
Dependencies are reported to contain high vulnerabilities

Open WenningQiu opened this issue 7 months ago • 6 comments

NHibernate (5.5.2) brings in dependencies that are reported to contain high vulnerabilities:

[Image: scan report] [Image: scan report]

Can we have a new release that moves away from those vulnerable dependencies? According to this Microsoft blog (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/), all that is needed is to release a new version that targets netstandard2.0.

Thanks.

WenningQiu, May 15 '25 19:05

What do you mean? NHibernate already targets netstandard2.0, and not any lower version.

fredericDelaporte, May 18 '25 15:05

@fredericDelaporte Sorry, my request should be sent to Antlr3.Runtime and Iesi.Collections which are used by NHibernate.

WenningQiu, May 19 '25 13:05

It appears that Antlr3 was replaced by Antlr4 a long time ago, and even Antlr4 does not appear to be actively maintained - no one responds to a similar request (https://github.com/tunnelvisionlabs/antlr4cs/issues/382) there. In fact, https://github.com/tunnelvisionlabs/antlr4cs/issues/381 recommended that end users migrate to Antlr4.Runtime.Standard.

Will NHibernate review those dead dependencies?

WenningQiu, May 19 '25 13:05

Migrating from v3 to v4 seems to be no trivial task, and that would be a prerequisite for migrating to maintained Antlr versions. It would need a contributor available to do this and sufficiently knowledgeable about Antlr. I do not think we currently have one.

Anyway, do these vulnerable dependencies really end up in an actual NHibernate deployment? If yes, we may add a forced dependency on patched versions of the vulnerable dependencies. But affected applications could do so themselves.

fredericDelaporte, May 19 '25 17:05

I believe the vulnerable dependencies are included in application deployment, but I am not sure if they actually get used at runtime; however, they show up on security scanning reports and pressure is put on our dev teams.

A forced dependency is one of the solutions mentioned in the MS blog I sent, although not an ideal one. But if we go with a forced dependency as a temporary mitigation, it might be better to do it close to the source of the vulnerabilities than in applications.

WenningQiu, May 19 '25 19:05

The latest version of Iesi.Collections already defines target frameworks which fix the dependency issue. NHibernate should update its dependency to Iesi.Collections, but until then you can reference the latest version of Iesi.Collections directly.

For Antlr3.Runtime you can reference the latest version of NETStandard.Library to remove the unneeded dependencies.

cremor, May 26 '25 07:05
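As an added illustration of the two application-side workarounds described in this thread (direct references to newer Iesi.Collections and NETStandard.Library, plus the NuGetAudit 2.0 transitive auditing mentioned in the first post), here is a hypothetical consumer project file. It is not code from the NHibernate project or from any commenter. It relies on NuGet's nearest-wins resolution: a package referenced directly by the project takes precedence over the version a dependency declares transitively. The target framework, project layout and the Iesi.Collections version are placeholders; take the current versions from nuget.org and pin them.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- NuGetAudit 2.0 settings: also report vulnerabilities in transitive packages
         (the ones flagged in this issue are transitive, not direct references),
         and fail the build on high or critical findings instead of relying on
         someone reading a scanner report later. NU1903/NU1904 are the NuGet
         warning codes for high and critical audit findings. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>high</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="NHibernate" Version="5.5.2" />

    <!-- Workaround 1 (cremor): a direct reference to a newer Iesi.Collections wins
         over the older version NHibernate 5.5.2 declares transitively, and that
         newer package targets frameworks that no longer drag in the flagged graph.
         "4.*" is a placeholder floating version; replace it with a pinned version
         so restores stay deterministic. -->
    <PackageReference Include="Iesi.Collections" Version="4.*" />

    <!-- Workaround 2 (cremor): the old NETStandard.Library that Antlr3.Runtime
         pulls in expands into many System.* packages. Referencing the latest
         NETStandard.Library metapackage directly replaces it; for a
         netstandard2.0-or-later consumer that metapackage declares no further
         package dependencies, so the unneeded System.* packages drop out. -->
    <PackageReference Include="NETStandard.Library" Version="2.0.3" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` shows what is still flagged, which is the check to run before and after adding the two references. This remains a mitigation in the consuming application; the thread's point that a durable fix belongs closer to the source (NHibernate updating its Iesi.Collections dependency, or an Antlr migration) still stands.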