Google Play Store security alert says that your app contains vulnerable JavaScript libraries: how to remove the security warning?

烈酒焚心 submitted on 2019-12-07 04:46:50

Question


In the Google Play Store I am getting a warning like the one below:

Your app contains one or more libraries with known security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript libraries:

  • Name --> jquery
  • Version --> 3.3.1
  • Known issues --> SNYK-JS-JQUERY-174006
  • Identified files --> res/raw/jquery_min.js

Note: when loading the WebView in my app, I intercept the request for the WebView URL and load the local jquery_min.js file from the raw resource folder, which helps us load the web page faster. Thanks to this function I save 5 GB of downloads from the server per month.

Sample WebView Program

    LoadLocalScripts localScripts = new LoadLocalScripts(this);
    webView.setWebViewClient(new WebViewClient() {

        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return true;
        }

        // Show loader on URL load
        @Override
        public void onLoadResource(WebView view, String url) {
        }

        @Override
        public void onPageFinished(WebView view, String url) {
        }

        @Override
        public void onReceivedError(WebView view, int errorCode, String description, String failingUrl) {
        }

        // Serve a bundled copy when one exists; otherwise let the WebView fetch from the network
        @Override
        public WebResourceResponse shouldInterceptRequest(final WebView view, String url) {
            WebResourceResponse response = localScripts.getLocalSCripts(url);
            if (response == null) {
                return super.shouldInterceptRequest(view, url);
            } else {
                return response;
            }
        }
    });

    webView.loadUrl(url);

Class for Loading local scripts

    import android.content.Context;
    import android.webkit.WebResourceResponse;

    import java.io.InputStream;

    public class LoadLocalScripts {
        private Context ctx;

        public LoadLocalScripts(Context context) {
            ctx = context;
        }

        // Map a requested URL to a bundled raw resource; null means "not bundled, load normally"
        public WebResourceResponse getLocalSCripts(String url) {
            //Log.e("url_raw",url);

            if (url.contains(".css")) {
                if (url.contains("bootstrap.min.css")) {
                    return getCssWebResourceResponseFromRawResource("bootstrap_min.css");
                } else {
                    return null;
                }
            } else if (url.contains(".js")) {
                if (url.contains("bootstrap.min.js")) {
                    return getScriptWebResourceResponseFromRawResource("bootstrap_min.js");
                } else if (url.contains("jquery.lazyload.min.js")) {
                    return getScriptWebResourceResponseFromRawResource("lazyload_min.js");
                } else {
                    return null;
                }
            } else {
                return null;
            }
        }

        /**
         * Return WebResourceResponse with CSS markup from a raw resource (e.g. "raw/style.css").
         */
        private WebResourceResponse getCssWebResourceResponseFromRawResource(String url) {
            //Log.e("url_raw",url);
            if (url.equalsIgnoreCase("bootstrap_min.css")) {
                return getUtf8EncodedCssWebResourceResponse(ctx.getResources().openRawResource(R.raw.bootstrap_min));
            } else {
                return null;
            }
        }

        /**
         * Return WebResourceResponse with JavaScript from a raw resource.
         */
        private WebResourceResponse getScriptWebResourceResponseFromRawResource(String url) {
            //Log.e("url_raw",url);
            if (url.equalsIgnoreCase("bootstrap_min.js")) {
                return getUtf8EncodedScriptWebResourceResponse(ctx.getResources().openRawResource(R.raw.bootstrap_min_js));
            } else if (url.equalsIgnoreCase("lazyload_min.js")) {
                return getUtf8EncodedScriptWebResourceResponse(ctx.getResources().openRawResource(R.raw.lazyload_min));
            } else {
                return null;
            }
        }

        private WebResourceResponse getUtf8EncodedCssWebResourceResponse(InputStream data) {
            return new WebResourceResponse("text/css", "UTF-8", data);
        }

        private WebResourceResponse getUtf8EncodedScriptWebResourceResponse(InputStream data) {
            return new WebResourceResponse("text/javascript", "UTF-8", data);
        }
    }

  1. If I update to a new jQuery script, will Google Play remove the Security Alert (Vulnerable JavaScript libraries)?
  2. If I place the jQuery script somewhere else in my app, will Google Play remove the Security Alert?
  3. Let me know what is the efficient way of loading the script in the WebView without loading it every time from the server.

Answer 1:


This issue refers to an old vulnerability of jquery from your res/raw/jquery_min.js file.

Just update jquery_min.js to v3.4.1 to fix it.

You can fix it manually in your file by changing the code:

From:

    if(null!=(e=arguments[s]))for(t in e)n=a[t],a!==(r=e[t])&&(l&&r&&(w.isPlainObject(r)||

To:

    if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(k.isPlainObject(r)||

I found this solution at https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery/ and it worked for me.
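
The two minified fragments in the answer above differ by the `"__proto__"!==t` check inside the deep-extend loop. As an added example (not code from the answer or from jQuery), the simplified merge below reproduces both variants and provides a regression check that confirms an extend function skips a `__proto__` key; the function names and the probe property are hypothetical.

```javascript
// Added example, not jQuery source: a simplified deep merge shaped like the loop above.
// All names here (isPlainObject, deepExtend, allowsPrototypePollution) are hypothetical.
function isPlainObject(v) {
  return Object.prototype.toString.call(v) === "[object Object]";
}

// guardProto = false behaves like the "From" fragment, true like the "To" fragment.
function deepExtend(target, source, guardProto) {
  for (const key in source) {
    const src = source[key];
    if (guardProto && key === "__proto__") continue; // the check the fix adds
    if (target === src) continue;                    // prevent a self-referencing loop
    if (src && isPlainObject(src)) {
      const existing = target[key];
      target[key] = deepExtend(isPlainObject(existing) ? existing : {}, src, guardProto);
    } else if (src !== undefined) {
      target[key] = src;
    }
  }
  return target;
}

// Regression check: does merging parsed JSON with a "__proto__" key change Object.prototype?
function allowsPrototypePollution(extendFn) {
  const marker = "pollution_probe"; // constructed property name
  const parsed = JSON.parse('{"__proto__": {"' + marker + '": true}}');
  try {
    extendFn({}, parsed);
    return ({})[marker] === true;
  } finally {
    delete Object.prototype[marker]; // always restore the global prototype
  }
}

const unguarded = allowsPrototypePollution((t, s) => deepExtend(t, s, false));
const guarded = allowsPrototypePollution((t, s) => deepExtend(t, s, true));
console.log({ unguarded, guarded });
```

With jQuery loaded, the same check can be run against the copy shipped in the app as `allowsPrototypePollution((t, s) => jQuery.extend(true, t, s))`.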




Answer 2:


Security notification

Your application contains one or more libraries that have general security issues. Please see this Google Help Center article for details.

Vulnerable JavaScript library:

  • Name --> jquery
  • Version --> 2.2.4
  • Known issue --> SNYK-npm:jquery:20150627, SNYK-JS-JQUERY-174006
  • File identified --> assets/jquery-2.2.4.min.js

Affects APK version 9.

Problem: I have used jQuery version 3.4.1 and it has an effect on the appearance of my application; for example, in the display theme, the application icon is not visible and becomes messy.

Correct ... I changed to version 3.4.1 and the security warning from Google was resolved, but the application icon is not visible and becomes messy.



Source: https://stackoverflow.com/questions/58316191/google-play-store-security-alert-says-that-your-app-contains-vulnerable-javascri
