JonPSmith / EfCore.TestSupport

Tools for helping in unit testing applications that use Entity Framework Core
https://www.thereformedprogrammer.net/new-features-for-unit-testing-your-entity-framework-core-5-code/

Security Vulnerability in EfCore.TestSupport v5.0.0 #45

Closed ghosh9691 closed 3 years ago

ghosh9691 commented 3 years ago

Thank you for this library!

Wanted to bring to your notice that due to the inclusion of System.Net.Http v4.3.0 in your library, it is being flagged as a security risk due to this CVE - https://github.com/dotnet/announcements/issues/88. Hopefully, you will be able to resolve this soon.

ghosh9691 commented 3 years ago

The recommendation is to update to v4.3.4 of the library. That one does not have any known vulnerabilities.

JonPSmith commented 3 years ago

Hi @ghosh9691,

Why do you say that this library contains System.Net.Http? I don't see that in the references.

ghosh9691 commented 3 years ago

The xunit.assert v2.4.1 library pulls in System.Net.Http v4.3.0 as a transitive dependency (via NETStandard Library 1.61). This can be resolved by pulling in System.Net.Http 4.3.4 directly in your project. I have also opened an issue with the Xunit team.

JonPSmith commented 3 years ago

Thanks. Can you add a link to the issue you opened with the Xunit team, as it's better if I update the xunit.assert library.

ghosh9691 commented 3 years ago

Here's the issue: https://github.com/xunit/xunit/issues/2294. Doesn't look like they will resolve it any time soon. Unfortunately, that means that I will likely need to stop using XUnit. Given the current climate of companies and organizations being constantly hacked, particularly by state-backed hackers, using a software product with identified Critical or High vulnerabilities is starting to become a big issue in the corporate world. Too bad! I really loved your library. Will continue using it for my personal projects. Keep up the good work.

JonPSmith commented 3 years ago

I have subscribed to the xunit/xunit#2294 issue, but my recommendation is the same as they gave you - install the updated System.Net.Http in your system and that will override the version in the NuGet package.

PS. Because this library is in netstandard2.1, it's very likely in lots of NuGet packages. Roll on net6 when lots of libraries will start using netN as their TargetFramework.
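The override described in this thread, as an added example and not a file from the EfCore.TestSupport repository: a constructed test-project `.csproj` that references xunit.assert 2.4.1 (which transitively brings in System.Net.Http 4.3.0) and adds a direct reference to System.Net.Http 4.3.4 so that NuGet's nearest-wins resolution selects the patched version. The target framework and package set are assumptions for illustration.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; netstandard2.1 matches the library under discussion -->
    <TargetFramework>netstandard2.1</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Transitively depends on NETStandard.Library 1.6.1, which brings in
         System.Net.Http 4.3.0 (the flagged version) -->
    <PackageReference Include="xunit.assert" Version="2.4.1" />

    <!-- Direct reference to the patched version. A direct reference is
         "nearer" than a transitive one, so NuGet resolves the graph to 4.3.4
         and the vulnerable 4.3.0 no longer appears in project.assets.json -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --include-transitive` (and, on SDK 5.0.200 or later, `dotnet list package --vulnerable --include-transitive`) shows which System.Net.Http version was actually resolved.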

ghosh9691 commented 3 years ago

Thank you.