firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

Veracode issue on firebase-installations #1376

Closed YessineM closed 4 years ago

YessineM commented 4 years ago

Environment

Problem

Description:

Veracode has found low severity issues in com.google.firebase:firebase-installations called: Information Exposure Through Sent Data. Sensitive information may be exposed as a result of outbound network connections made by the application.

Relevant Code:

com.google.firebase:firebase-installations@@16.0.0 249
com.google.firebase:firebase-installations@@16.0.0 309
com.google.firebase:firebase-installations@@16.0.0 337

google-oss-bot commented 4 years ago

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

wilhuff commented 4 years ago

Hi! Thanks for writing in.

Please list the file and line number where the issue was found along with the vulnerability reported. When you do we’ll be able to evaluate what’s reported and apply a fix.

As it stands this report isn’t anything we can act on.

ankitaj224 commented 4 years ago

@andirayo for visibility.

andirayo commented 4 years ago

@YessineM:
Thank you for reporting this!

As @wilhuff pointed out, it would really help us if you could share the full error message and, if available, a full stack trace. The problem with the given line numbers (249, 309, 337) is that they most likely belong to an obfuscated version of Firebase Installations, and we have to run the line numbers through a deobfuscator before we can make sense of the error message.

google-oss-bot commented 4 years ago

Hey @YessineM. We need more information to resolve this issue but there hasn't been an update in 5 weekdays. I'm marking the issue as stale and if there are no new updates in the next 5 days I will close it automatically.

If you have more information that will help us get to the bottom of this, just add a comment!

ankitaj224 commented 4 years ago

As @wilhuff mentioned in #1615 - there is no action to be taken in firebase-installations. I will be closing this issue. Please feel free to reopen it if required.

Thanks.