e-mission / e-mission-docs

Repository for docs and issues. If you need help, please file an issue here. Public conversations are better for open source projects than private email.
https://e-mission.readthedocs.io/en/latest
BSD 3-Clause "New" or "Revised" License

a security warning for the Android app #464

Closed PatGendre closed 4 years ago

PatGendre commented 4 years ago

@shankari FYI we have a security warning in the Google Play Console. It concerns angular, do you think this may be serious? (i.e. Google could prevent us from publishing the app in the near future?)

(my translation)
Your app contains at least one app with known security issues. Please see this article: https://support.google.com/faqs/answer/9464300 from Google help center.

Vulnerable JavaScript libs:

Name | Version | Known issues | Identified files
-- | -- | -- | --
angular.js | 1.4.14 | SNYK-npm:angular:20150807, SNYK-npm:angular:20150909, SNYK-npm:angular:20150310, SNYK-npm:angular:20171018, SNYK-npm:angular:20180202 | assets/www/lib/angular-cookies/angular-cookies.min.js, assets/www/lib/angular-cookies/angular-cookies.js
  | 1.4.3 | SNYK-npm:angular:20150807, SNYK-npm:angular:20150909, SNYK-npm:angular:20150310, SNYK-npm:angular:20171018, SNYK-npm:angular:20180202 | assets/www/lib/ionic/js/angular/angular-sanitize.js, assets/www/lib/ionic/js/angular/angular-sanitize.min.js, assets/www/lib/ionic/js/angular/angular.js, assets/www/lib/ionic/js/angular/angular-animate.min.js, assets/www/lib/ionic/js/angular/angular-resource.js, assets/www/lib/ionic/js/angular/angular-animate.js, assets/www/lib/ionic/js/angular/angular-resource.min.js, assets/www/lib/ionic/js/angular/angular.min.js
  | 1.5.3   ...

shankari commented 4 years ago

@PatGendre where are you seeing this warning? I haven't received any emails about this.

shankari commented 4 years ago

out of the two angular sub-packages listed there

angular-sanitize.js is included by ionic

├─┬ ionic#1.3.1 (latest is 1.3.5)
│ ├── angular#1.5.3 (latest is 1.7.8)
│ ├─┬ angular-animate#1.5.3 (latest is 1.7.8)
│ │ └── angular#1.5.3
│ ├─┬ angular-sanitize#1.5.3 (latest is 1.7.8)
│ │ └── angular#1.5.3
│ └─┬ angular-ui-router#0.2.13 (latest is 1.0.23)
│   └── angular#1.5.3 (1.7.8 available)

angular cookies is included by angularLocalStorage. I have already migrated away from angularLocalStorage to store data in the SQLite database, although I still use it to store UI-only state (e.g. has the user gone through the walkthrough) because you can access the state directly without using a promise. It should not be hard to migrate the rest of them and remove this dependency.

├─┬ angularLocalStorage#0.3.2
│ ├── angular#1.5.3 incompatible with ~1.4.7 (1.4.14 available, latest is 1.7.8)
│ └─┬ angular-cookies#1.4.14 (latest is 1.7.8)
│   └── angular#1.5.3 incompatible with 1.4.14 (1.4.14 available, latest is 1.7.8)

But I am not sure why local storage or cookies are a security issue. They could be a security issue if you store sensitive information (e.g. passwords) in them. But I've been pretty careful not to do that.
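
To check which bundled files carry which AngularJS version (the "Version" and "Identified files" columns of the report above), the `www` directory can be inventoried by the version banner at the top of each AngularJS release file. This is an added example, not code from the thread or from e-mission; the sample tree is constructed and the function names are hypothetical.

```javascript
const fs = require('node:fs'), os = require('node:os'), path = require('node:path');

// AngularJS release files (core and sub-modules) start with a banner like "@license AngularJS v1.5.3".
const BANNER = /AngularJS v(\d+\.\d+\.\d+)/;

// Walk rootDir; return { version: [relative paths] } for each .js file with a banner.
function inventoryAngular(rootDir) {
  const found = {};
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) { walk(full); continue; }
      if (!entry.name.endsWith('.js')) continue;
      const m = BANNER.exec(fs.readFileSync(full, 'utf8').slice(0, 512)); // banner is at the top
      if (!m) continue;
      const rel = path.relative(rootDir, full).split(path.sep).join('/');
      (found[m[1]] = found[m[1]] || []).push(rel);
    }
  };
  walk(rootDir);
  Object.values(found).forEach((list) => list.sort());
  return found;
}

// Numeric comparison of dotted versions, so that 1.4.3 sorts before 1.4.14.
function cmpVersion(a, b) {
  const [x, y] = [a, b].map((v) => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Constructed sample tree using paths from the report; file bodies are stubs.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'www-'));
  const files = {
    'lib/angular-cookies/angular-cookies.js': '/**\n * @license AngularJS v1.4.14\n */',
    'lib/ionic/js/angular/angular.js': '/**\n * @license AngularJS v1.5.3\n */',
    'lib/ionic/js/angular/angular.min.js': '/*\n AngularJS v1.5.3\n*/',
    'js/app.js': '// application code, no AngularJS banner',
  };
  for (const [rel, body] of Object.entries(files)) {
    fs.mkdirSync(path.join(root, path.dirname(rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), body);
  }
  return root;
}

const inv = inventoryAngular(buildSampleTree());
for (const v of Object.keys(inv).sort(cmpVersion)) console.log(v, inv[v]);
```

Pointing `inventoryAngular` at a real build's `www` directory shows every copy a dependency has pulled in, which is the starting point for deciding which package to upgrade or remove.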

shankari commented 4 years ago

I don't see any security warnings for sanitize, which is part of the core angular library https://docs.angularjs.org/api/ngSanitize/service/$sanitize and angular is from google, so I am not quite sure what is going on.

PatGendre commented 4 years ago

@shankari

> where are you seeing this warning? I haven't received any emails about this.

in the Google Play console

PatGendre commented 4 years ago

alert-GPS-scrshot

shankari commented 4 years ago

ok I see the same message in my console. BUT I only see it for emTripLog, not e-mission.

shankari commented 4 years ago

And my alerts are only for angular-cookies and jquery. I wonder if the sanitize dependency was due to the i18n changes; I have not updated the deployed apps since the i18n changes, although you have.

shankari commented 4 years ago

I can update the angularLocalStorage version (which is the simple fix) or if that doesn't work, remove the dependency. That should fix both the cookies and the jquery alerts in emTripLog.

sanitize will require more work.

PatGendre commented 4 years ago

you are right, this may be the reason, the i18n update.

shankari commented 4 years ago

I looked through the code and we definitely do sanitize as part of i18n. And I remember the discussion with Loic about it as well. https://github.com/e-mission/e-mission-phone/blob/59a3fd72ca9e60184797132d97f8db416425e319/www/js/app.js#L109

However it looks like that module does not actually depend on ngSanitize, which is what the angular-sanitize module provides. Instead, that module is used by goals.js, which is the habitica integration that nobody cares about.

If you remove or have removed goals.js, then you should also be able to remove the dependency on angular-sanitize and all your warnings should go away.

I will get to this sometime in the next few weeks as well.

shankari commented 4 years ago

Actually, I take that back. Although there is no explicit dependency added by angular-translate, that is because the dependency already existed.

angular-translate does depend on angular-sanitize https://github.com/angular-translate/angular-translate/blob/aafbc39f6e22dba3a27652c24ddb1be1eb266985/bower.json#L17

and it is an even older version of angular-sanitize (1.2.26).

PatGendre commented 4 years ago

Ok, so it might be more difficult to remove the dependency. Anyway I suppose this warning is not really critical, so not urgent?

shankari commented 4 years ago

So according to the related Google Help Center article https://support.google.com/faqs/answer/9464300

> This information is intended for developers with app(s) that contain one or more Java or JavaScript libraries with known security issues (e.g., common vulnerabilities and exposures - CVEs). Although unintended by the app developer, including such vulnerable libraries in an app can put app users at risk. A list of detected unsafe libraries and their locations can be found in the Play Console notification for your app.

However, when I search the CVE repository directly, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=angular the only match related to angular-sanitize is for textAngular-sanitize.js which we don't use.

Would you have the time to file a stackoverflow post and ask them which CVE they refer to?

> If you have technical questions about the vulnerability, you can post to Stack Overflow and use the tag “android-security.”

shankari commented 4 years ago

I also don't see a CVE for angular-cookies and angularLocalStorage has not updated their dependency. https://github.com/agrublev/angularLocalStorage/blob/master/bower.json#L16

Maybe ask for both and let's see what they say.

PatGendre commented 4 years ago

@shankari Ok thanks, I'll do that tomorrow

shankari commented 4 years ago

Just filed SO question; let's see if they respond https://stackoverflow.com/questions/58400284/angular-sanitize-and-angular-cookies-cve-warnings-in-google-play-console

shankari commented 4 years ago

the question on SO has not yet been answered. So I assume that this is a false positive. If it is not answered by the end of this calendar year, I plan to close this issue.

shankari commented 4 years ago

closing now due to lack of response

venu198 commented 2 years ago

Can you help me understand what this issue is? Many thanks to whoever helps me with this.

Vulnerable libraries Your app contains one or more libraries with known security issues. Please see this Google Help Centre article for details.

JavaScript angular.js 1.5.3 SNYK-npm:angular:20171018, SNYK-npm:angular:20180202 assets/www/lib/angular/angular.js, assets/www/lib/angular-animate/angular-animate.min.js, assets/www/lib/ionic/js/angular/angular-resource.js, assets/www/lib/angular-sanitize/angular-sanitize.js, assets/www/lib/angular-sanitize/angular-sanitize.min.js, assets/www/lib/ionic/js/angular/angular-sanitize.js, assets/www/lib/ionic/js/angular/angular-resource.min.js, assets/www/lib/angular/angular.min.js, assets/www/lib/ionic/js/angular/angular-animate.js, assets/www/lib/ionic/js/angular/angular-sanitize.min.js, assets/www/lib/ionic/js/angular/angular-animate.min.js, assets/www/lib/angular-animate/angular-animate.js, assets/www/lib/ionic/js/angular/angular.min.js, assets/www/lib/ionic/js/angular/angular.js

rahilkalia1234 commented 2 years ago

contains one or more libraries with known secur

Did you get your answer?

shankari commented 2 years ago

Please see the history of the issue.

The SO question for my dependencies has not been answered. But you should check for the library that is flagged in your case.

Unless you are using the e-mission platform, my investigation here won't help you directly.

hathemi commented 2 years ago

@venu198 I have exactly the same problem. Did you find a solution, please?

mahmoudRefaey commented 1 year ago

Can you help me understand what this issue is? Many thanks to whoever helps me with this.

Vulnerable libraries Your app contains one or more libraries with known security issues. Please see this Google Help Centre article for details.

JavaScript angular.js 1.5.3 SNYK-npm:angular:20171018, SNYK-npm:angular:20180202 assets/www/lib/angular/angular.js, assets/www/lib/angular-animate/angular-animate.min.js, assets/www/lib/ionic/js/angular/angular-resource.js, assets/www/lib/angular-sanitize/angular-sanitize.js, assets/www/lib/angular-sanitize/angular-sanitize.min.js, assets/www/lib/ionic/js/angular/angular-sanitize.js, assets/www/lib/ionic/js/angular/angular-resource.min.js, assets/www/lib/angular/angular.min.js, assets/www/lib/ionic/js/angular/angular-animate.js, assets/www/lib/ionic/js/angular/angular-sanitize.min.js, assets/www/lib/ionic/js/angular/angular-animate.min.js, assets/www/lib/angular-animate/angular-animate.js, assets/www/lib/ionic/js/angular/angular.min.js, assets/www/lib/ionic/js/angular/angular.js

How did you solve this issue?