compose-ui 1.3.0 imports protobuf-javalite:3.19.4 which triggers a security alert (CVE-2022-3171) [255545055]

Fixed

Bug

Status Update

No update yet.

Description

lo...@gmail.com

created issue #1

Oct 25, 2022 03:56PM

compose-ui triggers a security alert as it imports inspector.jar which contains protobuf-javalite:3.19.4. Please upgrade the version of protobuf-javalite to at least 3.19.6.

Jetpack Compose version: 1.3.0

Jetpack Compose component(s) used: compose-ui

Steps to Reproduce or Code Sample to Reproduce:

Add compose-ui to a project

Stack trace (if applicable):

ui-1.3.0.aar: inspector.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml (pkg:maven/com.google.protobuf/protobuf-javalite@3.19.4, cpe:2.3:a:google:protobuf-java:3.19.4:*:*:*:*:*:*:*, cpe:2.3:a:google:protobuf-javalite:3.19.4:*:*:*:*:*:*:*) : CVE-2022-3171

Comments

cl...@google.com <cl...@google.com> Oct 26, 2022 11:42AM

Assigned to ni...@google.com.

ni...@google.com <ni...@google.com> #2Oct 26, 2022 02:32PM

Could you please provide the dependencies you're using for your project?

Compose does not use protos for any production use case, so we will need more information to determine which dependency is pulling in the protobuf dependency.

Message last modified on Oct 26, 2022 02:32PM

jl...@google.com <jl...@google.com> #3Oct 26, 2022 06:30PM

libs.versions.toml does have protobuf version as "3.19.4"

And protobufs are used in production code for app inspection jars like the layout inspector jar that comes with compose:ui:ui

ni...@google.com <ni...@google.com> #4Oct 26, 2022 07:52PM

Oh interesting, build.gradle doesn't declare this dependency though? Curious if androidx-main is the only place we'd to update.

ni...@google.com <ni...@google.com> #5Dec 15, 2022 08:57PM

Marked as fixed.

Compose UI 1.3.2 updates this dependency: https://developer.android.com/jetpack/androidx/releases/compose-ui#1.3.2

[Deleted User] <[Deleted User]> #6Dec 27, 2022 02:21PM

Thanks

Issue 255545055