Internal UTP android test plugin emulator control configuration contains vulnerable netty dependencies. [339238014]

Assigned

Bug

Status Update

No update yet.

Description

ma...@gmail.com

created issue #1

May 7, 2024 09:25PM

DESCRIBE THE ISSUE IN DETAIL:

We use https://github.com/gradle/github-dependency-graph-gradle-plugin to perform GitHub Dependabot vulnerability scanning on our project. After upgrading to AGP 3.4.0 it started to trigger warnings about older versions of dependencies in the io.netty group.

They seem to come from the _internal-unified-test-platform-android-test-plugin-host-emulator-control configuration as a transitive dep from grpc stuff.

I'm fully aware that these warnings (e.g. HTTP/2 RST attack) don't apply to UTP in question so I could silence the warnings but as this project has also JVM components that do use Netty (and a later version) I'd much rather still get warnings about Netty security issues.

STEPS TO REPRODUCE:

Use dependency dependency submission action from Gradle in a GitHub repo with vulnerable dependency alerts turned on (https://blog.gradle.org/gradle-github-partnership-supply-chain-security)
Use Android Gradle Plugin 8.4.0

Studio Build: Jellyfish 2023.3.1 Version of Gradle Plugin: 8.4.0 Version of Gradle: 8.7 Version of Java: Zulu 21.0.1+15 OS: macOS

Comments

ma...@gmail.com <ma...@gmail.com> #2May 7, 2024 09:26PM

I tried adding screenshotTestImplementation(libs.androidx.window) but it didn't fix it.

di...@google.com <di...@google.com> May 8, 2024 09:34AM

Assigned to an...@google.com.

hu...@google.com <hu...@google.com> May 8, 2024 09:41PM

Reassigned to da...@google.com.

Issue 339238014

Description

Issue summary

Comments

ma...@gmail.com <ma...@gmail.com> #2May 7, 2024 09:26PM

di...@google.com <di...@google.com> May 8, 2024 09:34AM

hu...@google.com <hu...@google.com> May 8, 2024 09:41PM

Add comment

Issue metadata