# Overview

MicroEJ Add-On Library: `Protobuf3`.

This library implements the Lite version of Google's Protocol Buffer library for Java.
It supports Java files generated by `.proto` files compiled
with [protoc 3.7.1](https://repo.maven.apache.org/maven2/com/google/protobuf/protoc/3.7.1/).

It is recommended to use the newly released `Protobuf4` library.

# Security

6 CVEs have been raised as of March, 3rd 2026.

| CVE            | CVSS       | Status          | Summary                                                  |
|:---------------|------------|-----------------|----------------------------------------------------------|
| CVE-2024-7254  | 8.7 HIGH   | Fixed           | Stack overflow via nested group tags                     |
| CVE-2022-3510  | 5.7 MEDIUM | Fixed           | DoS via extension message parsing                        |
| CVE-2022-3509  | 5.7 MEDIUM | N/A             | Not applicable to MicroEJ Version                        |
| CVE-2021-22569 | 7.5 HIGH   | N/A             | Javalite explicitly exempt                               |
| CVE-2022-3171  | 5.7 MEDIUM | **Not fixable** | DoS via message field merging, in generated code         |
| CVE-2021-22570 | 5.5 MEDIUM | **Not Fixable** | trivial, `protoc` issue when source contains `null` char |

The two CVEs that are not fixable are related to the `protoc` code-generation tool:

- The `CVE-2021-22570` is trivial as the generated code will fail at build-time if the `.proto` file contains `null`
  characters, which should not happen and is the responsibility of the library user.
- **The `CVE-2022-3171` is a Deny-of-Service that cannot be fixed without modifying the generated code.**

**It is thus strongly recommended to migrate to MicroEJ's `Protobuf4` library.**

# Usage

Add the following line to your `build.gradle.kts`:

    implementation("com.google.protobuf3:2.0.0")

Compile your `.proto` files with command line `protoc --java_out=<output_dir> <input_file>`.
**You should use version `3.7.1` of `protoc`.**
Using a more recent version of `protoc` will fail at build-time. Using an older version of `protoc` might cause issues.

**`.proto` files MUST contain the line `option optimize_for = LITE_RUNTIME;`.**
When compiling these files with `protoc`, it will show a warning reading that this option is no longer supported.
This warning should be ignored.

If this library is exposed as Kernel API, the `ProtobufKernel.initialize()` method should be called by the Kernel before
a Feature calls one of the Protobuf APIs.

# Requirements

This library requires the following Foundation Libraries:

- edc 1.3.7

# Dependencies

_All dependencies are retrieved transitively by MicroEJ Module Manager_.

# Source

This library has been forked and adapted
from [Google's Protobuf 3.7.1 library](https://github.com/protocolbuffers/protobuf/releases/tag/v3.7.1).

The version 3.7.1 of `protoc` can be
downloaded [here](https://repo.maven.apache.org/maven2/com/google/protobuf/protoc/3.7.1/).

# Restrictions

This library handles only Java classes generated by the version 3.7.1 of `protoc`.

---  
_Markdown_  
_Copyright 2020-2026 MicroEJ Corp. All rights reserved._  
_This library is provided in source code for use, modification and test, subject to license terms._  
_Any modification of the source code will break MicroEJ Corp. warranties on the whole library._