Conversation

@fdevans
Contributor

@fdevans fdevans commented Jan 12, 2026

Update Bouncy Castle to 1.79 for CVE-2025-8916

Summary

Upgrades Bouncy Castle dependencies from 1.69 to 1.79 to address security vulnerability CVE-2025-8916 and align with upcoming Grails 7 project standards.

Motivation

  • Security: Mitigates CVE-2025-8916 found in org.bouncycastle:bcprov-jdk15on:1.69 (transitive dependency via redline-rpm)
  • Alignment: Version 1.79 aligns with Grails 7 project dependency requirements
  • Maintainability: Follows established pattern for dependency version overrides (similar to commons-compress and commons-lang3)

Changes

  • Added bouncyCastleVersion=1.79 to gradle.properties files (buildSrc and root)
  • Configured Gradle dependency resolution to force Bouncy Castle 1.79
  • Implemented dependency substitution to replace jdk15on variants with jdk18on variants
    • bcpg-jdk15on:1.69 -> bcpg-jdk18on:1.79
    • bcprov-jdk15on:1.69 -> bcprov-jdk18on:1.79

Technical Details

Vulnerability Path

buildSrc › org.redline-rpm:redline:1.2.10 › 
  org.bouncycastle:bcpg-jdk15on:1.69 › 
    org.bouncycastle:bcprov-jdk15on:1.69 (VULNERABLE)

Resolution Strategy

Uses Gradle's resolutionStrategy with:

  1. Force directives: Enforces version 1.79 for Bouncy Castle artifacts
  2. Dependency substitution: Replaces jdk15on variants with jdk18on variants (required as 1.79 only available in jdk18on)

Why jdk18on?

  • Version 1.79 is only available in the jdk18on variant (supports JDK 1.8+)
  • The jdk15on variant maxes out at version 1.70
  • jdk18on provides identical API surface with no breaking changes
  • Binary compatible with existing code

Testing

  • ✅ BuildSrc compiles successfully with BC 1.79
  • ✅ Dependency tree confirms upgrade: bcpg-jdk15on:1.69 -> bcpg-jdk18on:1.79
  • ✅ All transitive dependencies properly resolved (bcprov-jdk18on, bcutil-jdk18on)

Verification

To verify the fix:

cd buildSrc
../gradlew dependencies --configuration runtimeClasspath | grep bouncycastle

Expected output:

\--- org.bouncycastle:bcpg-jdk15on:1.69 -> org.bouncycastle:bcpg-jdk18on:1.79
     +--- org.bouncycastle:bcprov-jdk18on:1.79
     \--- org.bouncycastle:bcutil-jdk18on:1.79

Context

  • Redline-rpm (1.2.10) is used for RPM package creation via the nebula.ospackage plugin
  • Bouncy Castle provides PGP/GPG signing functionality for RPM packages
  • The library has been inactive since 2021 with no updates planned
  • Dependency override is the recommended mitigation strategy

Risk Assessment

Low Risk - Version 1.79 is a minor update with bug fixes and security patches, maintaining full backward compatibility with the OpenPGP APIs used by redline-rpm.

Related Issues

  • Closes: [Issue/Ticket Number]
  • Related to Grails 7 upgrade initiative

- Override transitive Bouncy Castle dependencies from redline-rpm (1.69 -> 1.79)
- Substitute bcpg-jdk15on/bcprov-jdk15on with jdk18on variants
- Add bouncyCastleVersion property to gradle.properties (following existing pattern)
- Version 1.79 mitigates CVE-2025-8916 in bcprov-jdk15on:1.69
- Aligns with upcoming Grails 7 project dependency versions
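A worked buildSrc/build.gradle for the Resolution Strategy and Verification sections of the description above, as an added example; it is not the PR's own diff, which this page does not show. It assumes Gradle 6.6 or later for the `substitute ... using ... because` form, that buildSrc applies the java or groovy plugin (so a `check` task exists), and the `bouncyCastleVersion=1.79` property the PR adds to buildSrc/gradle.properties; the `checkBouncyCastle` task name is invented here.

```groovy
// buildSrc/build.gradle (added example, not the PR's actual change)
// Assumes Gradle 6.6+ and bouncyCastleVersion=1.79 in buildSrc/gradle.properties.
def bcVersion = project.findProperty('bouncyCastleVersion') ?: '1.79'

configurations.all {
    resolutionStrategy {
        // 1. Force directives: pin every Bouncy Castle artifact that can reach
        //    the classpath. bcutil-jdk18on is pulled in by bcpg-jdk18on:1.79,
        //    so it is pinned as well rather than left to transitive selection.
        force "org.bouncycastle:bcprov-jdk18on:${bcVersion}",
              "org.bouncycastle:bcpg-jdk18on:${bcVersion}",
              "org.bouncycastle:bcutil-jdk18on:${bcVersion}"

        // 2. Dependency substitution: redline-rpm 1.2.10 requests the jdk15on
        //    coordinates, which stop at 1.70; map them onto jdk18on so the
        //    forced 1.79 version can actually be resolved.
        dependencySubstitution {
            substitute module('org.bouncycastle:bcprov-jdk15on') using module("org.bouncycastle:bcprov-jdk18on:${bcVersion}") because 'CVE-2025-8916: 1.79 is only published as jdk18on'
            substitute module('org.bouncycastle:bcpg-jdk15on')   using module("org.bouncycastle:bcpg-jdk18on:${bcVersion}")   because 'CVE-2025-8916: 1.79 is only published as jdk18on'
        }
    }
}

// Guard against regression: fail the build if any jdk15on Bouncy Castle
// artifact still resolves on the runtime classpath (for example if a new
// dependency later requests bcpkix-jdk15on, which the rules above do not map).
// Task name is an assumption for this example.
tasks.register('checkBouncyCastle') {
    description = 'Fails if any org.bouncycastle:*-jdk15on artifact is still resolved.'
    doLast {
        def resolved = configurations.runtimeClasspath.incoming.resolutionResult.allComponents
            .collect { it.moduleVersion }
            .findAll { it != null && it.group == 'org.bouncycastle' }

        def offenders = resolved.findAll { it.name.endsWith('-jdk15on') }
        if (offenders) {
            throw new GradleException("Unmapped Bouncy Castle jdk15on artifacts on runtimeClasspath: ${offenders}")
        }

        def wrongVersion = resolved.findAll { it.version != bcVersion }
        if (wrongVersion) {
            throw new GradleException("Bouncy Castle artifacts not at ${bcVersion}: ${wrongVersion}")
        }
        logger.lifecycle("Bouncy Castle resolved at ${bcVersion}: ${resolved*.name}")
    }
}

tasks.named('check') { dependsOn 'checkBouncyCastle' }
```

Running `../gradlew checkBouncyCastle` from buildSrc complements the `dependencies --configuration runtimeClasspath | grep bouncycastle` check in the description: the report shows the rewrite, while the task turns "no jdk15on artifact and every artifact at 1.79" into a build failure instead of something a reviewer has to read off the tree.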
@fdevans fdevans requested review from a team and Copilot January 12, 2026 20:31
@fdevans fdevans changed the title Update Bouncy Castle to 1.79 for CVE-2025-8916 and Grails 7 alignment RUN-3894: Update Bouncy Castle to 1.79 for CVE-2025-8916 and Grails 7 alignment Jan 12, 2026
Copilot AI left a comment

Pull request overview

This PR upgrades Bouncy Castle dependencies from version 1.69 to 1.79 to address a reported security vulnerability (CVE-2025-8916) and align with Grails 7 standards. The upgrade also transitions from the jdk15on variant to the jdk18on variant, as version 1.79 is only available in the latter.

Changes:

  • Added bouncyCastleVersion=1.79 property to both root and buildSrc gradle.properties files
  • Configured Gradle resolution strategy to force Bouncy Castle 1.79 and substitute jdk15on variants with jdk18on variants
  • Updated buildSrc/build.gradle with force directives and dependency substitutions to resolve the transitive Bouncy Castle dependency from redline-rpm

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
gradle.properties Added bouncyCastleVersion property set to 1.79 for dependency resolution
buildSrc/gradle.properties Added bouncyCastleVersion property set to 1.79 for buildSrc dependency resolution
buildSrc/build.gradle Added resolution strategy to force Bouncy Castle 1.79 and substitute jdk15on with jdk18on variants

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@fdevans fdevans changed the title RUN-3894: Update Bouncy Castle to 1.79 for CVE-2025-8916 and Grails 7 alignment RUN-3894: Update Bouncy Castle to 1.79 for CVE-2025-8916 Jan 29, 2026