Android CVE Check

I want to resolve every CVE issue in my project. I'm using the org.owasp.dependencycheck plugin, but even on an empty project it returns a few CVEs:

bcprov-jdk15on-1.56.jar: ids:(org.bouncycastle:bcprov-jdk15on:1.56, cpe:/a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.56) : CVE-2017-13098, CVE-2018-1000180, CVE-2018-1000613
builder-3.3.1.jar: desugar_deploy.jar: ids:(com.google.guava:guava:21.0, cpe:/a:google:guava:21.0) : CVE-2018-10237
intellij-core-26.3.1.jar (shaded: com.google.protobuf:protobuf-java:2.6.1): ids:(cpe:/a:google:protobuf:2.6.1, com.google.protobuf:protobuf-java:2.6.1) : CVE-2015-5237
intellij-core-26.3.1.jar (shaded: org.picocontainer:picocontainer:1.2): ids:(org.picocontainer:picocontainer:1.2, cpe:/a:site_documentation_project:site_documentation:1.2) : CVE-2015-4370

This result is from the empty project. My build.gradle:

apply plugin: 'com.android.application'
apply plugin: 'kotlin-android'
apply plugin: 'kotlin-android-extensions'
apply plugin: 'org.owasp.dependencycheck'

android {
    compileSdkVersion 28
    defaultConfig {
        applicationId "com.example.testcve"
        minSdkVersion 21
        targetSdkVersion 28
        versionCode 1
        versionName "1.0"
        testInstrumentationRunner "android.support.test.runner.AndroidJUnitRunner"
    }
    buildTypes {
        release {
            minifyEnabled false
            proguardFiles getDefaultProguardFile('proguard-android.txt'), 'proguard-rules.pro'
        }
    }
}

dependencyCheck {
    failBuildOnCVSS 0
}

check.dependsOn dependencyCheckAnalyze

dependencies {
    implementation fileTree(dir: 'libs', include: ['*.jar'])
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:$kotlin_version"
    implementation 'com.android.support:appcompat-v7:28.0.0'
    implementation 'com.android.support.constraint:constraint-layout:1.1.3'
    testImplementation 'junit:junit:4.12'
    androidTestImplementation 'com.android.support.test:runner:1.0.2'
    androidTestImplementation 'com.android.support.test.espresso:espresso-core:3.0.2'
}

and:

buildscript {
    ext.kotlin_version = '1.3.21'
    repositories {
        google()
        jcenter()
        mavenLocal()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:3.3.1'
        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
        classpath "org.owasp:dependency-check-gradle:4.0.0"
    }
}

allprojects {
    repositories {
        google()
        jcenter()
    }
}

task clean(type: Delete) {
    delete rootProject.buildDir
}

Everything is up-to-date.

Any ideas how to resolve those CVEs?

Lau asked Feb 12 '19 15:02


3 Answers

So the answer from Carsten is absolutely correct, but it doesn't explain how to handle this in CI builds, for example.

You have two options which both work. You can exclude the lintClassPath from the dependency check or you define releaseCompileClasspath as the only module configuration to check. I'd recommend the first one since you probably want to check additional module configurations if they happen to be added (or you want to also check the debug/test classpath).

Excluding lintClassPath

Per Module (for example your app/build.gradle):

// ... android and dependency configuration omitted
apply plugin: 'org.owasp.dependencycheck'
// ...

dependencyCheck {
    skipConfigurations += 'lintClassPath'
}

For all modules (in the root build.gradle):

// ... buildscript, etc. omitted
allprojects {

    // ... repository configuration omitted
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        skipConfigurations += 'lintClassPath'
    }
}

Including only releaseCompileClasspath

Simply replace skipConfigurations += 'lintClassPath' with scanConfigurations += 'releaseCompileClasspath'. FYI, these options are mutually exclusive, so you have to choose only one of these methods.

JensV answered Oct 15 '22 18:10


Those files are used by the Android build system. That's why they get reported even on an "empty" project.

Check the dependency tree to see where those files are used: ./gradlew app:dependencies

...
lintClassPath - The lint embedded classpath
\--- com.android.tools.lint:lint-gradle:26.4.1
     +--- com.android.tools:sdk-common:26.4.1
     |    +--- com.android.tools:sdklib:26.4.1
     |    |    +--- com.android.tools.layoutlib:layoutlib-api:26.4.1
     |    |    ...
     |    +--- com.android.tools.ddms:ddmlib:26.4.1 (*)
     |    +--- org.bouncycastle:bcpkix-jdk15on:1.56
     |    |    \--- org.bouncycastle:bcprov-jdk15on:1.56   <--
     |    +--- org.bouncycastle:bcprov-jdk15on:1.56   <--
...

In this example, it is com.android.tools:sdk-common. This is a build library, used by other Android tools libraries (https://mvnrepository.com/artifact/com.android.tools/sdk-common/26.4.1). As long as Google doesn't update that dependency, there is not much you can do about it.

Whilst the reported vulnerabilities are marked as critical, it is less of a concern regarding your app here, because the file is used by the build tools and not by your app.

If the files are reported in the releaseCompileClasspath section, they should be fixed!

Use the Analyze APK feature of Android Studio if you want to double check that those files are not compiled into your app.

Carsten Hagemann answered Oct 15 '22 16:10

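To make the triage step in the answer above mechanical, here is an added Python example (it is not from the question or from any of the answers, and not part of the dependency-check plugin) that parses the text of `./gradlew app:dependencies` and reports, for each artifact dependency-check flagged, whether it is pulled in only by build-tool configurations such as lintClassPath or also by a compile/runtime classpath that ships with the app. The sample tree embedded below is constructed and trimmed, and the `SHIPPED_SUFFIXES` rule is an assumption about Android's configuration naming, not something the plugin defines.

```python
"""Triage dependency-check findings against the Gradle dependency tree.

A flagged artifact that only appears under build-time configurations
(lintClassPath, kapt, annotation processors) is a build-tool exposure;
one that appears under any *CompileClasspath / *RuntimeClasspath
configuration is compiled into the app and needs fixing.
"""
import re
from collections import defaultdict

# Header of a configuration section, e.g. "lintClassPath - The lint embedded classpath"
CONFIG_HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9]*) - .*$")
# Tree nodes such as "+--- group:name:version" or "\--- group:name:version (*)",
# possibly preceded by "|" guide characters and indentation.
TREE_NODE = re.compile(r"^[\s|]*[+\\]--- (?:project )?([^\s:]+):([^\s:]+)(?::(\S+))?")

# Assumption: configurations with these suffixes end up in the shipped artifact.
SHIPPED_SUFFIXES = ("CompileClasspath", "RuntimeClasspath")

# Constructed, trimmed sample modelled on `./gradlew app:dependencies` output.
SAMPLE_TREE = """\
lintClassPath - The lint embedded classpath
\\--- com.android.tools.lint:lint-gradle:26.4.1
     +--- com.android.tools:sdk-common:26.4.1
     |    +--- org.bouncycastle:bcpkix-jdk15on:1.56
     |    |    \\--- org.bouncycastle:bcprov-jdk15on:1.56
     |    +--- org.bouncycastle:bcprov-jdk15on:1.56
     \\--- com.google.guava:guava:21.0

releaseCompileClasspath - Resolved configuration for compilation for variant: release
+--- org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.21
|    \\--- org.jetbrains.kotlin:kotlin-stdlib:1.3.21
+--- com.android.support:appcompat-v7:28.0.0
\\--- com.squareup.okhttp3:okhttp:3.12.0 -> 3.12.1

(*) - dependencies omitted (listed previously)
"""


def parse_dependency_tree(text):
    """Map configuration name -> set of 'group:artifact' coordinates under it."""
    configs = defaultdict(set)
    current = None
    for line in text.splitlines():
        header = CONFIG_HEADER.match(line)
        if header:
            current = header.group(1)
            configs.setdefault(current, set())  # record even empty configurations
            continue
        if not line.strip():
            current = None  # a blank line closes the current section
            continue
        node = TREE_NODE.match(line)
        if node and current:
            configs[current].add(f"{node.group(1)}:{node.group(2)}")
    return dict(configs)


def locate(configs, coordinate):
    """Sorted list of configurations that contain the given 'group:artifact'."""
    return sorted(name for name, deps in configs.items() if coordinate in deps)


def classify(configs, coordinate):
    """'shipped' if a compile/runtime classpath pulls it in, 'build-only' if
    only build-tool configurations do, 'absent' if the tree never mentions it."""
    hits = locate(configs, coordinate)
    if not hits:
        return "absent"
    if any(name.endswith(SHIPPED_SUFFIXES) for name in hits):
        return "shipped"
    return "build-only"


def triage(tree_text, flagged):
    """Return {coordinate: (verdict, [configurations])} for each flagged artifact."""
    configs = parse_dependency_tree(tree_text)
    return {c: (classify(configs, c), locate(configs, c)) for c in flagged}


if __name__ == "__main__":
    flagged = ["org.bouncycastle:bcprov-jdk15on", "com.google.guava:guava",
               "com.android.support:appcompat-v7"]
    for coord, (verdict, where) in triage(SAMPLE_TREE, flagged).items():
        print(f"{coord:40} {verdict:10} {', '.join(where) or '-'}")
```

In practice you would feed it the real output (`./gradlew app:dependencies > deps.txt`) and the coordinates from the dependency-check report; anything classified as `shipped` is the set that actually needs a version bump or a replacement, while `build-only` hits are candidates for the skipConfigurations exclusion described earlier.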

I solved the problem by adding lintClassPath to the dependencies

dependencies {
    ...
    lintClassPath "org.bouncycastle:bcpkix-jdk15on:1.64"
}

It's late but I hope this helps you.

Z.J Hung answered Oct 15 '22 16:10