
CVE issues from use of old libraries

Open kiljoy001 opened this issue 1 year ago • 4 comments


These have been flagged by Snyk; not sure if they are fixable, but they are problematic and serious issues.

kiljoy001 avatar May 30 '24 01:05 kiljoy001

Looks like old .NET Framework dependencies. Please update to FsCheck v3.x.

kurtschelfthout avatar May 30 '24 07:05 kurtschelfthout

https://www.nuget.org/packages/FsCheck/3.0.0-rc3#dependencies-body-tab https://www.nuget.org/packages/FsCheck.xunit/3.0.0-rc3#dependencies-body-tab

Note that you'll end up in a world of pain if you go too far down this rabbit hole though - just because some random xunit assembly touches a .NET Framework assembly does not mean your code does; test assemblies are not part of your deployed prod code attack surface.

As such, they should not be included in these scans.

Of course, if your actual app code references xunit/fscheck, then you've got bigger problems...

bartelink avatar May 30 '24 07:05 bartelink

I went ahead and updated to the release candidate; some issues remain, however. To be fair, I am not using the library directly in my project but as a testing framework; however, I think it is good to let you know that these issues exist.

kiljoy001 avatar May 30 '24 16:05 kiljoy001

The point here though is that you're using FsCheck.Xunit, which is a library that you use to hook a property test into xunit via Property; you'll get identical results from using xunit itself directly via Fact.

The bottom line here is that the fix is to exclude tests from the scanning as:

  • some xunit assemblies have a transitive reference to something that might be bad
  • xunit does not actually use those (go look in the xunit repo for people reporting this issue over there)

Once again: the real answer here is that you need to remove test assemblies from your scans.

There is no direct problem with FsCheck of any kind.

There is an indirect one in xunit.

But the real problem is that you are scanning non-production assemblies for vulnerabilities.

bartelink avatar May 30 '24 16:05 bartelink
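One way to act on the advice above (scan only assemblies that ship) is to classify each project file before handing it to the scanner. The script below is an added example for this thread, not code from FsCheck or xunit; the two project files and the list of test-framework package names are constructed for illustration, and the `IsTestProject` property is the one Microsoft.NET.Test.Sdk sets on test projects.

```python
"""Classify .NET projects as test or production so that dependency
vulnerability scans can be limited to assemblies that actually ship.
Added example for this issue thread; sample project files are constructed."""
import xml.etree.ElementTree as ET

# Package references that mark a project as a test assembly (illustrative set).
TEST_PACKAGES = {"microsoft.net.test.sdk", "xunit", "xunit.runner.visualstudio",
                 "fscheck.xunit", "nunit", "mstest.testframework"}


def is_test_project(csproj_xml: str) -> bool:
    """True when the project sets <IsTestProject>true</IsTestProject>
    or references a known test-framework package."""
    root = ET.fromstring(csproj_xml)
    for prop in root.iter("IsTestProject"):
        if (prop.text or "").strip().lower() == "true":
            return True
    for ref in root.iter("PackageReference"):
        if (ref.get("Include") or "").lower() in TEST_PACKAGES:
            return True
    return False


def production_projects(projects: dict) -> list:
    """Given {path: csproj contents}, return the sorted paths worth scanning."""
    return sorted(p for p, xml in projects.items() if not is_test_project(xml))


# Constructed sample project files (not from any real repository).
APP_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

TEST_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
    <PackageReference Include="FsCheck.Xunit" Version="3.0.0-rc3" />
  </ItemGroup>
</Project>"""

SAMPLE = {"src/App/App.csproj": APP_CSPROJ,
          "tests/App.Tests/App.Tests.csproj": TEST_CSPROJ}

if __name__ == "__main__":
    # Only the shipping project is passed on to the vulnerability check.
    for path in production_projects(SAMPLE):
        print(f"dotnet list {path} package --vulnerable --include-transitive")
```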

Closing as nothing to do here.

kurtschelfthout avatar Aug 31 '24 13:08 kurtschelfthout