
I am compiling my android application using the Android SDK Platform 33. When running static analysis of the apk I am seeing references to the library Expat version 2.4.8. This version has a known vulnerability and I would like to have the newest version of Expat (2.5.0) used in the application. Is this library a dependency of the Android SDK, and if so do I have any options here to update Expat to the newest version?

I am using .NET Maui with the Android SDK 33 to compile an Android version of my application. I was expecting when updating to the newest Android SDK that the vulnerable version of Expat would have been replaced with a newer version. The version of Expat used did not change.

grant22
  • I created a Xamarin Android app and compiled the app with the Android SDK Platform 33, but I couldn't find the library `Expat`. You can recheck whether your other libraries depend on this library. – Jessie Zhang -MSFT May 29 '23 at 07:24
  • @JessieZhang-MSFT Thank you for checking, it looks like it was a library from Telerik, Telerik.UI.for.Maui 5.1.0 to be exact. – grant22 May 30 '23 at 13:34
  • Hi folks, we've done some research and this dependency comes from the Skia library; please find the source here: https://github.com/google/skia/blob/e648bf802cd2f5c016a07e29c92f61084e01b2d7/BUILD.gn#L384. Our dependency for Telerik.UI.for.Maui comes from Microsoft's SkiaSharp library. @JessieZhang-MSFT I am escalating directly to David O, hopefully they can get it backported to an older, non-affected version. – Lance McCarthy May 31 '23 at 12:27
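As an added example (not code from the question, Telerik, SkiaSharp or Skia), the following Python scan does what the static analysis above did by hand: it lists every native library inside an APK that embeds an Expat version marker and flags those older than 2.5.0, so the finding can be attributed to one specific `.so` rather than to "the Android SDK". It assumes the build keeps the string returned by `XML_ExpatVersion()` (`expat_<major>.<minor>.<micro>`), which is present whenever that function is linked in; the sample APK it builds, including the `libSkiaSharp.so` entry, is a constructed placeholder, not a real binary.

```python
import io
import re
import zipfile

# Expat embeds its version as the string returned by XML_ExpatVersion(),
# e.g. "expat_2.4.8", so a byte-level scan of each native library finds it.
EXPAT_VERSION_RE = re.compile(rb"expat_(\d+\.\d+\.\d+)")

# First version the question treats as fixed.
FIXED_VERSION = (2, 5, 0)


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def find_expat_in_apk(apk_bytes):
    """Return {library path: expat version} for every native library under
    lib/ that embeds an Expat version marker (first marker per library)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            data = apk.read(name)
            for match in EXPAT_VERSION_RE.finditer(data):
                found.setdefault(name, match.group(1).decode())
    return found


def outdated_libraries(apk_bytes, fixed=FIXED_VERSION):
    """Sorted names of native libraries whose embedded Expat is older than `fixed`."""
    return sorted(
        name for name, ver in find_expat_in_apk(apk_bytes).items()
        if parse_version(ver) < fixed
    )


def build_sample_apk():
    """Constructed stand-in for a real APK: a zip with two fake native
    libraries. 'libSkiaSharp.so' is a placeholder name and its bytes are not
    a real ELF file, only the version marker a scanner keys on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/arm64-v8a/libSkiaSharp.so", b"\x7fELF...expat_2.4.8\x00...")
        apk.writestr("lib/arm64-v8a/libmonosgen-2.0.so", b"\x7fELF...no expat here\x00")
        apk.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    print(find_expat_in_apk(sample))   # which .so carries Expat, and which version
    print(outdated_libraries(sample))  # the ones still below 2.5.0
```

Point `find_expat_in_apk` at the bytes of a real APK to see which library (SkiaSharp, per the comment above) carries the 2.4.8 marker.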
