[fix] SDKS-5037 - bump bcpkix-jdk18on to 1.84 to address CVE-2026-5588

[rodrigoareis]

JIRA Ticket

SDKS-5037 Vulnerability in android SDK 4.8.3 bcpkix-jdk18on version 1.81

Description

CVE-2026-5588 affects org.bouncycastle:bcpkix-jdk18on at versions < 1.84.
The catalog pin in gradle/libs.versions.toml is the single source of truth
for this dependency (no transitive consumer drags in a different version
and no resolutionStrategy.force entry exists for it), so a one-line bump
in the version catalog is sufficient.

The only production consumer of bcpkix-jdk18on in this repo is
mfa/binding's AppPinAuthenticator (X.509 v1 certificate construction
for the APPLICATION_PIN device-binding flow). The Bouncy Castle PKIX
API surface used there has been stable across the 1.7x-1.8x line and
no source changes are required.

Verified:

• :mfa:binding:testDebugUnitTestCoverage (201 passing)
• :journey:testDebugUnitTestCoverage (69 passing)
• full --rerun-tasks testDebugUnitTestCoverage (BUILD SUCCESSFUL,
  940 actionable tasks)
• :mfa:binding:dependencies shows bcpkix-jdk18on:1.84 resolved on every
  configuration that references it.

Summary by CodeRabbit

• Bug Fixes

  • Applied a security-related dependency update to improve safety and stability.

• Chores

  • Updated dependency versions in build configuration.

• Documentation

  • Added a new 2.0.1 changelog entry reflecting the dependency update.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds .kotlin and .polaris/ to .gitignore, bumps bcpkix-jdk18on in gradle/libs.versions.toml to 1.84, and adds a 2.0.1 changelog entry documenting the upgrade and CVE reference.

Changes

Build Configuration Maintenance

Layer / File(s)	Summary
Build environment and dependency updates .gitignore, gradle/libs.versions.toml, CHANGELOG.md	Added ignore patterns for .kotlin and .polaris/; updated bcpkix-jdk18on to 1.84 in the Gradle version catalog; added 2.0.1 changelog entry noting the upgrade and CVE reference.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

• witrisna

Poem

🐰 A kotlin shadow fades away,
Polaris too shall not stay,
Bouncy Castle climbs to one-eight-four,
A changelog notes the CVE score,
Small hops keep the build in sway! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: bumping bcpkix-jdk18on to 1.84 to address CVE-2026-5588, which aligns with the changeset's primary objective.
Description check	✅ Passed	The description includes both required sections (JIRA Ticket and Description) with comprehensive information about the vulnerability, rationale, affected components, and verification results.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch SDKS-5037

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.65%. Comparing base (6f66df9) to head (272d758).

Additional details and impacted files

@@              Coverage Diff              @@
##             develop     #201      +/-   ##
=============================================
- Coverage      44.46%   42.65%   -1.82%     
+ Complexity      1296     1287       -9     
=============================================
  Files            312      312              
  Lines           9447     9447              
  Branches        1403     1403              
=============================================
- Hits            4201     4030     -171     
- Misses          4649     4862     +213     
+ Partials         597      555      -42     

Flag	Coverage Δ
integration-tests	25.08% <ø> (-3.26%)	⬇️
unit-tests	25.91% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@CHANGELOG.md`:
- Line 3: Change the subheading level under the release header: replace the
incorrect "#### Fixed" heading with "### Fixed" so it correctly nests under the
"## [2.0.1]" release header and resolves the MD001 markdownlint error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 181e7a7a-8763-49e8-bc8b-42d4dcde9024

📥 Commits

Reviewing files that changed from the base of the PR and between d9f0ad9 and 272d758.

📒 Files selected for processing (1)

• CHANGELOG.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix heading-level increment for markdownlint compliance.

At Line 3, #### Fixed skips a level under ## [2.0.1] and triggers MD001. Use ### Fixed instead.

Suggested patch

-#### Fixed
+### Fixed

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#### Fixed
	### Fixed

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 3-3: Heading levels should only increment by one level at a time
Expected: h3; Actual: h4

(MD001, heading-increment)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` at line 3, Change the subheading level under the release
header: replace the incorrect "#### Fixed" heading with "### Fixed" so it
correctly nests under the "## [2.0.1]" release header and resolves the MD001
markdownlint error.

[spetrov]

LGTM!