CVE-2022-24329 It was not possible to lock dependencies in Multiplatform Gradle Projects in the Kotlin SDK before 1.6.0.

However, it was possible to lock dependencies for Android and iOS Projects. With the release of Kotlin 1.6.0, it is now also possible to lock dependencies for the new Universal Windows Platform Project.

What’s New in Kotlin 1.6.0?

When it comes to lock dependency checking in Gradle, there are two main approaches that you can take to accomplish this task:

1. Define a dependency on a specific version of the library.
2. Use a lock dependency.

The main advantage of the first approach is that it is very flexible. You can update the version of any specific dependency at any time without affecting any other dependency. You can also introduce a dependency on a specific version of a library in other Android Studio projects. The main disadvantage of this approach is that it is not possible to introduce a dependency on a specific version of a library in a Gradle project.

What’s a lock dependency?

A lock dependency is a way to control the version of an Android library that you depend on. In order to use this feature, you must specify the version of the library in your build script. This means that all dependencies that are added after this point will only be able to use a specific version of a library. Another option is to define a lock dependency on the latest supported release of a library (2.1 or higher). When you do this, it doesn’t allow any other project in your build script to use an older version of the library.

What is a Lock Dependency?

A lock dependency is a dependency that only applies to certain projects and not the others. Let’s go over the steps for adding a lock dependency in Kotlin 1.6.0:
1. Add the library you want to use as your lock dependency as a dependency for your project in Gradle.
2. Write an annotation to define this specific dependency of your project alone on top of any other library.
3. Declare that you have created a lock version by using the @Lock annotation on the root dependencies of your app module or one of its sub-projects, or use it on individual files inside those sub-projects (you can also just put it on the main source file).
4. When you need to update your application later, use the `updateLock` task to update all locks at once by declaring it in your build script:

   ```groovy
   updateLock() {
       // ...
   }
   ```
5. The `updateLock` task is covered by IntelliJ IDEA’s auto-updater tooling, so no manual intervention is required when updating locks later on!
6. To remove a lock, use:

   ```groovy
   updateUnlock() {
       // ...
   }
   ```
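To check that locking actually covers every target of a multiplatform build, which is the gap CVE-2022-24329 describes, the lock state can be audited from the lockfile. This is an added example, not code from the original page or from Kotlin or Gradle: it assumes Gradle's single-file `gradle.lockfile` format, and the sample lockfile, module versions and configuration names (`jvmCompileClasspath`, `jsRuntimeClasspath` and so on) are constructed for illustration.

```python
# Constructed sample in Gradle's single-lockfile format (gradle.lockfile).
# Module coordinates, versions and configuration names are illustrative.
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
# Manual edits can break the build and are not advised.
# This file is expected to be part of source control.
org.jetbrains.kotlin:kotlin-stdlib-common:1.6.0=jvmCompileClasspath,jvmRuntimeClasspath
org.jetbrains.kotlin:kotlin-stdlib:1.6.0=jvmCompileClasspath,jvmRuntimeClasspath
empty=jvmTestAnnotationProcessor
"""

# Assumed configuration names for a project with "jvm" and "js" targets.
EXPECTED_CONFIGURATIONS = ["jvmCompileClasspath", "jvmRuntimeClasspath",
                           "jsCompileClasspath", "jsRuntimeClasspath"]


def parse_lockfile(text):
    """Return (locked, empty): config -> {module: version}, and locked-but-empty configs."""
    locked, empty = {}, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry, sep, configs = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected '<entry>=<configurations>'")
        names = [c.strip() for c in configs.split(",") if c.strip()]
        if entry == "empty":
            # Configurations that are locked but resolve to no dependencies.
            empty.update(names)
            continue
        parts = entry.split(":")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {lineno}: malformed coordinate {entry!r}")
        module, version = f"{parts[0]}:{parts[1]}", parts[2]
        for name in names:
            locked.setdefault(name, {})[module] = version
    return locked, empty


def unlocked_configurations(text, expected):
    """Configurations in `expected` that have no lock state at all."""
    locked, empty = parse_lockfile(text)
    return [c for c in expected if c not in locked and c not in empty]


if __name__ == "__main__":
    for name in unlocked_configurations(SAMPLE_LOCKFILE, EXPECTED_CONFIGURATIONS):
        print(f"UNLOCKED: {name} has no entry in the lockfile")
```

Run against a real project, the expected list should come from the build's own resolvable configurations; any name reported here resolves without a pinned version set.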

Introduction to Kotlin 1.6.0

The new Kotlin 1.6.0 release introduces a bunch of new features and bug fixes to the already powerful Kotlin programming language. One of the most exciting new features is that it is now possible to mark dependencies as lockable in Android Studio projects.

Installing Kotlin 1.6.0 in Android Studio

In order to install Kotlin 1.6.0 in Android Studio, you need to update the version of Gradle first. To do this, click on "Tools > Android > Gradle Update..." and then select "1.6". Now you can use the new lock dependency option in order to ensure that your dependencies are locked by project.
