
A vulnerability, CVE-2022-38750, was found in the Android app.

As I see on mvnrepository.com/artifact/org.yaml/snakeyaml, this vulnerability is in the snakeyaml library. In the app, there is no direct usage of this library.

After using:

`.\gradlew app:dependencies --configuration xyz`

I don't see this library being used anywhere.

How can I find which library has snakeyaml in dependencies?

  • perhaps it's a dependency of one of the libraries you're using? try looking at their maven artefacts – Shark Nov 25 '22 at 11:04
  • @Shark how can I look at the libraries' dependencies? `.\gradlew app:dependencies` doesn't list all dependencies? – jannow90 Nov 25 '22 at 11:58
  • Libraries can be repacked and included in other libraries so that they don't appear as a dependency. Load the APK file you have into a decompiler like Jadx and search for snakeyaml-relevant packages or strings. If you find a reference to a snakeyaml class outside of the classes that belong to snakeyaml, you have a starting point (assuming this package is not obfuscated, or you manage to find a string that allows you to guess which library it belongs to). – Robert Nov 25 '22 at 12:36
  • nope, `./gradlew app:dependencies` does not list all dependencies and I think it omits transitive dependencies as well. Ideally you want to find the plugin that draws a dependency graph, and then find snakeyaml somewhere in it, and go up the dependency chain to a library you recognize, and then **hopefully** tell the dependency not to include (to exclude) snakeyaml and still have a functional crash-free app. Realistically, that will most likely not be the case :D See [link](https://stackoverflow.com/questions/39008887/how-do-i-show-dependencies-tree-in-android-studio) – Shark Nov 25 '22 at 15:50
