Transitive dependency intellij-core contain CVE-2022-23305 vulnerability and it's block by our firewall

[johnrider26]

Hello,
I have a problem with capacitor [android] when I try to build my app in release mode.
For many securities raisons in the company I'm working for, all repositories are behind a nexus firewall and the firewall blocks intellij-core dependency because it finds thess vulnerabilities :

I searched on a lot of community websites including StackOverFlow and the only answer that I found is : [Android IntelliJ core library containing log4j 1.2.17

This dependency is used by these tasks on my project :

• capacitor-filesystem:extractReleaseAnnotations
• capacitor-splash-screen:extractReleaseAnnotations
• capacitor-cordova-android-plugins:extractReleaseAnnotations
• capacitor-camera:extractReleaseAnnotations
• capacitor-android:extractReleaseAnnotations

Here an example of my console log :

5: Task failed with an exception.
-----------
* What went wrong:
Execution failed for task ':capacitor-android:extractReleaseAnnotations'.
> Could not resolve all files for configuration ':capacitor-android:detachedConfiguration2'.
   > Could not download intellij-core-30.2.1.jar (com.android.tools.external.com-intellij:intellij-core:30.2.1)
      > Could not get resource 'https://si-devops-mirror.***.fr/repository/dl.google.com/com/android/tools/external/com-intellij/intellij-core/30.2.1/intellij-core-30.2.1.jar'.
         > Could not HEAD 'https://si-devops-mirror.***.fr/repository/dl.google.com/com/android/tools/external/com-intellij/intellij-core/30.2.1/intellij-core-30.2.1.jar'.
            > 403 forbidden

This error comes when I try to build the app in release mode on Android Studio or when I launch the capacitor:run command
ionic capacitor run --c=release in my angular / ionic project.

Do you have any idea how to bypass this dependency ?

Thanks in advance for your help 😊

Jonathan

[johnrider26]

The problem was solved by updating Gradle to version 5.1 and Android Gradle to version 7.4.0