Comments
rg...@gmail.com <rg...@gmail.com> #3
This is a bug report based on the result of the Veracode scan. This was identified as a vulnerability in the Veracode scan.
Thanks!
ja...@google.com <ja...@google.com> #4
Thank you for reporting this issue. We just need a few things for us to further investigate this issue:
Please fill out each question and comment, thank you.
- Have you observed this bug on Pixel devices as well?
- Android Build Version (go to Settings > About Device > Build Number (hold down to copy)):
- Android Device Model:
- Android app name, URL, and version if an app related issue:
- If possible, capture the issue in a screen recording (desktop and/or phone capture).
- Upload the full bug report file after the issue has occurred. Steps followed here: https://developer.android.com/studio/debug/bug-report
- Please provide a simple sample project (exported zip Android Studio file) that reproduces the issue. This gives us the closest test environment to yours and allows us to inspect the code/structure used which will help analyze your issue.
- Steps to reproduce issue specific to the provided sample project: [Be as specific as possible]
  1.
  2.
  3.
- Expected Results:
- Observed Results:
Note: Please upload to google drive and share the folder to
The more information we have, the more accurately our product and engineering team can solve the issue. Thank you so much for your time and for your cooperation.
rg...@gmail.com <rg...@gmail.com> #5
This is a vulnerability reported by Veracode when scanning the app, not really a bug in that sense (sorry for the miscommunication about this earlier).
So this is not something seen on a device but reported in a security scan of our app by Veracode.
ja...@google.com <ja...@google.com> #6
Thank you for the update.
- Would you consider this a feature request?
rg...@gmail.com <rg...@gmail.com> #7
Not really because there is no new addition that I'm requesting, but it is not a bug in the strictest sense because this is a case of improper code that got flagged by our security scan. It should be a very simple fix to close the resource correctly in the finally block if this resource is not closed or closed in the else block.
Description
No particular steps to reproduce. We have the dependency "com.android.support:multidex:1.0.3" in our app's build.gradle. When running the Veracode scan on our app, the following error was highlighted by Veracode:
Error highlighted is on line 100 of MultiDexExtractor.java:
Improper Resource Shutdown or Release (CWE ID 404)
Description: The application fails to release (or incorrectly releases) a system resource before it is made available for re-use. This condition often occurs with resources such as database connections or file handles. Most unreleased resource issues result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, it may be possible to launch a denial of service attack by depleting the resource pool.
Recommendations: When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation. Ensure that all code paths properly release resources.
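The pattern the scanner flags (CWE-404) and the fix described in comment #7, shown side by side as an added example. This is hypothetical illustrative code written for this thread, not the contents of MultiDexExtractor.java line 100 or any other multidex library code; the class and method names, and the temporary zip it builds as sample input, are all constructed here.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

// Illustrative leak/fix pair for CWE-404 (hypothetical code, not MultiDexExtractor.java).
public final class ResourceReleaseExample {

    // LEAKY: the early "entry not found" return never closes the ZipFile, and an
    // exception from getEntry() also skips close(). Each such call leaks a file handle,
    // which is exactly the "not all code paths release the resource" finding.
    static long leakyEntrySize(File apk, String entryName) throws IOException {
        ZipFile zip = new ZipFile(apk);
        ZipEntry entry = zip.getEntry(entryName);
        if (entry == null) {
            return -1;          // handle leaked on this path
        }
        long size = entry.getSize();
        zip.close();            // only reached on the happy path
        return size;
    }

    // FIXED (as comment #7 suggests): close in finally so every path releases the handle.
    static long safeEntrySize(File apk, String entryName) throws IOException {
        ZipFile zip = new ZipFile(apk);
        try {
            ZipEntry entry = zip.getEntry(entryName);
            return entry == null ? -1 : entry.getSize();
        } finally {
            zip.close();        // runs on normal return, early return and exception alike
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary zip holding one small entry.
        File tmp = File.createTempFile("sample", ".zip");
        tmp.deleteOnExit();
        try (ZipOutputStream out = new ZipOutputStream(new FileOutputStream(tmp))) {
            out.putNextEntry(new ZipEntry("classes2.dex"));
            out.write(new byte[] {1, 2, 3, 4, 5});
            out.closeEntry();
        }
        System.out.println(safeEntrySize(tmp, "classes2.dex"));
        System.out.println(safeEntrySize(tmp, "missing.dex"));
    }
}
```

On Java 7+ (Android API level 19 and later) the same guarantee can be written more compactly with try-with-resources, `try (ZipFile zip = new ZipFile(apk)) { ... }`, which a static scanner also recognises as a correct release.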