We are using flutter sdk version 3.24.5. As part of SCA scan on apk, we have found below dependencies without any release version
List of dependencies
-
BoringSSL
-
Protobuf
-
nanopb
-
FlatBuffers
-
google/skiacanvaskit
-
libjpeg-turbo
-
libpng
-
The FreeType Project
The tool used for scanning is Blackduck.
We would like to understand which version of the above dependencies are included in flutter engine ie libflutter.so
For example, in Blackduck scanning tool we get libpng dependency reference from libpng Home Page we understand that flutter fetches the latest released version at the time of releasing flutter engine. Thus, based on the tags we have considered v1.6.44
&
BoringSSL dependency reference from platform/external/boringssl - Git at Google we understand that flutter fetches the latest released version at the time of releasing flutter engine. Thus, based on the tags we have considered android-14.0.0+r11
In DEPS file we found commit Id but we need to find exact version.
Is there any way to trace the exact versions bundled with this Flutter SDK release? Are there specific files or dependencies that provide this information?