dotnet / SqlClient

Microsoft.Data.SqlClient provides database connectivity to SQL Server for .NET applications.
MIT License
842 stars 281 forks

Reference to vulnerable NuGet package System.Formats.Asn1 #2832

Closed DW-MaximV closed 3 weeks ago

DW-MaximV commented 4 weeks ago

Describe the bug

The current version of Microsoft.Data.SqlClient has an (indirect) reference on a vulnerable NuGet package: Microsoft.Data.SqlClient 5.2.2 -> System.Security.Cryptography.Cng 5.0.0 -> System.Formats.Asn1 5.0.0

To reproduce

  1. Create a new netcoreapp3.1 project.
  2. Add a reference to Microsoft.Data.SqlClient
  3. Run dotnet list package --include-transitive --vulnerable

The output shows vulnerable package System.Formats.Asn1 5.0.0

Expected behavior

No deprecated package should be found.

Further technical details

Microsoft.Data.SqlClient version: 5.2.2
.NET target: netcoreapp3.1
SQL Server version: not relevant
Operating system: not relevant

Additional context

Related to https://github.com/dotnet/SqlClient/issues/2048
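Added example, not code from the issue or from the SqlClient project: a POSIX sh helper that turns the check from step 3 of the reproduction into a build gate by parsing the table that dotnet list package --include-transitive --vulnerable prints and failing when any package line is listed. The sample output embedded below is constructed to mimic the command's layout; the severity and advisory URL in it are placeholders, not values reported in this thread.

```shell
#!/bin/sh
# Gate a CI job on `dotnet list package --include-transitive --vulnerable`.
# The command is not run here; SAMPLE_OUTPUT is a constructed stand-in for its
# output so the helper can be exercised offline. Severity and advisory URL are
# placeholders (assumption), not values from the issue.

SAMPLE_OUTPUT='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `App` has the following vulnerable packages
   [netcoreapp3.1]:
   Transitive Package      Resolved   Severity   Advisory URL
   > System.Formats.Asn1   5.0.0      High       https://example.invalid/advisory-placeholder
'

# Print "name version" for every package row. The tool marks each package
# row (top-level or transitive) with a leading ">", so that is the selector.
vulnerable_packages() {
    printf '%s\n' "$1" | awk '$1 == ">" { print $2, $3 }'
}

# Return 0 when the output lists no vulnerable packages, 1 otherwise.
# The offending packages are written to stderr for the CI log.
check_vulnerable() {
    found=$(vulnerable_packages "$1")
    if [ -n "$found" ]; then
        printf 'Vulnerable packages found:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Real usage in a pipeline (assumes the dotnet SDK is installed):
#   check_vulnerable "$(dotnet list package --include-transitive --vulnerable 2>&1)" || exit 1
```

Because the gate keys on the ">" row marker rather than on a package name, it catches whichever transitive package the tool flags, including ones pulled in by a later version of the driver, not just System.Formats.Asn1.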

ErikEJ commented 4 weeks ago

.NET Core 3.1 is out of support

JRahnama commented 3 weeks ago

@DW-MaximV The minimum .NET version in Microsoft.Data.SqlClient v5.2.2 is .NET 6, so you cannot downgrade to an earlier version. If you insist on using .NET Core 3.1, you will need to use Microsoft.Data.SqlClient v3.1. However, please note that this version has some vulnerabilities, and we were unable to simply bump the major versions of dependencies due to semantic versioning reasons.

DW-MaximV commented 3 weeks ago

@JRahnama OK, I understand.