Veracode scan raises couple of flaws. [159160314]

Fixed

Bug

Status Update

No update yet.

Description

ra...@gmail.com

created issue #1

Jun 17, 2020 08:22AM

Artifact used (ex. androidx.appcompat:appcompat:1.0.0-alpha1):
Version used:
Theme used:
Devices/Android versions reproduced on:

Following two flaws(with line number)/complaining by veracode

https://android.googlesource.com/platform/frameworks/data-binding/+/master/extensions/baseAdapters/src/main/java/android/databinding/adapters/TabHostBindingAdapter.java#4

Attack Vector: span.neq

Number of Modules Affected: 1

Description: Using '!=' to compare two strings for inequality actually compares the object references rather than their values. It is unlikely that this reflects the intended application logic.

Remediation: Use the equals() method to compare strings, not the '!=' operator.

https://android.googlesource.com/platform/frameworks/support/+/refs/heads/androidx-recyclerview-release/biometric/src/main/java/androidx/biometric/DeviceCredentialHandlerActivity.java#37

Attack Vector: DeviceCredentialHandlerActivity

Number of Modules Affected: 1

Description: The component DeviceCredentialHandlerActivity as configured in AndroidManifest.xml is exported with no permission(s) set which increases the application's attack surface and possibly allows for injection or stealing of app data.

Remediation: The component's exported attribute in AndroidManifest.xml should be set explicitly to false, if possible. If it must be exported, then permissions should be used to ensure the app is used in the intended manner. This permission may be specific to the attribute or applied globally to the manifest's application element.

Comments

ow...@google.com <ow...@google.com> #2Jun 17, 2020 03:24PM

Assigned to mo...@google.com.

DeviceCredentialHandlerActivity has been removed in the latest version of biometric, to be released June 24 2020, as part of a refactor.

There is a mismatch between TabHostBindingAdapter.setCurrentTabTag using != and TabHost.setCurrentTabByTag using .equals().

ra...@gmail.com <ra...@gmail.com> #3Jun 18, 2020 03:30AM

Thanks for the timely response, could you please let me know the 2nd point
There is a mismatch between TabHostBindingAdapter.setCurrentTabTag using != and TabHost.setCurrentTabByTag using .equals().

not getting! clear

mo...@google.com <mo...@google.com> #4Jun 19, 2020 05:31PM

It found a bug in the binding adapter. I plan on making a change to fix it.

ra...@gmail.com <ra...@gmail.com> #5Jun 20, 2020 12:54PM

thanks a ton. and is there any time line for the fix release i can get?

mo...@google.com <mo...@google.com> #6Jun 23, 2020 06:50PM

I don't have an answer for when you'll see the fix. But you can implement a fix for yourself by defining the binding adapter in your own code and it will take precedence over the default binding adapter pulled from the data binding library.

mo...@google.com <mo...@google.com> #7Jun 29, 2020 08:38PM

Reassigned to cu...@google.com.

I've completed the TabHostBindingAdapter.java work. Reassigning to Curtis to handle the DeviceCredentialHandlerActivity work.

cu...@google.com <cu...@google.com> #8Jul 7, 2020 10:03PM

Marked as fixed.

Per comment #2, DeviceCredentialHandlerActivity is removed as of androidx.biometric 1.1.0-alpha01. Marking this as resolved.