DbUp / dbup-mysql

MySQL provider for DbUp
MIT License

CVE-2021-24112 | System.Drawing.Common #2

Closed mschaefer-gresham closed 3 months ago

mschaefer-gresham commented 1 year ago

Please fix this security vulnerability.

sungam3r commented 1 year ago

Rel: DbUp/DbUp#404

sungam3r commented 1 year ago

I see no references to System.Drawing.Common. Please reopen with additional info if any.

paleocomburo commented 1 year ago

It's not a direct inclusion, but a transient one. dbup-mysql 5.0.37 uses MySql.Data 8.0.33, which uses System.Threading.Tasks.Extensions 4.5.4, which uses System.Drawing.Common 4.7.0.

There is a work-around: reference a newer version of System.Drawing.Common in your application. That seems to satisfy my scanner at least. You could also consider referencing a newer version in the dbup-mysql library. But ultimately it should be fixed in MySql.Data.

mjauernig commented 12 months ago

Would MySql.Data 8.2.0 fix this?

paleocomburo commented 12 months ago

Doesn't look like it:

$ cat .\ConsoleApp1.csproj
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="MySql.Data" Version="8.2.0" />
  </ItemGroup>

</Project>

$ dotnet list package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/kpn/_packaging/iTV-Nuget/nuget/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `ConsoleApp1` has the following vulnerable packages
   [net7.0]:
   Transitive Package           Resolved   Severity   Advisory URL
   > System.Drawing.Common      4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
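
As an added illustration of the work-around paleocomburo describes earlier in the thread (a direct reference to a patched System.Drawing.Common, which NuGet's nearest-wins resolution prefers over the transitive 4.7.0) and of the check shown in the output above, here is a project file that is not from this thread or from the dbup-mysql project. The dbup-mysql version comes from the thread; 4.7.2 as the patched floor for GHSA-rxg9-xrhp-64gj (CVE-2021-24112) is an assumption to confirm against the advisory before pinning.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <!-- Added example, not from the dbup-mysql project or this thread.
       Assumed versions: dbup-mysql 5.0.37 (as reported in the thread) and
       System.Drawing.Common 4.7.2 as the patched floor for GHSA-rxg9-xrhp-64gj;
       verify the floor against the advisory before relying on it. -->
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net7.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>

  <ItemGroup>
    <!-- Brings in MySql.Data and, transitively, System.Drawing.Common 4.7.0. -->
    <PackageReference Include="dbup-mysql" Version="5.0.37" />

    <!-- Work-around: a direct reference is nearer in the graph than the transitive
         one, so NuGet resolves System.Drawing.Common to this version for the whole
         project. Remove this line once the upstream chain no longer pulls in 4.7.0. -->
    <PackageReference Include="System.Drawing.Common" Version="4.7.2" />
  </ItemGroup>
</Project>
```

After `dotnet restore`, re-run `dotnet list package --vulnerable --include-transitive`; the System.Drawing.Common row should no longer appear. This only changes the consuming application's graph: the same direct reference inside dbup-mysql would pass the fix on to its consumers, but as the thread notes the root cause remains in MySql.Data until that package stops depending on the old version.
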

droyad commented 3 months ago

All dependencies have been updated in #15