Bump protobuf to 3.25.5 (#6343)

Per [b/371058443](https://b.corp.google.com/issues/371058443),

This bumps our protobuf deps to `3.25.5` to address [CVE
2024-7254](GHSA-735f-pc8j-v9w8).

All relevant libraries should have a changelog attached, unless I missed
any.

This PR also fixes the following:

- [b/371223043](https://b.corp.google.com/issues/371223043) -> Migrate
protobuf deps to version catalog

Fixes #6336

---------

Co-authored-by: Rodrigo Lazo <[email protected]>

Author: daymxn

build.gradle

@@ -54,9 +54,6 @@ ext {
     robolectricVersion = libs.versions.robolectric.get()
     androidxTestCoreVersion = libs.versions.androidx.test.core.get()
     androidxTestJUnitVersion = libs.versions.androidx.test.junit.get()
-    protocVersion = libs.versions.protoc.get()
-    javaliteVersion = libs.versions.javalite.get()
-    protobufJavaUtilVersion = libs.versions.protobufjavautil.get()
 }
 
 apply plugin: com.google.firebase.gradle.plugins.PublishingPlugin

encoders/firebase-encoders-proto/CHANGELOG.md

@@ -1,3 +1,4 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 

encoders/firebase-encoders-proto/firebase-encoders-proto.gradle

@@ -32,7 +32,7 @@ java {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
 }
 
@@ -47,7 +47,7 @@ dependencies {
     testAnnotationProcessor project(':encoders:firebase-encoders-processor')
 
     testImplementation 'com.google.guava:guava:31.0-jre'
-    testImplementation "com.google.protobuf:protobuf-java-util:$protobufJavaUtilVersion"
+    testImplementation libs.protobuf.java.util
     testImplementation "com.google.truth:truth:$googleTruthVersion"
     testImplementation 'com.google.truth.extensions:truth-proto-extension:1.0'
     testImplementation 'junit:junit:4.13.1'

encoders/protoc-gen-firebase-encoders/protoc-gen-firebase-encoders.gradle

@@ -22,7 +22,7 @@ plugins {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
 }
 

encoders/protoc-gen-firebase-encoders/tests/tests.gradle

@@ -26,7 +26,7 @@ dependencies {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     plugins {
         firebaseEncoders {
@@ -51,7 +51,7 @@ dependencies {
 
     testImplementation project(":encoders:firebase-encoders")
     testImplementation project(":encoders:firebase-encoders-proto")
-    testImplementation "com.google.protobuf:protobuf-java:3.21.9"
+    testImplementation libs.protobuf.java
     testImplementation "com.google.truth:truth:1.0.1"
     testImplementation 'junit:junit:4.13.1'
 }

firebase-config/CHANGELOG.md

@@ -1,5 +1,6 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 22.0.0
 * [changed] Bump internal dependencies

firebase-crashlytics-ndk/firebase-crashlytics-ndk.gradle

@@ -124,7 +124,7 @@ dependencies {
 
     androidTestImplementation "androidx.test:core:$androidxTestCoreVersion"
     androidTestImplementation 'androidx.test:runner:1.4.0'
-    androidTestImplementation "com.google.protobuf:protobuf-javalite:$javaliteVersion"
+    androidTestImplementation libs.protobuf.java.lite
     androidTestImplementation 'com.linkedin.dexmaker:dexmaker:2.28.1'
     androidTestImplementation 'com.linkedin.dexmaker:dexmaker-mockito:2.28.1'
     androidTestImplementation 'org.mockito:mockito-core:3.4.3'

firebase-crashlytics/CHANGELOG.md

@@ -1,4 +1,7 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
+
 
 # 19.2.0
 * [fixed] Improved data consistency for rapid user actions.

firebase-crashlytics/firebase-crashlytics.gradle

@@ -104,7 +104,7 @@ dependencies {
     androidTestImplementation(libs.androidx.test.runner)
     androidTestImplementation(libs.androidx.test.junit)
     androidTestImplementation("com.google.firebase:firebase-encoders-json:18.0.1")
-    androidTestImplementation("com.google.protobuf:protobuf-java:3.21.11")
+    androidTestImplementation(libs.protobuf.java)
     androidTestImplementation(libs.truth)
     androidTestImplementation("com.linkedin.dexmaker:dexmaker:2.28.3")
     androidTestImplementation(libs.mockito.dexmaker)

firebase-dataconnect/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 16.0.0-beta01
 * [feature] Initial release of the Data Connect SDK (public preview). Learn how to
@@ -19,3 +21,4 @@
   ([#6299](https://github.com/firebase/firebase-android-sdk/pull/6299))
 * [changed] Added `equals` and `hashCode` methods to `GeneratedConnector`.
   ([#6177](https://github.com/firebase/firebase-android-sdk/pull/6177))
+

firebase-firestore/CHANGELOG.md

@@ -1,5 +1,6 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 25.1.0
 * [feature] Add support for the VectorValue type. [#6154](//github.com/firebase/firebase-android-sdk/pull/6154)

firebase-firestore/firebase-firestore.gradle

@@ -36,7 +36,7 @@ protobuf {
     // Configure the protoc executable
     protoc {
         // Download from repositories
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     plugins {
         grpc {
@@ -164,7 +164,7 @@ dependencies {
     testImplementation 'org.mockito:mockito-core:2.25.0'
     testImplementation "org.robolectric:robolectric:$robolectricVersion"
 
-    testCompileOnly "com.google.protobuf:protobuf-java:$protocVersion"
+    testCompileOnly libs.protobuf.java
 
     androidTestImplementation "androidx.annotation:annotation:1.1.0"
     androidTestImplementation 'androidx.test:rules:1.5.0'

firebase-firestore/ktx/ktx.gradle

@@ -71,5 +71,5 @@ dependencies {
     testImplementation 'org.mockito:mockito-core:2.25.0'
     testImplementation "org.robolectric:robolectric:$robolectricVersion"
 
-    testCompileOnly "com.google.protobuf:protobuf-java:$protocVersion"
+    testCompileOnly libs.protobuf.java
 }

firebase-inappmessaging-display/CHANGELOG.md

@@ -1,5 +1,6 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 21.0.0
 * [fixed] Fixed bad token exception while showing FIAM

firebase-inappmessaging/CHANGELOG.md

@@ -1,5 +1,6 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 21.0.0
 * [fixed] Fixed bad token exception while showing FIAM

firebase-inappmessaging/firebase-inappmessaging.gradle

@@ -32,7 +32,7 @@ protobuf {
     // Configure the protoc executable
     protoc {
         // Download from repositories
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     plugins {
         grpc {

firebase-messaging/CHANGELOG.md

@@ -1,4 +1,7 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
+
 
 # 24.0.2
 * [changed] Included message priority when logging to Firelog.

firebase-messaging/firebase-messaging.gradle

@@ -25,7 +25,7 @@ protobuf {
         protobuild project(path: ':encoders:protoc-gen-firebase-encoders', configuration: 'shadow')
 }
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     plugins {
         firebaseEncoders {

firebase-ml-modeldownloader/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 
 # 25.0.0

firebase-ml-modeldownloader/firebase-ml-modeldownloader.gradle

@@ -34,7 +34,7 @@ protobuf {
     // Configure the protoc executable
     protoc {
         // Download from repositories
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     generateProtoTasks {
         all().each { task ->
@@ -121,7 +121,7 @@ dependencies {
     testImplementation 'androidx.test:runner:1.5.1'
     testImplementation "androidx.test.ext:junit:$androidxTestJUnitVersion"
     testImplementation 'com.github.tomakehurst:wiremock-standalone:2.26.3'
-    testImplementation "com.google.protobuf:protobuf-java-util:$protobufJavaUtilVersion"
+    testImplementation libs.protobuf.java.util
     testImplementation "com.google.truth:truth:$googleTruthVersion"
     testImplementation 'com.google.truth.extensions:truth-proto-extension:1.0'
     testImplementation 'junit:junit:4.13-beta-2'

firebase-perf/CHANGELOG.md

@@ -1,5 +1,6 @@
 # Unreleased
-
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 # 21.0.1
 * [fixed] Fixed an `ExceptionInInitializerError` where the `url.openStream()` causes a crash if

firebase-perf/firebase-perf.gradle

@@ -36,7 +36,7 @@ firebaseLibrary {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     generateProtoTasks {
         all().each { task ->
@@ -104,7 +104,7 @@ dependencies {
     implementation "androidx.annotation:annotation:1.1.0"
     implementation "androidx.lifecycle:lifecycle-process:2.3.1"
     implementation "com.google.android.gms:play-services-tasks:18.0.1"
-    implementation "com.google.protobuf:protobuf-javalite:$javaliteVersion"
+    implementation libs.protobuf.java.lite
     implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlinVersion"
     implementation 'androidx.annotation:annotation:1.7.0'
     implementation 'androidx.appcompat:appcompat:1.2.0'
@@ -130,7 +130,7 @@ dependencies {
          exclude group: 'com.google.firebase', module: 'firebase-common'
          exclude group: 'com.google.firebase', module: 'firebase-components'
      }
-    testCompileOnly "com.google.protobuf:protobuf-java:3.21.9"
+    testCompileOnly libs.protobuf.java
     testImplementation "androidx.test:core:$androidxTestCoreVersion"
     testImplementation "com.google.truth:truth:$googleTruthVersion"
     testImplementation "org.robolectric:robolectric:$robolectricVersion"

firebase-perf/ktx/ktx.gradle

@@ -59,5 +59,5 @@ dependencies {
     testImplementation 'org.mockito:mockito-core:2.25.0'
     testImplementation "org.robolectric:robolectric:$robolectricVersion"
 
-    testCompileOnly "com.google.protobuf:protobuf-java:3.21.9"
+    testCompileOnly libs.protobuf.java
 }

gradle/libs.versions.toml

@@ -9,14 +9,14 @@ coroutines = "1.7.3"
 dagger = "2.43.2"
 grpc = "1.62.2"
 grpcKotlin = "1.4.1"
-javalite = "3.21.11"
+javalite = "3.25.5"
 kotlin = "1.8.22"
 mockk = "1.13.11"
 serialization-plugin = "1.8.22"
-protoc = "3.21.11"
+protoc = "3.25.5"
 truth = "1.4.2"
 robolectric = "4.12"
-protobufjavautil = "3.21.11"
+protobufjavautil = "3.25.5"
 kotest = "5.9.0" # Do not use 5.9.1 because it reverts the fix for https://github.com/kotest/kotest/issues/3981
 quickcheck = "0.6"
 serialization = "1.5.1"

protolite-well-known-types/protolite-well-known-types.gradle

@@ -26,7 +26,7 @@ firebaseLibrary {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = "com.google.protobuf:protoc:3.21.11"
     }
     generateProtoTasks {
         all().each { task ->
@@ -68,5 +68,5 @@ dependencies {
         exclude group: "com.google.protobuf", module: "protobuf-java"
     }
 
-    implementation "com.google.protobuf:protobuf-javalite:$javaliteVersion"
+    implementation "com.google.protobuf:protobuf-javalite:3.21.11"
 }

transport/transport-backend-cct/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 
 # 3.3.0

transport/transport-backend-cct/transport-backend-cct.gradle

@@ -29,7 +29,7 @@ protobuf {
     // Configure the protoc executable
     protoc {
         // Download from repositories
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     generateProtoTasks {
         all().each { task ->
@@ -71,7 +71,7 @@ dependencies {
 
     testImplementation "androidx.test:core:$androidxTestCoreVersion"
     testImplementation 'com.github.tomakehurst:wiremock:3.0.1'
-    testImplementation "com.google.protobuf:protobuf-java-util:$protobufJavaUtilVersion"
+    testImplementation libs.protobuf.java.util
     testImplementation "com.google.truth:truth:$googleTruthVersion"
     testImplementation 'com.google.truth.extensions:truth-proto-extension:1.0'
     testImplementation 'junit:junit:4.13.1'

transport/transport-runtime/CHANGELOG.md

@@ -1,4 +1,6 @@
 # Unreleased
+* [changed] Updated protobuf dependency to `3.25.5` to fix
+  [CVE-2024-7254](https://github.com/advisories/GHSA-735f-pc8j-v9w8).
 
 
 # 3.3.0

transport/transport-runtime/transport-runtime.gradle

@@ -26,7 +26,7 @@ dependencies {
 
 protobuf {
     protoc {
-        artifact = "com.google.protobuf:protoc:$protocVersion"
+        artifact = libs.protoc.get().toString()
     }
     plugins {
         firebaseEncoders {