
Transitive Dependency Vulnerability

Open TronActive opened this issue 2 years ago • 3 comments

I am getting a "Transitive dependency Microsoft.NETCore.Platforms 3.1.0 contains vulnerabilities according to Checkmarx" warning on your library for version 12.2.0. Could you investigate/update this?

TronActive avatar May 12 '23 12:05 TronActive

One of the projects in Antlr4BuildTasks includes the old Core3.1 target, among others, all completely unnecessary.

https://github.com/kaby76/Antlr4BuildTasks/blob/fead9d489106d2956b9c2825427617aea6c08db2/Antlr4BuildTasks/SharpCompress/SharpCompress.csproj#L9

All targets except the netstandard2.1 should be removed.

kaby76 avatar May 12 '23 12:05 kaby76

I'm seeing another transitive vulnerability, reported by NuGet. Microsoft.Build.Framework v17.2.0 depends on an outdated version of System.Security.Permissions, which has a chain of dependencies that eventually lands on a vulnerable version of System.Drawing.Common. Could this be updated to the latest, v17.7.2?

masonwheeler avatar Oct 29 '23 15:10 masonwheeler

  • Updated the package reference.
  • Added Dependabot updates to help avoid these kinds of problems in the future.
  • Release configuration is now the default for this package.
  • Release 12.4.

kaby76 avatar Oct 31 '23 08:10 kaby76
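As an added example (not code from the Antlr4BuildTasks project), a small POSIX shell gate around the NuGet audit masonwheeler's comment refers to, `dotnet list package --vulnerable --include-transitive`, so that a transitive finding like the System.Drawing.Common chain above fails a CI build instead of surfacing only as a warning. The report text it parses is a constructed sample in the command's report layout; the advisory URLs are placeholders.

```shell
#!/bin/sh
# Added example, not from the Antlr4BuildTasks repository.
# Parses the report printed by `dotnet list package --vulnerable --include-transitive`
# and turns any finding into a non-zero exit so a pipeline stops.

# Constructed sample of a report with two transitive findings (placeholder URLs).
SAMPLE_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Antlr4BuildTasks` has the following vulnerable packages
   [netstandard2.1]:
   Transitive Package                Resolved   Severity   Advisory URL
      > System.Drawing.Common        4.7.0      High       https://example.invalid/advisory/PLACEHOLDER-1
      > System.Security.Permissions  4.7.0      Moderate   https://example.invalid/advisory/PLACEHOLDER-2
'

# Constructed sample of a clean report.
CLEAN_REPORT='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `Antlr4BuildTasks` has no vulnerable packages given the current sources.
'

# Read a report on stdin; print each vulnerable package id once per line.
# Finding rows (top-level and transitive alike) start with ">" followed by the id.
vulnerable_packages() {
    awk '$1 == ">" { print $2 }' | sort -u
}

# Read a report on stdin; return 0 when clean, 1 when any package is listed.
check_report() {
    pkgs=$(vulnerable_packages)
    if [ -n "$pkgs" ]; then
        printf 'vulnerable packages found:\n%s\n' "$pkgs" >&2
        return 1
    fi
    return 0
}

# CI entry point: scan a project or solution path with the .NET SDK and gate on it.
# Not invoked here so the script stays runnable without the SDK installed.
scan_project() {
    dotnet list package "$1" --vulnerable --include-transitive | check_report
}
```

Wiring `scan_project path/to/Antlr4BuildTasks.csproj` into the build catches the chain NuGet reported here, including packages pulled in only by a leftover target framework, before a release ships.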