Firebase crashlytics 19.2.1 still includes CVE-2024-7254 vulnerable library

[xiaobc-mika]

Hello, according to the crashlytics 19.2.1 release notes, CVE-2024-7254 was resolved by updating protobuf.

However it seems a vulnerable version of protobuf-javalite com.google.protobuf:protobuf-javalite:3.10.0 is shaded into androidx.datastore:datastore-preferences-core:1.0.0

|    |    |    +--- com.google.firebase:firebase-crashlytics -> 19.2.1
|    |    |    |    +--- com.google.firebase:firebase-sessions:2.0.6
|    |    |    |    |    +--- androidx.datastore:datastore-preferences:1.0.0
|    |    |    |    |    |    \--- androidx.datastore:datastore-preferences-core:1.0.0

This is being picked up by the OWASP dependency scanner plugin, from the file File Path: /home/runner/.gradle/caches/modules-2/files-2.1/androidx.datastore/datastore-preferences-core/1.0.0/403f64499b9a8994f5f7010329ddd1ee5c919ed5/datastore-preferences-core-1.0.0.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[lehcar09]

Hi @xiaobc-mika, thank you for reaching out and reporting the vulnerability issue. I'll raise this to our engineers and see what we can do here. Thanks!