
Vulnerabilities Detected

Open drma-tech opened this issue 1 year ago • 11 comments

[screenshot]

drma-tech avatar Mar 19 '24 16:03 drma-tech

StrongGrid does not take a direct dependency on any of the three packages on the screenshot you provided. Maybe one of our dependencies does? But which one????

Jericho avatar Mar 19 '24 19:03 Jericho

I know that Pathoschild.Http.FluentClient is referencing System.Net.Http but only if your project is using .netstandard1.3. Does that seem right to you? Is your project targeting .net standard1.x? If so, can you upgrade to a more recent .net? That's probably the easiest and fastest way of getting rid of the vulnerable System.Net.Http reference.

I have no idea where the other two references are coming from though.

Jericho avatar Mar 19 '24 19:03 Jericho

Oh, and by the way, what led you to conclude that these dependencies came from StrongGrid in the first place?

Jericho avatar Mar 19 '24 19:03 Jericho

[three screenshots]

drma-tech avatar Mar 19 '24 19:03 drma-tech

If you open it with Visual Studio, you can easily see this, including where the references come from.

drma-tech avatar Mar 19 '24 19:03 drma-tech

"Transitively referenced by StrongGrid" this pretty much confirms what I said: we don't directly reference any of these packages, but some of our references do.

Like I said, I have a pretty good idea where the System.Net.Http reference comes from but no idea about the other two. And furthermore, the vulnerable System.Net.Http is used only when you target netstandard1.x. Does this apply to your situation? Any chance you can upgrade your platform target(s)?

Jericho avatar Mar 19 '24 19:03 Jericho

As it turns out, all three references are being pulled in by our dependency on Pathoschild.Http.FluentClient:

[screenshot]

Jericho avatar Mar 19 '24 19:03 Jericho
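Tracing a transitive reference without Visual Studio, as an added example that is not code from StrongGrid or from this thread: the script below walks the dependency graph NuGet restore writes to obj/project.assets.json and lists every chain from a direct project reference down to a flagged package. The assets-file layout (targets -> framework -> "Id/Version" -> dependencies, projectFileDependencyGroups -> "Id >= Version") is assumed from current SDK output; the embedded sample is constructed, with placeholder versions and a hypothetical "Upstream.Example" package.

```python
"""Find which direct NuGet reference pulls a given transitive package into a project."""
import json
from collections import deque

# Constructed sample of obj/project.assets.json: package names follow the thread,
# versions are placeholders and "Upstream.Example" is a hypothetical intermediate.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {"net8.0": {
        "StrongGrid/0.0.0-sample": {"type": "package",
            "dependencies": {"Pathoschild.Http.FluentClient": "0.0.0-sample"}},
        "Pathoschild.Http.FluentClient/0.0.0-sample": {"type": "package",
            "dependencies": {"Upstream.Example": "0.0.0-sample"}},
        "Upstream.Example/0.0.0-sample": {"type": "package",
            "dependencies": {"System.Net.Http": "0.0.0-sample"}},
        "System.Net.Http/0.0.0-sample": {"type": "package"},
    }},
    "projectFileDependencyGroups": {"net8.0": ["StrongGrid >= 0.0.0-sample"]},
})


def _graph(assets: dict, framework: str) -> dict:
    """Map package id -> set of package ids it depends on, for one target framework."""
    edges = {}
    for key, entry in assets["targets"][framework].items():
        pkg_id = key.split("/", 1)[0]          # "Id/Version" -> "Id"
        edges[pkg_id] = set(entry.get("dependencies", {}))
    return edges


def dependency_paths(assets_json: str, framework: str, target: str) -> list:
    """Return every chain (list of package ids) from a direct reference to `target`."""
    assets = json.loads(assets_json)
    edges = _graph(assets, framework)
    # Direct references are listed as "Id >= Version"; keep only the id.
    top_level = [d.split()[0] for d in assets["projectFileDependencyGroups"][framework]]
    paths, queue = [], deque([top] for top in top_level)
    while queue:                               # breadth-first walk of the graph
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
            continue
        for dep in sorted(edges.get(path[-1], ())):
            if dep not in path:                # guard against cyclic dependency data
                queue.append(path + [dep])
    return paths


if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_ASSETS, "net8.0", "System.Net.Http"):
        print(" -> ".join(chain))
```

Point it at a real obj/project.assets.json (read the file instead of SAMPLE_ASSETS) and at a package id reported by `dotnet list package --vulnerable --include-transitive` to see which direct reference needs upgrading.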

I'm using .NET 8.0. Not sure if it is using this netstandard.

drma-tech avatar Mar 19 '24 19:03 drma-tech

So, it's just a matter of notifying the owner of this component.

drma-tech avatar Mar 19 '24 19:03 drma-tech

When I open the FluentHttp project in Visual Studio and look at their dependencies, I see this:

[screenshot]

So, while the author of the FluentHttp project might be able to fix the System.Net.Http reference (by dropping support for netstandard1.x, I presume), the other two are being pulled in by even further upstream dependencies.

Jericho avatar Mar 19 '24 19:03 Jericho

Turns out, I was wrong about one specific detail: the FluentHttpClient project is already referencing the patched System.Net.Http package (which is version 4.3.4) as evidenced by:

[screenshot]

So they may have to go upstream to get this transitive reference upgraded.

Jericho avatar Mar 19 '24 19:03 Jericho

FluentHttpClient version 4.4.0 has been released. Upgrading our reference to this new release resolves this warning.

Jericho avatar May 25 '24 13:05 Jericho

:tada: This issue has been resolved in version 0.108.0 :tada:

The release is available on:

Your GitReleaseManager bot :package::rocket:

Jericho avatar May 26 '24 13:05 Jericho