Description:
Hello,
I would like to report a potential security vulnerability related to the inclusion of res.jar in the Android build process of the library. The issue arises due to the presence of files with shared identifiers and hashes, which might pose a risk.
Details:
Identifiers:
The following package identifiers and components are linked to the reported files:
pkg:maven/com.daml/test-common-carbonv1-tests-java-1.15@2.10.0-snapshot.20241118.13077.0.v8fa24b57 (Confidence: Highest)
pkg:maven/com.daml/test-common-modelext-tests-java-1.15@2.10.0-snapshot.20241118.13077.0.v8fa24b57 (Confidence: Highest)
pkg:maven/com.daml/test-common-upgrade-tests-java-3.0.0-1.dev@2.10.0-snapshot.20241118.13077.0.v8fa24b57 (Confidence: Highest)
- CPE:
cpe:2.3:a:digital-ant:digital_ant:2.10.0:snapshot:*:*:*:*:*:* (Confidence: Medium)
Impact:
The inclusion of res.jar and its derivatives in the Android build process could potentially expose the library to security risks such as exploitation via maliciously crafted components.
Recommended Actions:
- Verify the purpose and necessity of the res.jar files in the build process.
- Evaluate dependencies for security risks and update to the latest, secure versions where applicable.
- Conduct a thorough review of all *.jar files included in the Android build process.
Thank you for addressing this concern, and feel free to reach out if additional details or support are required.
Affected File Paths:
/node_modules/react-native-rsa-native/android/bin/build/intermediates/intermediate-jars/debug/res.jar
/node_modules/react-native-rsa-native/android/bin/build/intermediates/transforms/mergeJavaRes/debug/0.jar
/node_modules/react-native-rsa-native/android/bin/build/intermediates/transforms/mergeJavaRes/release/0.jar
/node_modules/react-native-rsa-native/android/bin/build/intermediates/intermediate-jars/release/res.jar
Hashes:
76cdb2bad9582d23c1f6f4d868218d6cb04f3ee8f5e43fa3b162981b50bb72fe1acabb338739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
License: Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt