I've encountered a vulnerability after running the Snyk open source security management tool and am not sure how to resolve it.

I believe this is related to a library pulled in by the Android Gradle Plugin.

Issues with no direct upgrade or patch:

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-5953332] in io.netty:[email protected]
    introduced by com.android.tools.utp:[email protected] > io.grpc:[email protected] > io.netty:[email protected]
  This issue was fixed in versions: 4.1.100.Final

2 Answers

I encountered the same snyk issue reported when upgrading Android Gradle Plugin from 8.2.1 to 8.5.1

To solve this I downgraded back to 8.2.1, but am hoping an upstream fix will be made so I can move to back to 8.5.1.

The vulnerable netty version is imported by com.android.tools.utp:[email protected], which is a dependency of com.android.application:com.android.application.gradle.plugin:8.5.1

I confirmed this by running

./gradlew dependencies --scan

build.gradle
0.067s
com.android.application:com.android.application.gradle.plugin:8.5.1
    com.android.tools.build:gradle:8.5.1
        androidx.databinding:databinding-common:8.5.1
        androidx.databinding:databinding-compiler-common:8.5.1
        com.android.databinding:baseLibrary:8.5.1
        com.android.tools.analytics-library:crash:31.5.1
        com.android.tools.analytics-library:shared:31.5.1
        com.android.tools.build.jetifier:jetifier-core:1.0.0-beta10
        com.android.tools.build.jetifier:jetifier-processor:1.0.0-beta10
        com.android.tools.build:aapt2-proto:8.5.1-11315950
        com.android.tools.build:aaptcompiler:8.5.1
        com.android.tools.build:builder-model:8.5.1
        com.android.tools.build:builder-test-api:8.5.1
        com.android.tools.build:builder:8.5.1
        com.android.tools.build:bundletool:1.16.0
        com.android.tools.build:gradle-api:8.5.1
        com.android.tools.build:gradle-settings-api:8.5.1
        com.android.tools.build:transform-api:2.0.0-deprecated-use-gradle-api
        com.android.tools.ddms:ddmlib:31.5.1
        com.android.tools.layoutlib:layoutlib-api:31.5.1
        com.android.tools.lint:lint-model:31.5.1
        com.android.tools.lint:lint-typedef-remover:31.5.1
        com.android.tools.utp:android-device-provider-ddmlib-proto:31.5.1
        com.android.tools.utp:android-device-provider-gradle-proto:31.5.1
here -> com.android.tools.utp:android-test-plugin-host-additional-test-output-proto:31.5.1

The best way to resolve it would be to update the version of the library to the 4.1.100.Final version as suggested. If you're using the UI, you should have an "Open a fix PR button" somewhere on your screen. Clicking it will take you to your SCM if you allowed the integration and create the PR for you. All you have to do is review it and merge.
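If a fix PR is not available (the report above lists the issue under "no direct upgrade or patch", because the vulnerable netty is a transitive dependency of the Android Gradle Plugin rather than of the app itself), the version can still be overridden on the build-script classpath. The snippet below is an added example, not code from the question or either answer. It assumes the Groovy DSL (the scan output names build.gradle), that AGP is declared in the root build.gradle via its plugins or buildscript block, and that every netty module should move together to 4.1.100.Final, the fix version Snyk reports. Pinning by group rather than by artifact avoids guessing the artifact name, which the report above does not show in full.

```groovy
// Added example (not from the question or answers): pin every io.netty artifact on the
// build-script classpath to the release named as the fix in the Snyk report.
// Place at the top of the root build.gradle, before the plugins {} block.
buildscript {
    configurations.classpath {
        resolutionStrategy.eachDependency { DependencyResolveDetails details ->
            // netty modules are released in lockstep, so a single version for the
            // whole group keeps the resolved set consistent.
            if (details.requested.group == 'io.netty') {
                details.useVersion '4.1.100.Final'
                details.because 'SNYK-JAVA-IONETTY-5953332: DoS fixed in netty 4.1.100.Final'
            }
        }
    }
}
```

Check the result with `./gradlew buildEnvironment`, which prints the resolved build-script classpath (including plugins pulled in through the plugins block) and should now show the io.netty entries at 4.1.100.Final, then re-run the Snyk scan. Two caveats: this override affects only the build tooling, so it should be removed once an AGP release ships a patched netty, and it is worth confirming that the override does not break AGP's instrumented-test tooling (com.android.tools.utp) by running the project's connected tests once after the change.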
