
Android CVE Check

Ask Time: 2019-02-12T23:22:48    Author: Lau


I want to resolve every CVE issue in my project. I'm using the org.owasp.dependencycheck plugin, but even on an empty project it returns a few CVEs:

bcprov-jdk15on-1.56.jar: ids:(org.bouncycastle:bcprov-jdk15on:1.56, cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56) : CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613
builder-3.3.1.jar: desugar_deploy.jar: ids:(com.google.guava:guava:21.0, cpe:/a:google:guava:21.0) : CVE-2018-10237
intellij-core-26.3.1.jar (shaded: com.google.protobuf:protobuf-java:2.6.1): ids:(cpe:/a:google:protobuf:2.6.1, com.google.protobuf:protobuf-java:2.6.1) : CVE-2015-5237
intellij-core-26.3.1.jar (shaded: org.picocontainer:picocontainer:1.2): ids:(org.picocontainer:picocontainer:1.2, cpe:/a:site_documentation_project:site_documentation:1.2) : CVE-2015-4370

This result is from the empty project. My build.gradle:

apply plugin: 'com.android.application'
apply plugin: 'kotlin-android'
apply plugin: 'kotlin-android-extensions'
apply plugin: 'org.owasp.dependencycheck'

android {
    compileSdkVersion 28
    defaultConfig {
        applicationId "com.example.testcve"
        minSdkVersion 21
        targetSdkVersion 28
        versionCode 1
        versionName "1.0"
        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
    }
    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

dependencyCheck {
    failBuildOnCVSS 0
}

check.dependsOn dependencyCheckAnalyze

dependencies {
    implementation fileTree(dir: 'libs', include: ['*.jar'])
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
    implementation 'com.android.support:appcompat-v7:28.0.0'
    implementation 'com.android.support.constraint:constraint-layout:1.1.3'
    testImplementation 'junit:junit:4.12'
    androidTestImplementation 'com.android.support.test:runner:1.0.2'
    androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
}

and:

buildscript {
    ext.kotlin_version = '1.3.21'
    repositories {
        google()
        jcenter()
        mavenLocal()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:3.3.1'
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
        classpath "org.owasp:dependency-check-gradle:4.0.0"
    }
}

allprojects {
    repositories {
        google()
        jcenter()
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}

Everything is up-to-date.

Any ideas how to resolve those CVEs?

Author: Lau, reproduced under the CC 4.0 BY-SA license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/54653400/android-cve-check
JensV :

So the answer from Carsten is absolutely correct, but it doesn't explain how to handle this in CI builds, for example.

You have two options which both work. You can exclude the lintClassPath from the dependency check, or you define releaseCompileClasspath as the only module configuration to check. I'd recommend the first one, since you probably want to check additional module configurations if they happen to be added (or you want to also check the debug/test classpath).

Excluding lintClassPath

Per module (for example your app/build.gradle):

// ... android and dependency configuration omitted
apply plugin: 'org.owasp.dependencycheck'
// ...

dependencyCheck {
    skipConfigurations += 'lintClassPath'
}

For all modules (in the root build.gradle):

// ... buildscript, etc. omitted
allprojects {

    // ... repository configuration omitted
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        skipConfigurations += 'lintClassPath'
    }
}

Including only releaseCompileClasspath

Simply replace skipConfigurations += 'lintClassPath' with scanConfigurations += 'releaseCompileClasspath'. FYI, these options are mutually exclusive, so you have to choose only one of these methods.
2020-04-16T10:13:40
Carsten Hagemann :

Those files are used by the Android build system. That's why they get reported even on an "empty" project.

Check the dependency tree to see where those files are used: ./gradlew app:dependencies

...
lintClassPath - The lint embedded classpath
\--- com.android.tools.lint:lint-gradle:26.4.1
     +--- com.android.tools:sdk-common:26.4.1
     |    +--- com.android.tools:sdklib:26.4.1
     |    |    +--- com.android.tools.layoutlib:layoutlib-api:26.4.1
     |    |    ...
     |    +--- com.android.tools.ddms:ddmlib:26.4.1 (*)
     |    +--- org.bouncycastle:bcpkix-jdk15on:1.56
     |    |    \--- org.bouncycastle:bcprov-jdk15on:1.56 <--
     |    +--- org.bouncycastle:bcprov-jdk15on:1.56 <--
...

In this example, it is com.android.tools:sdk-common. This is a build library, used by other Android tools libraries (https://mvnrepository.com/artifact/com.android.tools/sdk-common/26.4.1). As long as Google doesn't update that dependency, there is not much you can do about it.

Whilst the reported vulnerabilities are marked as critical, it is less of a concern regarding your app here, because the file is used by the build tools and not by your app.

If the files are reported in the releaseCompileClasspath section, they should be fixed!

Use the Analyze APK feature of Android Studio if you want to double check that those files are not compiled into your app.
2019-07-15T07:42:22
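Both answers above come down to the same triage rule: a flagged artifact that only reaches a build-tool configuration such as lintClassPath can be skipped, while one that reaches the release classpath ships in the APK and must be fixed. The script below automates that rule over the text of ./gradlew app:dependencies. It is an added example, not code from either answer or from the dependency-check plugin; SAMPLE_TREE is constructed by hand (shaped after Carsten's excerpt, with guava placed on releaseCompileClasspath to show the other case), and RUNTIME_CONFIGS is an assumed list of the configurations whose contents end up in the app.

```python
"""Triage dependency-check findings by the Gradle configuration that pulls the
artifact in, using the text printed by `./gradlew app:dependencies`.

Added example, not code from the answers or from the dependency-check plugin.
SAMPLE_TREE is constructed by hand (shaped after the excerpt in Carsten's
answer, with guava placed on releaseCompileClasspath to show the other case);
RUNTIME_CONFIGS is an assumed rule for which configurations ship in the APK.
"""
import re
from collections import defaultdict

# Configuration header, e.g. "lintClassPath - The lint embedded classpath"
CONFIG_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*) - ")
# Tree node: optional "|    " prefixes, then "+--- " or "\--- ", then group:name:version...
NODE_RE = re.compile(r"^[|\s]*[+\\]--- ([\w.\-]+):([\w.\-]+):(.*)$")
# Trailing Gradle markers: (*) already listed, (c) constraint, (n) not resolved
MARKER_RE = re.compile(r"\s*\([*cn]\)\s*$")

# Assumption: these are the configurations whose artifacts end up in the app.
RUNTIME_CONFIGS = ("releaseCompileClasspath", "releaseRuntimeClasspath")

# Constructed sample of `./gradlew app:dependencies` output (abridged).
SAMPLE_TREE = r"""
lintClassPath - The lint embedded classpath
\--- com.android.tools.lint:lint-gradle:26.4.1
     +--- com.android.tools:sdk-common:26.4.1
     |    +--- org.bouncycastle:bcpkix-jdk15on:1.56
     |    |    \--- org.bouncycastle:bcprov-jdk15on:1.56
     |    \--- org.bouncycastle:bcprov-jdk15on:1.56 (*)
     \--- com.google.guava:guava:21.0

releaseCompileClasspath - Compile classpath for compilation 'release'.
+--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.21
|    \--- org.jetbrains.kotlin:kotlin-stdlib:1.3.20 -> 1.3.21 (*)
+--- com.android.support:appcompat-v7:28.0.0
\--- com.google.guava:guava:21.0
"""


def resolved_version(rest):
    """'1.3.20 -> 1.3.21 (*)' -> '1.3.21'; '1.56 (*)' -> '1.56'."""
    rest = MARKER_RE.sub("", rest)
    if "->" in rest:
        rest = rest.split("->")[-1]      # Gradle prints declared -> resolved
    return rest.strip()


def parse_dependency_tree(text):
    """Map 'group:name' -> {configuration -> set of resolved versions}."""
    deps = defaultdict(lambda: defaultdict(set))
    config = None
    for line in text.splitlines():
        header = CONFIG_RE.match(line)
        if header:
            config = header.group(1)
            continue
        if not line.strip():
            config = None                # a blank line ends the configuration block
            continue
        node = NODE_RE.match(line)
        if config is None or not node:
            continue                     # "No dependencies", legend lines, etc.
        group, name, rest = node.groups()
        deps[f"{group}:{name}"][config].add(resolved_version(rest))
    return deps


def classify(tree_text, flagged):
    """Sort flagged 'group:name' coordinates (e.g. the ids dependency-check
    reported) into FIX (on a runtime classpath), BUILD-TOOL (only in build
    tooling such as lintClassPath) or NOT-FOUND (not in this module's tree)."""
    deps = parse_dependency_tree(tree_text)
    verdicts = {}
    for coord in flagged:
        configs = deps.get(coord, {})
        runtime = sorted(c for c in configs if c in RUNTIME_CONFIGS)
        build_only = sorted(c for c in configs if c not in RUNTIME_CONFIGS)
        if runtime:
            verdict = "FIX"
        elif build_only:
            verdict = "BUILD-TOOL"
        else:
            verdict = "NOT-FOUND"
        verdicts[coord] = (verdict, runtime, build_only)
    return verdicts


if __name__ == "__main__":
    flagged = ["org.bouncycastle:bcprov-jdk15on",
               "com.google.guava:guava",
               "com.google.protobuf:protobuf-java"]
    for coord, (verdict, runtime, build_only) in classify(SAMPLE_TREE, flagged).items():
        print(f"{verdict:10s} {coord}  runtime={runtime} build-only={build_only}")
```

Run it against real output with ./gradlew app:dependencies > deps.txt and feed the file contents to classify(); a BUILD-TOOL verdict is the case where skipConfigurations += 'lintClassPath' is the right fix, a FIX verdict means the library is in the app and needs an upgrade, and NOT-FOUND usually means the artifact is shaded inside another jar (as with the protobuf and picocontainer findings in the question), so the tree cannot attribute it and Analyze APK is the way to settle it.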