Vulnerability in System.Private.Uri as result of dependency on System.Collections.Concurrent/4.3.0
Hi,
We're running a sysdig security scan which is reporting two vulnerabilities in system.private.uri/4.3.0 - https://github.com/advisories/GHSA-xhfc-gr8f-ffwc and https://github.com/advisories/GHSA-5f2m-466j-3848
I believe I've tracked it down to the dependency that sqlkata/querybuilder has on System.Collections.Concurrent/4.3.0
System.Collections.Concurrent 4.3.0
depends on System.Runtime 4.3.0,
which in turn depends on runtime.any.System.Runtime 4.3.0 (if you specify a RuntimeIdentifier like linux-x64),
which in turn depends on a vulnerable package System.Private.Uri 4.3.0.
Please also see similar issues https://github.com/dotnet/runtime/issues/86671 and https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2086 for System.Text.Encoding.
I'm not certain under what circumstances System.Collections.Concurrent/4.3.0 is needed as of .NET 6+, but I'd be grateful if someone could have a look to see whether it is still necessary. If it is, it would be nice to know the best way to fix the vulnerability.
Thanks
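The transitive chain described in this issue can be checked mechanically rather than by hand. The following is an added example, not code from the issue or from SqlKata: it walks a dependency graph constructed here to mirror the chain above (package names and the two advisory ids are taken from the issue; the `SqlKata` root node and the `needs_rid` edge flag are assumptions) and reports every path from the project's direct dependency to a flagged package, with and without a RuntimeIdentifier set.

```python
# Added example (not from the issue or SqlKata): enumerate transitive dependency
# paths to a flagged package. The graph is constructed here to mirror the chain
# in the issue; a real tool would load it from project.assets.json instead.
from typing import Dict, List, Tuple

# package -> [(dependency, needs_rid)]; needs_rid marks an edge that restore
# only adds when a RuntimeIdentifier (e.g. linux-x64) is specified.
Graph = Dict[str, List[Tuple[str, bool]]]

DEPENDENCY_GRAPH: Graph = {
    "SqlKata": [("System.Collections.Concurrent/4.3.0", False)],
    "System.Collections.Concurrent/4.3.0": [("System.Runtime/4.3.0", False)],
    "System.Runtime/4.3.0": [("runtime.any.System.Runtime/4.3.0", True)],
    "runtime.any.System.Runtime/4.3.0": [("System.Private.Uri/4.3.0", False)],
    "System.Private.Uri/4.3.0": [],
}

# Advisories the scanner reported, as quoted in the issue.
FLAGGED = {"System.Private.Uri/4.3.0": ["GHSA-xhfc-gr8f-ffwc", "GHSA-5f2m-466j-3848"]}


def find_paths(graph: Graph, root: str, target: str, rid_set: bool) -> List[List[str]]:
    """Return every simple path from root to target, honouring RID-only edges."""
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == target:
            paths.append(trail)
            return
        for dep, needs_rid in graph.get(node, []):
            if needs_rid and not rid_set:
                continue  # edge is absent when no RuntimeIdentifier is specified
            if dep in trail:
                continue  # guard against cyclic package graphs
            walk(dep, trail + [dep])

    walk(root, [root])
    return paths


def report(graph: Graph, root: str, flagged: Dict[str, List[str]], rid_set: bool) -> Dict[str, List[List[str]]]:
    """Map each reachable flagged package to the dependency paths that pull it in."""
    return {pkg: p for pkg in flagged if (p := find_paths(graph, root, pkg, rid_set))}


if __name__ == "__main__":
    for rid in (False, True):
        print(f"RuntimeIdentifier set: {rid}")
        for pkg, paths in report(DEPENDENCY_GRAPH, "SqlKata", FLAGGED, rid).items():
            print(f"  {pkg} ({', '.join(FLAGGED[pkg])}):")
            for path in paths:
                print("    " + " -> ".join(path))
```

Without a RuntimeIdentifier the report is empty, because the runtime.any.System.Runtime edge is never added; with one set, the single path matches the chain in the issue.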