danielpalme / ReportGenerator

ReportGenerator converts coverage reports generated by coverlet, OpenCover, dotCover, Visual Studio, NCover, Cobertura, JaCoCo, Clover, gcov or lcov into human readable reports in various formats.
https://reportgenerator.io
Apache License 2.0

dotnet-reportgenerator-globaltool uses old System.Text.Json and reports CVE-2024-30105 #681

Closed 304NotModified closed 1 month ago

304NotModified commented 1 month ago

Describe the bug When installing the dotnet-reportgenerator-globaltool it uses (indirect) System.Text.Json 8.0.0. This version has CVE-2024-30105. System.Text.Json <= 8.0.3 is unsafe.

System.Text.Json is a dependency of Microsoft.Extensions.Configuration.Json, but there isn't an update of that package.

See also nuget.org https://www.nuget.org/packages/System.Text.Json/#versions-body-tab


To Reproduce Run any vulnerability scanner

Solution Update the tool so it uses System.Text.Json 8.0.4
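A small check for the transitive dependency this issue is about, added here as an example and not code from the ReportGenerator project: it reads the `libraries` section of a .NET `.deps.json` file and flags any System.Text.Json entry below 8.0.4, the version the issue names as fixed for CVE-2024-30105. The sample `.deps.json` is constructed inline and only mimics the real file's layout.

```python
import json

# Per the issue: System.Text.Json versions up to and including 8.0.3 are
# affected by CVE-2024-30105; 8.0.4 is the first fixed version.
VULNERABLE_PACKAGE = "System.Text.Json"
FIXED_VERSION = (8, 0, 4)


def parse_version(text):
    """Turn 'a.b.c' (optionally with a '-prerelease' suffix) into a comparable tuple."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable_packages(deps_json_text, package=VULNERABLE_PACKAGE, fixed=FIXED_VERSION):
    """Return the versions of `package` listed in a .deps.json that are older than `fixed`.

    .deps.json keys its 'libraries' entries as 'Name/Version'; only entries of
    type 'package' (NuGet packages, including transitive ones) are considered.
    """
    deps = json.loads(deps_json_text)
    hits = []
    for name_and_version, meta in deps.get("libraries", {}).items():
        if meta.get("type") != "package":
            continue
        name, _, version = name_and_version.partition("/")
        if name.lower() == package.lower() and parse_version(version) < fixed:
            hits.append(version)
    return sorted(hits, key=parse_version)


# Constructed sample modelled on a tool's .deps.json layout (not a real file
# from any ReportGenerator release); only the fields the check uses are present.
SAMPLE_DEPS_JSON = json.dumps({
    "libraries": {
        "ExampleTool/1.0.0": {"type": "project"},
        "Microsoft.Extensions.Configuration.Json/8.0.0": {"type": "package"},
        "System.Text.Json/8.0.0": {"type": "package"},
    }
})

if __name__ == "__main__":
    for version in find_vulnerable_packages(SAMPLE_DEPS_JSON):
        print(f"{VULNERABLE_PACKAGE} {version} < 8.0.4: affected by CVE-2024-30105")
```

On a real machine, pass the contents of the installed tool's own `.deps.json` (for global tools, found under the `~/.dotnet/tools/.store/` directory) to `find_vulnerable_packages`.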

304NotModified commented 1 month ago

@danielpalme Thanks for the swift response, merge and release!

5.3.8 works correctly 🎉