SkiaSharp Native Dependencies

Single source of truth for native dependencies: what's used, what's not, and how to track security vulnerabilities.

Active Dependencies — What SkiaSharp actually compiles
cgmanifest.json — CVE detection setup
Known False Positives — CVEs that don't affect SkiaSharp

Active Dependencies

SkiaSharp uses only a subset of Skia's dependencies. Unused dependencies are commented out in externals/skia/DEPS to reduce attack surface.

Security-Relevant (process untrusted input)

Dependency	Purpose	CVE Name	Platforms
skia	2D graphics engine (core)	skia (via NVD keyword search)	All
libpng	PNG codec	libpng	All
zlib	Compression	zlib	All
libjpeg-turbo	JPEG codec	libjpeg-turbo	All
libwebp	WebP codec	libwebp	All
freetype	Font rendering	freetype	Android, Linux, WASM
harfbuzz	Text shaping	harfbuzz	All (disabled in SkiaSharp)
expat	XML parsing	libexpat	All
brotli	WOFF2 fonts	brotli	All
wuffs	GIF codec	wuffs	All
dng_sdk	RAW images	dng_sdk	Windows

GPU/Graphics

Dependency	Purpose	Platforms
vulkanmemoryallocator	Vulkan memory	Android, Linux, Windows
d3d12allocator	Direct3D memory	Windows
spirv-cross	Shader translation	Vulkan/Metal
vulkan-headers	Vulkan API	Vulkan builds

Supporting

Dependency	Purpose	Platforms
piex	RAW preview	All except Windows, WASM
buildtools	Compiler toolchain	All

cgmanifest.json

Enables Microsoft Component Governance CVE detection.

Problem: Skia mirrors dependencies from chromium.googlesource.com, but CVE databases use upstream names.

Solution: Use type: "other" with canonical names:

json

{
  "component": {
    "type": "other",
    "other": {
      "name": "libpng",
      "version": "1.6.44",
      "downloadUrl": "https://github.com/glennrp/libpng"
    }
  }
}

Name Mapping

DEPS Name	cgmanifest Name	Upstream
skia (core)	`skia`	github.com/google/skia
libpng	`libpng`	github.com/glennrp/libpng
zlib	`zlib`	github.com/madler/zlib
libjpeg-turbo	`libjpeg-turbo`	github.com/libjpeg-turbo/libjpeg-turbo
libwebp	`libwebp`	github.com/webmproject/libwebp
freetype	`freetype`	gitlab.freedesktop.org/freetype/freetype
harfbuzz	`harfbuzz`	github.com/harfbuzz/harfbuzz
expat	`libexpat`	github.com/libexpat/libexpat
brotli	`brotli`	github.com/google/brotli
wuffs	`wuffs`	github.com/google/wuffs-mirror-release-c
dng_sdk	`dng_sdk`	android.googlesource.com/.../dng_sdk

Skia — Special CVE Tracking Notes

Skia is the core dependency and has its own CVEs (integer overflows, heap buffer overflows, etc.). Unlike third-party dependencies, Skia CVEs require special tracking because they are invisible to Component Governance:

No standalone CPE — Skia CVEs are filed under cpe:2.3:a:google:chrome, not skia
Fork URL mismatch — cgmanifest references mono/skia.git, not upstream
No package ecosystem — GitHub Advisory DB has no Skia package mapping

How to Query Skia CVEs

Query the NVD API directly (same as any other dependency's CVE lookup):

GET https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=Skia

This returns all CVEs mentioning "Skia" in their description. To determine which affect us:

Extract the Chrome versionEndExcluding from each CVE's CPE configuration
Map Chrome major version to Skia milestone (Chrome 132.x = m132)
Compare against SkiaSharp's chrome_milestone from cgmanifest.json
Flag CVEs where the fix milestone > our milestone as potentially affected
CVEs without Chrome version info (e.g., Android-specific) are flagged for manual review

cgmanifest.json Fields

The Skia entry in cgmanifest.json includes custom fields for version tracking:

json

{
  "component": {
    "type": "other",
    "other": {
      "name": "skia",
      "version": "chrome/m119",
      "downloadUrl": "https://github.com/google/skia"
    }
  },
  "chrome_milestone": 119,
  "upstream_merge_commit": "fcb55886b914028a99f35fb0ba28e66ff82027e3"
}

Field	Purpose
`chrome_milestone`	Integer milestone number — used to filter NVD results
`upstream_merge_commit`	SHA of the upstream `chrome/mNNN` branch tip that was merged into the fork

When to Update

Update these fields whenever merging new upstream Skia code:

bash

# After merging upstream/chrome/m125 into the fork:
# 1. Update cgmanifest.json chrome_milestone to 125
# 2. Update upstream_merge_commit to the tip of upstream/chrome/m125
# 3. Update version to "chrome/m125"

Skia-Specific False Positives

Not all CVEs are exploitable through SkiaSharp's API surface. Chrome exposes Skia via HTML Canvas, SVG, etc. SkiaSharp exposes a different subset. Each CVE needs manual assessment of whether the vulnerable code path is reachable.
Android-specific CVEs (e.g., in SkiaRenderEngine.cpp) generally don't affect SkiaSharp.
NVD enrichment can lag — CVEs may appear days after the Chrome release.

Known False Positives

Some CVEs flagged against dependencies don't affect SkiaSharp because the vulnerable component isn't compiled.

MiniZip (in zlib) — NOT USED

Status: ❌ Not compiled, not linked

MiniZip is bundled in zlib/contrib/minizip/ but Skia's BUILD.gn excludes it. CVEs mentioning unzip.c, zip.c, ioapi.c, or functions like unzOpen/zipOpen are false positives.

Evidence:

externals/skia/third_party/zlib/BUILD.gn lists only core zlib sources
No MiniZip includes: grep -r "minizip\|unzip\.h" externals/skia/src/ returns nothing

Core zlib IS used — CVEs affecting deflate/inflate/adler32/crc32 DO apply.

FreeType's Bundled zlib

FreeType has its own zlib copy at freetype/src/gzip/. When checking zlib CVEs:

Check if it affects FreeType's bundled copy (different version)
Core Skia zlib and FreeType zlib are separate

security-audit — Find CVEs, verify fixes, generate reports
native-dependency-update — Update dependencies, create PRs

SkiaSharp Native Dependencies

SkiaSharp Native Dependencies

Contents

Active Dependencies

Security-Relevant (process untrusted input)

GPU/Graphics

Supporting

cgmanifest.json

Name Mapping

Skia — Special CVE Tracking Notes

How to Query Skia CVEs

cgmanifest.json Fields

When to Update

Skia-Specific False Positives

Known False Positives

MiniZip (in zlib) — NOT USED

FreeType's Bundled zlib

Related Skills