
KaitaiStruct.Runtime.CSharp v0.10.0 contains indirect vulnerable references

Status: Open. Kielek opened this issue 1 year ago • 0 comments

.NET 9 will bring an extended audit for vulnerable references, including all indirect references. It can also be replicated on older versions by compiling projects with the following options:

    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

Preparing the OTel contrib repository for this reveals that KaitaiStruct.Runtime.CSharp v0.10.0 brings:

  • 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
  • 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

The issue is valid for all available targets, netstandard1.3 and net4.5.

Fix: Drop support for both netstandard1.3 and net4.5. Replace them with net6.0 and net462. This should cover all supported .NET versions. If needed, it can also be extended with netstandard2.0. The next step is to release a newer version.

Workaround: Manually pin the packages to a non-vulnerable version.

Kielek · Sep 10 '24 11:09
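As an added illustration that is not part of the issue or the project's own code, a consuming project file that turns on the transitive audit described above, makes audit findings fail the build, and applies the pinning workaround. The target framework and the `PATCHED_VERSION` placeholders are assumptions; the fixed versions come from the two advisories linked in the issue, not from this example.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed consumer target; not taken from the issue. -->
    <TargetFramework>net8.0</TargetFramework>

    <!-- Same audit settings as in the issue: check direct and transitive
         packages, down to low-severity advisories. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Turn the audit warnings (low/moderate/high/critical) into restore
         errors so CI cannot silently ship a known-vulnerable dependency. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package that pulls in the vulnerable transitive references. -->
    <PackageReference Include="KaitaiStruct.Runtime.CSharp" Version="0.10.0" />

    <!-- Workaround from the issue: a direct PackageReference wins over the
         transitive version NuGet would otherwise resolve, so these two lines
         lift System.Net.Http and System.Text.RegularExpressions above 4.3.0.
         PATCHED_VERSION is a placeholder; use the fixed version named in
         GHSA-7jgj-8wvc-jh57 and GHSA-cmhx-cq75-c4mj respectively. -->
    <PackageReference Include="System.Net.Http" Version="PATCHED_VERSION" />
    <PackageReference Include="System.Text.RegularExpressions" Version="PATCHED_VERSION" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` confirms whether the pins actually removed the flagged versions from the resolved graph; remove the direct references once a KaitaiStruct.Runtime.CSharp release no longer depends on them.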