AGP 8.3.0-alpha02 depends on libraries with known security vunelaribilities [299134781]

Fixed

Bug

Status Update

No update yet.

Description

ls...@gmail.com

created issue #1

Sep 6, 2023 12:32AM

Android Gradle Plugin 8.3.0-alpha02 depends on outdated versions of libraries with known security vulnerabilities.

Vulnerable dependencies from the GitHub Dependabot alerts report:

io.grpc:grpc-protobuf:1.45.1

CVE-2023-1428 GHSA-6628-q6j9-w8vg gRPC Reachable Assertion issue
CVE-2023-32731 GHSA-cfgp-2977-2fmm Connection confusion in gRPC
CVE-2023-32732 GHSA-9hxf-ppjv-w6rq gRPC connection termination issue

com.google.protobuf:protobuf-java:3.19.3

CVE-2022-3509 GHSA-g5ww-5jh7-63cx Protobuf Java vulnerable to Uncontrolled Resource Consumption
CVE-2022-3510 GHSA-4gg5-vx3j-xwc7 Protobuf Java vulnerable to Uncontrolled Resource Consumption
CVE-2022-3171 GHSA-h4h5-3hr4-j3g2 protobuf-java has a potential Denial of Service issue

org.bouncycastle:bcprov-jdk15on:1.67

CVE-2023-33201 GHSA-hr8g-6v94-x4m9 Bouncy Castle For Java LDAP injection vulnerability

io.netty:netty-handler:4.1.72.Final

CVE-2023-34462 GHSA-6mjq-h674-j845 netty-handler SniHandler 16MB allocation

io.netty:netty-codec-http2:4.1.72.Final

CVE-2022-24823 GHSA-269q-hmxg-m83q Local Information Disclosure Vulnerability in io.netty:netty-codec-http

com.google.guava:guava:31.1-jre

CVE-2023-2976 GHSA-7g45-4rm6-3mm3 Guava vulnerable to insecure use of temporary directory
CVE-2020-8908 GHSA-5mg8-w23w-74h3 Information Disclosure in Guava

org.bitbucket.b_c:jose4j:0.7.0

GHSA-jgvc-jfgh-rjvv Chosen Ciphertext Attack in Jose4j

xerces:xercesImpl:2.12.0

CVE-2022-23437 GHSA-h65f-jvqw-m9fj Infinite Loop in Apache Xerces Java

commons-io:commons-io:2.4

CVE-2021-29425 GHSA-gwrp-pvrq-jmwv Path Traversal and Improper Input Validation in Apache Commons IO

buildEnvironment of the new Android project:

$ ./gradlew buildEnvironment

> Task :buildEnvironment

------------------------------------------------------------
Root project 'test-project'
------------------------------------------------------------

classpath
+--- com.android.application:com.android.application.gradle.plugin:8.3.0-alpha02
|    \--- com.android.tools.build:gradle:8.3.0-alpha02
|         +--- com.android.tools.build:gradle-settings-api:8.3.0-alpha02
|         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0
|         |         +--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0
|         |         |    +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.9.0
|         |         |    \--- org.jetbrains:annotations:13.0
|         |         \--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.0
|         |              \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0 (*)
|         +--- com.android.tools:sdk-common:31.3.0-alpha02
|         |    +--- com.android.tools.analytics-library:shared:31.3.0-alpha02
|         |    |    +--- com.android.tools.analytics-library:protos:31.3.0-alpha02
|         |    |    |    \--- com.google.protobuf:protobuf-java:3.19.3
|         |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    +--- com.android.tools:common:31.3.0-alpha02
|         |    |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    |    +--- com.google.guava:guava:31.1-jre
|         |    |    |    |    +--- com.google.guava:failureaccess:1.0.1
|         |    |    |    |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|         |    |    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    |    |    +--- org.checkerframework:checker-qual:3.12.0
|         |    |    |    |    +--- com.google.errorprone:error_prone_annotations:2.11.0
|         |    |    |    |    \--- com.google.j2objc:j2objc-annotations:1.3
|         |    |    |    +--- net.java.dev.jna:jna-platform:5.6.0
|         |    |    |    |    \--- net.java.dev.jna:jna:5.6.0
|         |    |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    |    +--- com.google.code.gson:gson:2.10
|         |    |    +--- com.google.guava:guava:31.1-jre (*)
|         |    |    +--- net.java.dev.jna:jna-platform:5.6.0 (*)
|         |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    +--- com.android.tools.build:aapt2-proto:8.3.0-alpha02-10154469
|         |    |    \--- com.google.protobuf:protobuf-java:3.19.3
|         |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    +--- com.android.tools.ddms:ddmlib:31.3.0-alpha02
|         |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    |    +--- net.sf.kxml:kxml2:2.3.0
|         |    |    \--- org.jetbrains:annotations:13.0
|         |    +--- com.android.tools.layoutlib:layoutlib-api:31.3.0-alpha02
|         |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- net.sf.kxml:kxml2:2.3.0
|         |    |    \--- org.jetbrains:annotations:13.0
|         |    +--- com.android.tools:sdklib:31.3.0-alpha02
|         |    |    +--- com.android.tools:repository:31.3.0-alpha02
|         |    |    |    +--- com.android.tools.analytics-library:shared:31.3.0-alpha02 (*)
|         |    |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    |    +--- com.google.jimfs:jimfs:1.1
|         |    |    |    |    \--- com.google.guava:guava:18.0 -> 31.1-jre (*)
|         |    |    |    +--- com.sun.activation:javax.activation:1.2.0
|         |    |    |    +--- org.apache.commons:commons-compress:1.21
|         |    |    |    +--- org.glassfish.jaxb:jaxb-runtime:2.3.2
|         |    |    |    |    +--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.2
|         |    |    |    |    |    \--- jakarta.activation:jakarta.activation-api:1.2.1
|         |    |    |    |    +--- org.glassfish.jaxb:txw2:2.3.2
|         |    |    |    |    +--- com.sun.istack:istack-commons-runtime:3.0.8
|         |    |    |    |    |    \--- jakarta.activation:jakarta.activation-api:1.2.1
|         |    |    |    |    +--- org.jvnet.staxex:stax-ex:1.8.1
|         |    |    |    |    |    +--- jakarta.activation:jakarta.activation-api:1.2.1
|         |    |    |    |    |    \--- jakarta.xml.bind:jakarta.xml.bind-api:2.3.2 (*)
|         |    |    |    |    +--- com.sun.xml.fastinfoset:FastInfoset:1.2.16
|         |    |    |    |    \--- jakarta.activation:jakarta.activation-api:1.2.1
|         |    |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools:dvlib:31.3.0-alpha02
|         |    |    |    \--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools.layoutlib:layoutlib-api:31.3.0-alpha02 (*)
|         |    |    +--- com.google.code.gson:gson:2.10
|         |    |    +--- org.apache.commons:commons-compress:1.21
|         |    |    +--- org.apache.httpcomponents:httpcore:4.4.16
|         |    |    +--- org.apache.httpcomponents:httpmime:4.5.6
|         |    |    |    \--- org.apache.httpcomponents:httpclient:4.5.6 -> 4.5.14
|         |    |    |         +--- org.apache.httpcomponents:httpcore:4.4.16
|         |    |    |         +--- commons-logging:commons-logging:1.2
|         |    |    |         \--- commons-codec:commons-codec:1.11
|         |    |    \--- org.glassfish.jaxb:jaxb-runtime:2.3.2 (*)
|         |    +--- com.google.code.gson:gson:2.10
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    +--- javax.inject:javax.inject:1
|         |    +--- net.sf.kxml:kxml2:2.3.0
|         |    +--- org.bouncycastle:bcpkix-jdk15on:1.67
|         |    |    \--- org.bouncycastle:bcprov-jdk15on:1.67
|         |    +--- org.bouncycastle:bcprov-jdk15on:1.67
|         |    +--- org.glassfish.jaxb:jaxb-runtime:2.3.2 (*)
|         |    +--- org.jetbrains.intellij.deps:trove4j:1.0.20200330
|         |    +--- org.jetbrains.kotlin:kotlin-reflect:1.9.0-Beta -> 1.9.0
|         |    |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.9.0 (*)
|         |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    \--- xerces:xercesImpl:2.12.0
|         |         \--- xml-apis:xml-apis:1.4.01
|         +--- com.android.tools:sdklib:31.3.0-alpha02 (*)
|         +--- com.android.tools:repository:31.3.0-alpha02 (*)
|         +--- com.android.tools.ddms:ddmlib:31.3.0-alpha02 (*)
|         +--- com.android.tools.build:aapt2-proto:8.3.0-alpha02-10154469 (*)
|         +--- com.android.tools.build:aaptcompiler:8.3.0-alpha02
|         |    +--- com.android.tools.build:aapt2-proto:8.3.0-alpha02-10154469 (*)
|         |    +--- com.android.tools.layoutlib:layoutlib-api:31.3.0-alpha02 (*)
|         |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         +--- com.android.tools.analytics-library:crash:31.3.0-alpha02
|         |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    +--- org.apache.httpcomponents:httpclient:4.5.14 (*)
|         |    +--- org.apache.httpcomponents:httpcore:4.4.16
|         |    \--- org.apache.httpcomponents:httpmime:4.5.6 (*)
|         +--- com.android.tools.analytics-library:shared:31.3.0-alpha02 (*)
|         +--- com.android.tools.lint:lint-model:31.3.0-alpha02
|         |    +--- com.android.tools.build:builder-model:8.3.0-alpha02
|         |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    +--- com.android.tools:sdk-common:31.3.0-alpha02 (*)
|         |    +--- net.sf.kxml:kxml2:2.3.0
|         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         +--- com.android.tools.lint:lint-typedef-remover:31.3.0-alpha02
|         |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    \--- org.ow2.asm:asm:9.2
|         +--- androidx.databinding:databinding-compiler-common:8.3.0-alpha02
|         |    +--- androidx.databinding:databinding-common:8.3.0-alpha02
|         |    +--- com.android.databinding:baseLibrary:8.3.0-alpha02
|         |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    +--- com.android.tools.build.jetifier:jetifier-core:1.0.0-beta10
|         |    |    +--- com.google.code.gson:gson:2.8.0 -> 2.10
|         |    |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.3.71 -> 1.9.0 (*)
|         |    +--- com.google.code.gson:gson:2.10
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    +--- com.googlecode.juniversalchardet:juniversalchardet:1.0.3
|         |    +--- com.squareup:javapoet:1.10.0
|         |    +--- commons-io:commons-io:2.4
|         |    +--- org.glassfish.jaxb:jaxb-runtime:2.3.2 (*)
|         |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         +--- androidx.databinding:databinding-common:8.3.0-alpha02
|         +--- com.android.databinding:baseLibrary:8.3.0-alpha02
|         +--- com.android.tools.build:builder-test-api:8.3.0-alpha02
|         |    +--- com.android.tools.ddms:ddmlib:31.3.0-alpha02 (*)
|         |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    \--- com.google.guava:guava:31.1-jre (*)
|         +--- com.android.tools.layoutlib:layoutlib-api:31.3.0-alpha02 (*)
|         +--- com.android.tools.utp:android-device-provider-ddmlib-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-device-provider-gradle-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-additional-test-output-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-coverage-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-emulator-control-proto:31.3.0-alpha02
|         |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-logcat-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-apk-installer-proto:31.3.0-alpha02
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-host-retention-proto:31.3.0-alpha02
|         |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.android.tools.utp:android-test-plugin-result-listener-gradle-proto:31.3.0-alpha02
|         |    +--- io.grpc:grpc-core:1.45.1
|         |    |    +--- io.grpc:grpc-api:1.45.1
|         |    |    |    +--- io.grpc:grpc-context:1.45.1
|         |    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    |    +--- com.google.errorprone:error_prone_annotations:2.10.0 -> 2.11.0
|         |    |    |    \--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    |    +--- com.google.code.gson:gson:2.8.9 -> 2.10
|         |    |    +--- com.google.android:annotations:4.1.1.4
|         |    |    +--- org.codehaus.mojo:animal-sniffer-annotations:1.19
|         |    |    +--- com.google.errorprone:error_prone_annotations:2.10.0 -> 2.11.0
|         |    |    +--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    |    \--- io.perfmark:perfmark-api:0.23.0
|         |    +--- io.grpc:grpc-netty:1.45.1
|         |    |    +--- io.grpc:grpc-core:1.45.1 (*)
|         |    |    +--- io.netty:netty-codec-http2:4.1.72.Final
|         |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    +--- io.netty:netty-buffer:4.1.72.Final
|         |    |    |    |    \--- io.netty:netty-common:4.1.72.Final
|         |    |    |    +--- io.netty:netty-transport:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |    |    \--- io.netty:netty-resolver:4.1.72.Final
|         |    |    |    |         \--- io.netty:netty-common:4.1.72.Final
|         |    |    |    +--- io.netty:netty-codec:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |    |    \--- io.netty:netty-transport:4.1.72.Final (*)
|         |    |    |    +--- io.netty:netty-handler:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-resolver:4.1.72.Final (*)
|         |    |    |    |    +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |    |    +--- io.netty:netty-transport:4.1.72.Final (*)
|         |    |    |    |    +--- io.netty:netty-codec:4.1.72.Final (*)
|         |    |    |    |    \--- io.netty:netty-tcnative-classes:2.0.46.Final
|         |    |    |    \--- io.netty:netty-codec-http:4.1.72.Final
|         |    |    |         +--- io.netty:netty-common:4.1.72.Final
|         |    |    |         +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |         +--- io.netty:netty-transport:4.1.72.Final (*)
|         |    |    |         +--- io.netty:netty-codec:4.1.72.Final (*)
|         |    |    |         \--- io.netty:netty-handler:4.1.72.Final (*)
|         |    |    +--- io.netty:netty-handler-proxy:4.1.72.Final
|         |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |    +--- io.netty:netty-transport:4.1.72.Final (*)
|         |    |    |    +--- io.netty:netty-codec:4.1.72.Final (*)
|         |    |    |    +--- io.netty:netty-codec-socks:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-common:4.1.72.Final
|         |    |    |    |    +--- io.netty:netty-buffer:4.1.72.Final (*)
|         |    |    |    |    +--- io.netty:netty-transport:4.1.72.Final (*)
|         |    |    |    |    \--- io.netty:netty-codec:4.1.72.Final (*)
|         |    |    |    \--- io.netty:netty-codec-http:4.1.72.Final (*)
|         |    |    +--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    |    +--- com.google.errorprone:error_prone_annotations:2.10.0 -> 2.11.0
|         |    |    \--- io.perfmark:perfmark-api:0.23.0
|         |    +--- io.grpc:grpc-protobuf:1.45.1
|         |    |    +--- io.grpc:grpc-api:1.45.1 (*)
|         |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    +--- com.google.protobuf:protobuf-java:3.19.2 -> 3.19.3
|         |    |    +--- com.google.api.grpc:proto-google-common-protos:2.0.1
|         |    |    |    \--- com.google.protobuf:protobuf-java:3.13.0 -> 3.19.3
|         |    |    +--- io.grpc:grpc-protobuf-lite:1.45.1
|         |    |    |    +--- io.grpc:grpc-api:1.45.1 (*)
|         |    |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    |    \--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    |    \--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    +--- io.grpc:grpc-stub:1.45.1
|         |    |    +--- io.grpc:grpc-api:1.45.1 (*)
|         |    |    +--- com.google.guava:guava:31.0.1-android -> 31.1-jre (*)
|         |    |    \--- com.google.errorprone:error_prone_annotations:2.10.0 -> 2.11.0
|         |    +--- com.google.code.gson:gson:2.10
|         |    +--- com.google.guava:guava:31.1-jre (*)
|         |    +--- javax.annotation:javax.annotation-api:1.3.2
|         |    \--- com.google.protobuf:protobuf-java:3.19.3
|         +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         +--- com.android.tools.build:transform-api:2.0.0-deprecated-use-gradle-api
|         +--- org.apache.httpcomponents:httpmime:4.5.6 (*)
|         +--- commons-io:commons-io:2.4
|         +--- org.ow2.asm:asm:9.2
|         +--- org.ow2.asm:asm-analysis:9.2
|         |    \--- org.ow2.asm:asm-tree:9.2
|         |         \--- org.ow2.asm:asm:9.2
|         +--- org.ow2.asm:asm-commons:9.2
|         |    +--- org.ow2.asm:asm:9.2
|         |    +--- org.ow2.asm:asm-tree:9.2 (*)
|         |    \--- org.ow2.asm:asm-analysis:9.2 (*)
|         +--- org.ow2.asm:asm-util:9.2
|         |    +--- org.ow2.asm:asm:9.2
|         |    +--- org.ow2.asm:asm-tree:9.2 (*)
|         |    \--- org.ow2.asm:asm-analysis:9.2 (*)
|         +--- org.bouncycastle:bcpkix-jdk15on:1.67 (*)
|         +--- org.glassfish.jaxb:jaxb-runtime:2.3.2 (*)
|         +--- net.sf.jopt-simple:jopt-simple:4.9
|         +--- com.android.tools.build:bundletool:1.15.4
|         |    +--- com.android.tools.build:aapt2-proto:7.3.0-alpha07-8248216 -> 8.3.0-alpha02-10154469 (*)
|         |    +--- com.google.auto.value:auto-value-annotations:1.6.2
|         |    +--- com.google.errorprone:error_prone_annotations:2.3.1 -> 2.11.0
|         |    +--- com.google.guava:guava:31.0.1-jre -> 31.1-jre (*)
|         |    +--- com.google.protobuf:protobuf-java:3.19.2 -> 3.19.3
|         |    +--- com.google.protobuf:protobuf-java-util:3.19.2 -> 3.19.3
|         |    |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    |    +--- com.google.guava:guava:30.1.1-android -> 31.1-jre (*)
|         |    |    +--- com.google.errorprone:error_prone_annotations:2.5.1 -> 2.11.0
|         |    |    +--- com.google.j2objc:j2objc-annotations:1.3
|         |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    \--- com.google.code.gson:gson:2.8.6 -> 2.10
|         |    +--- com.google.dagger:dagger:2.28.3
|         |    |    \--- javax.inject:javax.inject:1
|         |    +--- javax.inject:javax.inject:1
|         |    +--- org.bitbucket.b_c:jose4j:0.7.0
|         |    \--- org.slf4j:slf4j-api:1.7.30
|         +--- com.android.tools.build.jetifier:jetifier-core:1.0.0-beta10 (*)
|         +--- com.android.tools.build.jetifier:jetifier-processor:1.0.0-beta10
|         |    +--- com.android.tools.build.jetifier:jetifier-core:1.0.0-beta10 (*)
|         |    +--- org.ow2.asm:asm:8.0.1 -> 9.2
|         |    +--- org.ow2.asm:asm-util:8.0.1 -> 9.2 (*)
|         |    +--- org.ow2.asm:asm-commons:8.0.1 -> 9.2 (*)
|         |    +--- org.jdom:jdom2:2.0.6
|         |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.3.71 -> 1.9.0 (*)
|         +--- com.squareup:javapoet:1.10.0
|         +--- com.google.protobuf:protobuf-java:3.19.3
|         +--- com.google.protobuf:protobuf-java-util:3.19.3 (*)
|         +--- com.google.code.gson:gson:2.8.6 -> 2.10
|         +--- io.grpc:grpc-core:1.45.1 (*)
|         +--- io.grpc:grpc-netty:1.45.1 (*)
|         +--- io.grpc:grpc-protobuf:1.45.1 (*)
|         +--- io.grpc:grpc-stub:1.45.1 (*)
|         +--- com.google.crypto.tink:tink:1.7.0
|         |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    \--- com.google.code.gson:gson:2.8.9 -> 2.10
|         +--- com.google.testing.platform:core-proto:0.0.8-alpha08
|         +--- com.google.flatbuffers:flatbuffers-java:1.12.0
|         +--- org.tensorflow:tensorflow-lite-metadata:0.1.0-rc2
|         |    +--- org.checkerframework:checker-qual:2.5.8 -> 3.12.0
|         |    \--- com.google.flatbuffers:flatbuffers-java:1.12.0
|         +--- com.android.tools.build:builder:8.3.0-alpha02
|         |    +--- com.android.tools.build:builder-model:8.3.0-alpha02 (*)
|         |    +--- com.android.tools.build:builder-test-api:8.3.0-alpha02 (*)
|         |    +--- com.android.tools:sdklib:31.3.0-alpha02 (*)
|         |    +--- com.android.tools:sdk-common:31.3.0-alpha02 (*)
|         |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    +--- com.android.tools.ddms:ddmlib:31.3.0-alpha02 (*)
|         |    +--- com.android:signflinger:8.3.0-alpha02
|         |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    +--- com.android.tools.build:apksig:8.3.0-alpha02
|         |    |    \--- com.android:zipflinger:8.3.0-alpha02
|         |    |         \--- com.android.tools:annotations:31.3.0-alpha02
|         |    +--- com.android.tools.analytics-library:protos:31.3.0-alpha02 (*)
|         |    +--- com.android.tools.analytics-library:tracker:31.3.0-alpha02
|         |    |    +--- com.android.tools.analytics-library:protos:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools.analytics-library:shared:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools:annotations:31.3.0-alpha02
|         |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- com.google.guava:guava:31.1-jre (*)
|         |    |    +--- com.google.protobuf:protobuf-java:3.19.3
|         |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    +--- com.android.tools.layoutlib:layoutlib-api:31.3.0-alpha02 (*)
|         |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    +--- org.bouncycastle:bcpkix-jdk15on:1.67 (*)
|         |    +--- commons-codec:commons-codec:1.10 -> 1.11
|         |    +--- org.bouncycastle:bcprov-jdk15on:1.67
|         |    +--- javax.inject:javax.inject:1
|         |    +--- org.ow2.asm:asm-commons:9.2 (*)
|         |    +--- com.android.tools.build:manifest-merger:31.3.0-alpha02
|         |    |    +--- com.android.tools:common:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools:sdklib:31.3.0-alpha02 (*)
|         |    |    +--- com.android.tools:sdk-common:31.3.0-alpha02 (*)
|         |    |    +--- com.google.code.gson:gson:2.8.6 -> 2.10
|         |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|         |    |    \--- net.sf.kxml:kxml2:2.3.0
|         |    +--- com.android:zipflinger:8.3.0-alpha02 (*)
|         |    +--- com.android.tools.build:apksig:8.3.0-alpha02
|         |    +--- com.android.tools.build:apkzlib:8.3.0-alpha02
|         |    |    +--- com.android.tools.build:apksig:8.3.0-alpha02
|         |    |    +--- com.google.code.findbugs:jsr305:3.0.2
|         |    |    +--- com.google.guava:guava:31.1-jre (*)
|         |    |    +--- org.bouncycastle:bcpkix-jdk15on:1.67 (*)
|         |    |    \--- org.bouncycastle:bcprov-jdk15on:1.67
|         |    \--- com.squareup:javawriter:2.5.0
|         +--- com.android.tools.build:builder-model:8.3.0-alpha02 (*)
|         \--- com.android.tools.build:gradle-api:8.3.0-alpha02
|              +--- com.android.tools.build:builder-test-api:8.3.0-alpha02 (*)
|              +--- com.google.guava:guava:31.1-jre (*)
|              +--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0-Beta -> 1.9.0 (*)
|              \--- org.ow2.asm:asm:9.2
+--- org.jetbrains.kotlin.android:org.jetbrains.kotlin.android.gradle.plugin:1.9.10
|    \--- org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.10
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugin-api:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-gradle-plugins-bom:1.9.10
|         |    |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin-api:1.9.10 (c)
|         |    |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin-model:1.9.10 (c)
|         |    |    +--- org.jetbrains.kotlin:kotlin-tooling-core:1.9.10 (c)
|         |    |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin:1.9.10 (c)
|         |    |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin-annotations:1.9.10 (c)
|         |    |    \--- org.jetbrains.kotlin:kotlin-native-utils:1.9.10 (c)
|         |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin-annotations:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-native-utils:1.9.10
|         |    |    +--- org.jetbrains.kotlin:kotlin-util-io:1.9.10
|         |    |    \--- org.jetbrains.kotlin:kotlin-util-klib:1.9.10
|         |    |         \--- org.jetbrains.kotlin:kotlin-util-io:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-project-model:1.9.10
|         |    |    \--- org.jetbrains.kotlin:kotlin-tooling-core:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-tooling-core:1.9.10
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugins-bom:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugin-api:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugin-model:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-gradle-plugin-api:1.9.10 (*)
|         |    \--- org.jetbrains.kotlin:kotlin-gradle-plugins-bom:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-tooling-core:1.9.10
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugin-idea:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-tooling-core:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-gradle-plugin-annotations:1.9.10
|         +--- org.jetbrains.kotlin:kotlin-gradle-plugin-idea-proto:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-gradle-plugin-idea:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-util-klib:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-klib-commonizer-api:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-native-utils:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-project-model:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-build-tools-api:1.9.10
|         +--- org.jetbrains.kotlin:kotlin-compiler-embeddable:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-daemon-embeddable:1.9.10
|         |    \--- org.jetbrains.intellij.deps:trove4j:1.0.20200330
|         +--- org.jetbrains.kotlin:kotlin-android-extensions:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-compiler-embeddable:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-compiler-runner:1.9.10
|         |    +--- org.jetbrains.kotlin:kotlin-daemon-client:1.9.10
|         |    +--- org.jetbrains.kotlinx:kotlinx-coroutines-core-jvm:1.5.0
|         |    \--- org.jetbrains.kotlin:kotlin-compiler-embeddable:1.9.10 (*)
|         +--- org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:1.9.10
|         |    \--- org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:1.9.10
|         |         +--- org.jetbrains.kotlin:kotlin-scripting-common:1.9.10
|         |         \--- org.jetbrains.kotlin:kotlin-scripting-jvm:1.9.10
|         |              \--- org.jetbrains.kotlin:kotlin-scripting-common:1.9.10
|         \--- org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:1.9.10 (*)
+--- org.jetbrains.kotlin:kotlin-stdlib-jdk8:{strictly 1.9.0} -> 1.9.0 (c)
+--- org.jetbrains.kotlin:kotlin-reflect:{strictly 1.9.0} -> 1.9.0 (c)
+--- org.jetbrains:annotations:{strictly 13.0} -> 13.0 (c)
+--- org.jetbrains.kotlin:kotlin-stdlib:{strictly 1.9.0} -> 1.9.0 (c)
+--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:{strictly 1.9.0} -> 1.9.0 (c)
\--- org.jetbrains.kotlin:kotlin-stdlib-common:{strictly 1.9.0} -> 1.9.0 (c)

Build: AI-232.9559.62.2321.10749089, 202309010903

AI-232.9559.62.2321.10749089, JRE 17.0.8+0-17.0.8b1000.8-10699129x64 JetBrains s.r.o., OS Linux(amd64) v5.15.0-82-generic, screens 7680.0x4320.0

AS: Iguana | 2023.2.1 Canary 2
Kotlin plugin: 232-1.9.0-release-358-AS9559.62.2321.10749089
Android Gradle Plugin: 8.3.0-alpha02
Gradle: 8.3
Gradle JDK: JetBrains Runtime version 17.0.8
NDK: from local.properties: (not specified), latest from SDK: (not found)
CMake: from local.properties: (not specified), latest from SDK: (not found), from PATH: 3.22.1

Comments

vi...@google.com <vi...@google.com> Sep 6, 2023 09:22AM

Assigned to an...@google.com.

je...@google.com <je...@google.com> Sep 11, 2023 05:14PM

Reassigned to sr...@google.com.

te...@gmail.com <te...@gmail.com> #2Oct 25, 2023 10:40AM

Dependency on xercesimpl makes AGP incompatible with https://docs.gradle.org/current/userguide/upgrading_version_8.html#xml_parsing_now_requires_recent_parsers in a way that if other gradle plugin is using SAXParserFactory (expecting to pickup jdk one) then xercesimpl version is used

hm...@google.com <hm...@google.com> #3Nov 28, 2023 12:22PM

xercesImpl has been removed as a dependency in AGP since 8.3.0-alpha12

hm...@google.com <hm...@google.com> Feb 26, 2024 09:15AM

Reassigned to hm...@google.com.

hm...@google.com <hm...@google.com> #4Feb 26, 2024 02:22PM

Marked as fixed.

Thanks for reporting issues like these - they are very beneficial to us.

All of the dependencies with known security vulnerabilities have been updated apart from org.bitbucket.b_c:jose4j:0.7.0 which comes transitively from bundletool. The team who owns it has been made aware and will fix issues on their side.

Message last modified on Feb 26, 2024 02:23PM

an...@google.com <an...@google.com> #5Feb 29, 2024 09:52PM

Thank you for your patience while our engineering team worked to resolve this issue. A fix for this issue is now available in:

Android Studio Jellyfish | 2023.3.1 Canary 12
Android Gradle Plugin 8.4.0-alpha12

We encourage you to try the latest update.

If you notice further issues or have questions, please file a new bug report.

Thank you for taking the time to submit feedback — we really appreciate it!

fa...@gmail.com <fa...@gmail.com> #6May 21, 2024 07:37PM

Iwant