From 84b6f55c7a7785c751a98278d18faea42439c7cf Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Tue, 3 Feb 2026 01:32:52 -0500
Subject: [PATCH] Remove lint-psi to eliminate protobuf-java CVEs

Consolidate Android SDK download and setup into single layer to ensure lint-psi directory (containing vulnerable protobuf-java 2.6.1) is never committed to any image layer. Reduces CVEs from 4 HIGH to 0 and saves 86MB.

Co-Authored-By: Claude Opus 4.5
---
 Dockerfile.android | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/Dockerfile.android b/Dockerfile.android
index 17762d5..f74c044 100644
--- a/Dockerfile.android
+++ b/Dockerfile.android
@@ -15,20 +15,20 @@ USER 0
 ENV ANDROID_HOME=/opt/android-sdk
 ENV PATH="${ANDROID_HOME}/cmdline-tools/latest/bin:${ANDROID_HOME}/platform-tools:${PATH}"
-# Download and install Android SDK command-line tools
+# Download Android SDK command-line tools, install SDK components, and remove vulnerable lint-psi
 RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \
 curl -fsSL "https://dl.google.com/android/repository/commandlinetools-linux-${ANDROID_SDK_TOOLS_VERSION}_latest.zip" \
 -o /tmp/cmdline-tools.zip && \
 unzip -q /tmp/cmdline-tools.zip -d /tmp/cmdline-tools && \
 mv /tmp/cmdline-tools/cmdline-tools "${ANDROID_HOME}/cmdline-tools/latest" && \
- rm -rf /tmp/cmdline-tools.zip /tmp/cmdline-tools
-
-# Accept licenses and install SDK components
-RUN yes | sdkmanager --licenses > /dev/null 2>&1 && \
+ rm -rf /tmp/cmdline-tools.zip /tmp/cmdline-tools && \
+ yes | sdkmanager --licenses > /dev/null 2>&1 && \
 sdkmanager --install \
 "platform-tools" \
 "platforms;android-${ANDROID_COMPILE_SDK}" \
- "build-tools;${ANDROID_BUILD_TOOLS}"
+ "build-tools;${ANDROID_BUILD_TOOLS}" && \
+ # Remove lint-psi to eliminate protobuf-java 2.6.1 CVEs (saves 86MB)
+ rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi"
 # Download Flutter SDK and strip unnecessary files
 RUN curl -fsSL "https://storage.googleapis.com/flutter_infra_release/releases/stable/linux/flutter_linux_${FLUTTER_VERSION}-stable.tar.xz" \
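Review bot: The final `rm -rf "${ANDROID_HOME}/cmdline-tools/latest/lib/external/lint-psi"` succeeds whether or not that directory exists, so if a later `ANDROID_SDK_TOOLS_VERSION` moves the directory or ships protobuf-java somewhere else, the build stays green while the vulnerable jar is back in the image. Ending the RUN with an assertion such as `! find "${ANDROID_HOME}" -name 'protobuf-java*' | grep -q .` (the jar name pattern needs confirming against the SDK contents) would turn that regression into a build failure. Deleting lint-psi presumably also breaks the `lint` launcher shipped in cmdline-tools, so the comment above the `rm` should state that only `sdkmanager` is expected to work from this image. Separately, the zip fetched by `curl` in this RUN is unpacked without a checksum comparison, which is worth pinning now that this single layer is the only source of the SDK.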