vulnerabilities because of javalite version 3.14.0 in firebase-perf

[fionues]

[REQUIRED] Step 2: Describe your environment

• Android Studio version: 2024.2.2
• Firebase Component: Performance Monitoring
• Component version: 21.0.4

[REQUIRED] Step 3: Describe the problem

This is not technically a bug, but there seem to exist vulnerabilities because of protobuf-javalite version 3.14.0.

This is what the dependency tree looks like for firebase performance monitoring, for the affected part:

+--- com.google.firebase:firebase-perf -> 21.0.4
|    +--- com.google.firebase:firebase-annotations:16.2.0 (*)
|    +--- com.google.firebase:firebase-installations-interop:17.1.0 -> 17.2.0 (*)
|    +--- com.google.firebase:protolite-well-known-types:18.0.0
|    |    \--- com.google.protobuf:protobuf-javalite:3.14.0 -> 3.25.5

The listed vulnerabilities are:
CVE-2022-3509, CVE-2022-3510, CVE-2024-7254 High
CVE-2022-3171 Medium

[lehcar09]

Hi @fionues, thank you for reaching out and raising the vulnerability issue. On Firebase Perf v21.0.2, we have updated the protobuf dependency to 3.25.5 to fix CVE-2024-7254.

Based on my understanding, the firebase-perf dependency on protobuf-javalite:3.25.5 takes precedence unless there's a conflict or a specific resolution rule in your build system that favors 3.14.0.

However, I understand that this is still flagged as a dependency issue. I'll raise this to our engineers and see what we can do here. Thanks!

[fionues]

Thank you. I checked, we are using firebase-perf 21.0.4 and I don't see any other dependency or a specific rule that would favour 3.14.0. So that's strange.

[mrober]

Hi @fionues, I took a look at this.

#6343 did land 4 months ago, and should have updated all the proto deps to a patched version across the entire repo.

That PR did update protolite-well-known-types, but not to the patched version. I don't know why? See #6343/protolite-well-known-types.gradle it sets it to 3.21.11, not 3.25.5

But even more, protolite-well-known-types hasn't published to the google maven repo since 2021, see https://maven.google.com/web/index.html#com.google.firebase:protolite-well-known-types:18.0.0 and that published version's pom file references <groupId>com.google.protobuf</groupId><artifactId>protobuf-javalite</artifactId><version>3.14.0</version> explaining the 3.14.0 your tool is finding.

This would only be an issue if you depended only on protolite-well-known-types and no other Firebase products. Any other Firebase product will bump the protobuf-javalite version to 3.25.5 when Gradle resolves your dependencies. So there is no vulnerability issue here. But I will ask the team to fix the published version of protolite-well-known-types to avoid this confusion.