Because of CVE-2021-44228, we decided to integrate the OWASP Dependency-Check Gradle plugin into our Android projects.
We were surprised to see that the mentioned CVE was present in an IntelliJ dependency:
One or more dependencies were identified with known vulnerabilities in app:
...
intellij-core-26.5.4.jar\META-INF/maven/log4j/log4j/pom.xml (pkg:maven/log4j/log4j#1.2.17, cpe:2.3:a:apache:log4j:1.2.17:::::::*) : CVE-2019-17571, CVE-2020-9488, CVE-2021-44228
We have three questions about it:
Should we be worried about this identified vulnerability?
How is the intellij-core-26.5.4.jar pulled?
Is this jar present in our final APK ?
IntelliJ is of course just an advanced text editor and has no relation to the Android application itself, so no, I wouldn't worry. It might be an insecurity for JetBrains, though, but that's really their problem.
CVE-2021-44228 is only applicable to Log4J2 versions 2.0-beta9 and newer, up to and including 2.14.1, see: https://logging.apache.org/log4j/2.x/security.html
It does not apply to older versions such as Log4J 1.2.17.
The JAR file intellij-core-26.5.4.jar is part of IntelliJ IDEA itself, and is not something that is included with the APK of your own application when you create an Android application with IntelliJ or Android Studio.
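The following is an added example (not code from the question, the answer, or the OWASP project) that turns the reasoning of the answer above into a small triage script: it parses a Dependency-Check finding line of the shape quoted in the question, extracts the Maven coordinates and the CVE list, and checks each reported version against the affected range the answer cites for CVE-2021-44228 (2.0-beta9 through 2.14.1 inclusive). The sample lines below are constructed; the first one is the line from the question, the others are made up to exercise the range boundaries. Only CVE-2021-44228 is encoded; any other CVE is flagged for manual review rather than judged.

```python
import re

# Affected range the answer above cites for CVE-2021-44228: Log4j 2 from
# 2.0-beta9 up to and including 2.14.1 (see the Apache security page).
# Only that CVE is encoded here; any other CVE is reported as "not in table".
AFFECTED_RANGES = {
    "CVE-2021-44228": ("2.0-beta9", "2.14.1"),
}

# Constructed sample report lines: the first is the one quoted in the question,
# the other two are made up to exercise the boundaries of the range.
SAMPLE_FINDINGS = [
    r"intellij-core-26.5.4.jar\META-INF/maven/log4j/log4j/pom.xml "
    r"(pkg:maven/log4j/log4j#1.2.17, cpe:2.3:a:apache:log4j:1.2.17:::::::*) "
    r": CVE-2019-17571, CVE-2020-9488, CVE-2021-44228",
    "log4j-core-2.14.1.jar (pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1, "
    "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*) : CVE-2021-44228",
    "log4j-core-2.0-beta8.jar (pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta8, "
    "cpe:2.3:a:apache:log4j:2.0:beta8:*:*:*:*:*:*) : CVE-2021-44228",
]

# release components, then an optional qualifier such as "-beta9" or "-rc1"
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d+)?)?$")


def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' / '1.2.17' into a comparable tuple.
    A pre-release qualifier sorts below the bare release (2.0-beta9 < 2.0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (4 - len(release))          # pad so that 2.0 == 2.0.0.0
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)                           # a final release outranks any pre-release
    return release + pre


def in_affected_range(version, cve):
    """True if 'version' lies inside the inclusive range recorded for 'cve'."""
    lo, hi = AFFECTED_RANGES[cve]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


# Accepts both the older "pkg:...#version" and the purl-style "pkg:...@version" form.
FINDING_RE = re.compile(
    r"pkg:maven/(?P<group>[^/@#,\s)]+)/(?P<artifact>[^/@#,\s)]+)[@#](?P<version>[^,\s)]+)"
    r".*?\)\s*:\s*(?P<cves>.+)$"
)


def triage(line):
    """Return (coordinates, {cve: verdict}) for one finding line, or None if it is not one."""
    m = FINDING_RE.search(line)
    if not m:
        return None
    coords = f"{m['group']}:{m['artifact']}:{m['version']}"
    verdicts = {}
    for cve in (c.strip() for c in m["cves"].split(",")):
        if not cve:
            continue
        if cve not in AFFECTED_RANGES:
            verdicts[cve] = "not in table: check the advisory by hand"
        elif in_affected_range(m["version"], cve):
            verdicts[cve] = "version in affected range"
        else:
            verdicts[cve] = "version outside affected range (likely false positive)"
    return coords, verdicts


if __name__ == "__main__":
    for line in SAMPLE_FINDINGS:
        coords, verdicts = triage(line)
        print(coords)
        for cve, verdict in verdicts.items():
            print(f"  {cve}: {verdict}")
```

Running it on the quoted line reports log4j:log4j:1.2.17 as outside the range for CVE-2021-44228, which is the conclusion the answer reaches, while the two other CVEs are left for manual review because the script only knows the one range the page states. The version comparison is deliberately simple (numeric components plus one qualifier); it is enough for Log4j version strings but is not a general Maven version comparator.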
Related
I am trying to get my React Native app (with expo modules, but not built on expo) deployed to the Google Play Store, and I keep getting this error when I try to build...
The Android Gradle plugin supports only kotlin-android-extensions Gradle plugin version 1.6.20 and higher.
The following dependencies do not satisfy the required version:
project ':expo' -> org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.10
My issue is, the line that it seems to be referencing, project ':expo' -> org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.10, doesn't exist anywhere in my code, maybe in the node modules but I have no way of knowing.
I have absolutely no idea what Kotlin is and never heard of it before this. I tried looking around for where to upgrade my kotlin-gradle-plugin, but that's nowhere in my app.json or package.json or any other config files. I saw some message boards with similar issues telling me to change this line inside of build.gradle
classpath('com.android.tools.build:gradle:7.3.0')
to make 7.3.0 match the version I need, but I firmly believe 7.3.0 is greater than 1.6.20, so I highly doubt that solution has any actual merit.
Apparently, the current version of expo-modules are incompatible with the latest version of React Native (0.70.0) and how it compiles Android Builds. I downgraded react-native to 0.69.5. This ultimately led me to other issues but hopefully this can help somebody else.
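The asker's real difficulty is that the offending kotlin-gradle-plugin version is declared somewhere under node_modules rather than in their own files. The script below is an added example (not code from the question or the answer) that walks a project tree, finds every Gradle build file that declares the Kotlin Gradle plugin, and reports the version string next to the file that declares it, so the declaring package can be identified before deciding whether to upgrade or downgrade. It assumes the declaration uses one of the two common forms (a `classpath` coordinate or a `plugins { id(...) version "..." }` entry); the sample tree it builds in a temporary directory is constructed for the demonstration, and the 1.6.20 minimum is the one quoted in the error message.

```python
import os
import re
import shutil
import tempfile

# Two common ways a Gradle build file pins the Kotlin Gradle plugin:
#   classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.10")   (or single quotes)
#   id("org.jetbrains.kotlin.android") version "1.6.10"
COORD_RE = re.compile(r"""org\.jetbrains\.kotlin:kotlin-gradle-plugin:([^'")\s]+)""")
PLUGIN_ID_RE = re.compile(
    r"""id\s*\(?\s*['"]org\.jetbrains\.kotlin\.[\w.-]+['"]\s*\)?\s+version\s+['"]([^'"]+)['"]"""
)
GRADLE_FILES = ("build.gradle", "build.gradle.kts", "settings.gradle", "settings.gradle.kts")
NUMERIC_RE = re.compile(r"^\d+(?:\.\d+)*$")


def find_kotlin_plugin_versions(root):
    """Return sorted (path relative to root, version string) pairs for every declaration found.
    A Gradle variable such as $kotlinVersion is returned verbatim so the caller can chase it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in GRADLE_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            for m in COORD_RE.finditer(text):
                hits.append((rel, m.group(1)))
            for m in PLUGIN_ID_RE.finditer(text):
                hits.append((rel, m.group(1)))
    return sorted(hits)


def below_minimum(version, minimum="1.6.20"):
    """True/False for a literal x.y.z version; None when the value is a variable or
    otherwise not a plain numeric version, because it cannot be judged statically."""
    if not NUMERIC_RE.match(version):
        return None
    to_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return to_tuple(version) < to_tuple(minimum)


def build_sample_tree():
    """Constructed sample project: the app's own build.gradle pins only the Android
    Gradle plugin (as in the question), while two node_modules packages pin Kotlin."""
    root = tempfile.mkdtemp(prefix="rn-sample-")
    files = {
        "android/build.gradle":
            'buildscript {\n  dependencies {\n'
            '    classpath("com.android.tools.build:gradle:7.3.0")\n  }\n}\n',
        "node_modules/expo/android/build.gradle":
            "buildscript {\n  dependencies {\n"
            "    classpath 'org.jetbrains.kotlin:kotlin-gradle-plugin:1.6.10'\n  }\n}\n",
        "node_modules/some-lib/android/build.gradle":
            'classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlinVersion")\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel, version in find_kotlin_plugin_versions(root):
            status = {True: "BELOW 1.6.20", False: "ok", None: "variable, resolve by hand"}
            print(f"{rel}: {version} -> {status[below_minimum(version)]}")
    finally:
        shutil.rmtree(root)
```

Run it from the root of the React Native project (replace `build_sample_tree()` with the real path) and the output names the package whose build file carries the too-old version. Declarations that use a Gradle variable are reported but not judged, since the value may be set in another file or in gradle.properties.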
Gradle does not work at all, not even gradle -v, after updating Android Studio (4.3.1). I'm not sure whether Android Studio caused this issue or not.
I installed Gradle from sdkman. The Gradle version is 6.6.1. When I run any Gradle command in the terminal, the process keeps running but nothing is displayed. The path is not an issue here; the computer recognizes Gradle itself.
Do you have any ideas to fix the issue?
I have already uninstalled/reinstalled Gradle, removed the .gradle folder, restarted the computer, removed the cache, and things like that...
Android Studio likes to use its bundled JDKs and SDKs by default and changes the location of its settings every few releases. It doesn't like it when you try to customize settings to your preferences, even something as trivial as choosing your own default project save location.
Currently (in version 4.2.x), I could only find the Gradle path in global settings, and it turns out that even if you set the global setting for the Gradle path, you would still need to configure it at the project level.
So for the sake of sanity, forget global settings and configure it at the project level.
There are some forum discussions which suggest that Android Studio automatically switches the Kotlin compiler or Java compiler from your Gradle settings, but there are some conflicting articles too.
If you try to discuss it on their forum, they will tell you it's a bad decision to change the JDK because of compatibility reasons, and won't help you much. This is based on my multiple bad experiences on their forum. Choosing your own JDK, Kotlin, build-tools etc. has been an active sore point with the community.
PS: Kotlin compiler settings are available in Other settings.
I am wondering how to get libjingle when checking out the SDK from git.
What I ended up doing was to add libjingle as a compile dependency in build.gradle:
compile 'io.pristine:libjingle:11139#aar'
but it looks like the interface has changed from what you use in the SDK, so I'm not sure which libjingle version to use.
Thanks.
OK, so to avoid the repo getting huge from carrying binaries, we only place the binaries in the releases. So I'd suggest downloading the latest .tar.bz2 from here and copying over the native and non-native libs from restcomm.android.sdk/libs/libjingle_peerconnection*.jar and restcomm.android.sdk/libs/jniLibs/armeabi-v7a/libjingle_peerconnection*.so to the same locations in the source tree. That way they should be discoverable in the Android Studio project.
These are going to be turned into maven dependencies at some point to avoid such issues.
Now, about io.pristine:libjingle:11139#aar that you used: it's going to be a problem, as this build is much earlier than what we have in restcomm-android-sdk, and indeed the API is different in some respects.
I implemented the current version of ActionBarSherlock in my Android project.
Everything works fine and I don't get any errors.
But when I try to debug or export my project I don't get an .apk file out of my project, just a .jar file with the name of my project.
I've read about some problems the SDK had with building projects that contain external libraries, but this was at SDK version 14, so I hope this bug is fixed...
So there might be another cause for this problem.
Does anybody know a possible solution?
You cannot get a *.jar file as the result of building an Android project. This seems very strange to me. There must be something wrong with your project settings (if you changed them), or the project you build is of the wrong type (i.e. it is a Java Application instead of an Android Application).
You didn't mention which IDE you use, but I assume you use Eclipse.
Make sure you have installed Android SDK and Eclipse ADT correctly (just in case).
Next thing to try is to create a new Android Application project from existing sources (there should be such option during the process of creation).
Can I import an Android library, such as Android 2.3.3, which includes android.jar, into a Java project in Eclipse? How can I do it? Thanks.
I don't think you can, and I don't think you should. Android's classes are made for Android mobile devices so you shouldn't use them outside of that context. Do you mind detailing exactly what your project is?
Not sure why you would do that... but yes, you can.
Go to: Project properties -> Java Build Path -> Libraries -> Add External Jar, then choose the .jar file you need, for instance:
C:\Program Files (x86)\Android\android-sdk\platforms\android-8\android.jar
Now your Java project can reference any Android-specific class.
Activate the proper Android nature, and your project has the Android libraries on the compile path.
You may also add android libraries from maven central:
<dependency>
    <groupId>com.google.android</groupId>
    <artifactId>android</artifactId>
    <version>2.2.1</version>
    <scope>provided</scope>
</dependency>
But keep in mind that those libraries are good for compiling only: all classes are neutered and contain only stubs throwing a runtime exception, so you will be unable to use them in tests unless you use mocking.
I guess I have come across the same problem as Karate_dog, though I'm not sure how similar it is.
Here is what I did:
Go to project properties, select Android, check Android 2.3.3 and press OK. You are done.
Now you will see that all the previous error notifications have gone and the Android API and libraries have been added to your project (I assume this is regarding an Android project running in the Eclipse IDE).