SonarSource / sonar-dotnet

Code analyzer for C# and VB.NET projects
https://redirect.sonarsource.com/plugins/csharp.html
GNU Lesser General Public License v3.0

Vulnerability issue due to Google.Protobuf (CVE-2021-22570) #9660

Closed AdaskoTheBeAsT closed 2 months ago

AdaskoTheBeAsT commented 2 months ago

Hi,

could you please upgrade the Google.Protobuf dependency to the latest one

due to https://www.mend.io/vulnerability-database/CVE-2021-22570


Unfortunately, it is reported by Mend.

pavel-mikula-sonarsource commented 2 months ago

Hi @AdaskoTheBeAsT,

We cannot, unfortunately, because the new version does not work well on .NET Framework environments, causing the analysis (build time) to slow down by dozens of minutes, or hours in some cases.

The CVE finding in our analyzer is a False Positive, because the analyzer doesn't deserialize any protobuf files. So you are not at any risk.