        message="Invalid package reference in library; not included in Android: `javax.naming`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory.1`.">
         <location
-            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.76/10c9cf5c1b4d64abeda28ee32fbade3b74373622/bcpkix-jdk18on-1.76.jar"/>
+            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.75/5adfef8a71a0933454739264b56283cc73dd2383/bcpkix-jdk18on-1.75.jar"/>
     </issue>
 
     <issue

app/proguard-rules.pro

@@ -1,7 +1,6 @@
 -keepattributes SourceFile,LineNumberTable,EnclosingMethod,InnerClasses
 -dontobfuscate
 
--keep class com.jcraft.jsch.**
 -keep class org.eclipse.jgit.internal.JGitText { *; }
 -keep class org.bouncycastle.jcajce.provider.** { *; }
 -keep class !org.bouncycastle.jce.provider.X509LDAPCertStoreSpi,org.bouncycastle.jce.provider.** { *; }

build-logic/src/main/kotlin/app/passwordstore/gradle/LintConfig.kt

@@ -38,6 +38,9 @@ object LintConfig {
       disable += "FragmentFieldInjection"
       // Too pedantic
       disable += "ArgInFormattedQuantityStringRes"
+      // Illegal in Dagger v2.48, can be removed after
+      // https://github.com/slackhq/slack-lints/pull/133 is released.
+      disable += "BindsCanBeExtensionFunction"
     }
     baseline = project.file("lint-baseline.xml")
   }

gradle/libs.versions.toml

@@ -72,7 +72,6 @@ testing-robolectric = "org.robolectric:robolectric:4.10.3"
 testing-sharedPrefsMock = "com.github.android-password-store:shared-preferences-fake:2.0.0"
 testing-testparameterinjector = "com.google.testparameterinjector:test-parameter-injector:1.12"
 testing-turbine = "app.cash.turbine:turbine:1.0.0"
-thirdparty-bouncycastle-bcpkix = { module = "org.bouncycastle:bcpkix-jdk18on", version.ref = "bouncycastle" }
 thirdparty-bouncycastle-bcprov = { module = "org.bouncycastle:bcprov-jdk18on", version.ref = "bouncycastle" }
 thirdparty-commons_codec = "commons-codec:commons-codec:1.14"
 thirdparty-compose-lints = "com.slack.lint.compose:compose-lint-checks:1.2.0"
@@ -91,8 +90,8 @@ thirdparty-nonfree-sentry = "io.sentry:sentry-android:6.28.0"
 thirdparty-pgpainless = "org.pgpainless:pgpainless-core:1.6.2"
 thirdparty-plumber = { module = "com.squareup.leakcanary:plumber-android-startup", version.ref = "leakcanary" }
 thirdparty-slack-lints = "com.slack.lint:slack-lint-checks:0.4.0"
-# TODO: Remove the explicit bcpkix dependency when upgrading this to a BC 1.71 compatible version
-thirdparty-sshj = "com.hierynomus:sshj:0.35.0"
+thirdparty-slf4j-api = { module = "org.slf4j:slf4j-api", version = { strictly = "[1.7, 1.8[", prefer = "1.7.36" } }
+thirdparty-sshj = "com.hierynomus:sshj:0.36.0"
 thirdparty-uri = "com.eygraber:uri-kmp:0.0.14"
 thirdparty-whatthestack = "com.github.haroldadmin:WhatTheStack:1.0.0-alpha04"
 

ssh/build.gradle.kts

@@ -19,7 +19,7 @@ dependencies {
   implementation(libs.androidx.core.ktx)
   implementation(libs.kotlinx.coroutines.android)
   implementation(libs.kotlinx.coroutines.core)
-  implementation(libs.thirdparty.sshj) { exclude(group = "org.bouncycastle") }
+  implementation(libs.thirdparty.sshj)
   implementation(libs.thirdparty.logcat)
   implementation(libs.androidx.security)
   implementation(libs.thirdparty.eddsa)

ssh/lint-baseline.xml

@@ -1,4 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <issues format="6" by="lint 8.3.0-alpha01" type="baseline" client="gradle" dependencies="false" name="AGP (8.3.0-alpha01)" variant="all" version="8.3.0-alpha01">
 
+    <issue
+        id="InvalidPackage"
+        message="Invalid package reference in library; not included in Android: `javax.naming.directory`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory`.">
+        <location
+            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.75/5adfef8a71a0933454739264b56283cc73dd2383/bcpkix-jdk18on-1.75.jar"/>
+    </issue>
+
+    <issue
+        id="InvalidPackage"
+        message="Invalid package reference in library; not included in Android: `javax.naming`. Referenced from `org.bouncycastle.cert.dane.fetcher.JndiDANEFetcherFactory.1`.">
+        <location
+            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.75/5adfef8a71a0933454739264b56283cc73dd2383/bcpkix-jdk18on-1.75.jar"/>
+    </issue>
+
+    <issue
+        id="TrustAllX509TrustManager"
+        message="`checkServerTrusted` is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers">
+        <location
+            file="$GRADLE_USER_HOME/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.75/5adfef8a71a0933454739264b56283cc73dd2383/bcpkix-jdk18on-1.75.jar"/>
+    </issue>
+
 </issues>