kurtschelfthout
commented
1 month ago Looks like old .NET Framework dependencies. Please update to FsCheck v3.x.
Open kiljoy001 opened 1 month ago
kurtschelfthout
commented
1 month ago Looks like old .NET Framework dependencies. Please update to FsCheck v3.x.
bartelink
commented
1 month ago https://www.nuget.org/packages/FsCheck/3.0.0-rc3#dependencies-body-tab https://www.nuget.org/packages/FsCheck.xunit/3.0.0-rc3#dependencies-body-tab
Note that you'll end up in a world of pain if you go too far down this rabbit hole though - just because some random xunit assembly touches a net fw assembly does not mean your code does; test assemblies are not part of your deployed prod code attack surface
As such, they should not be included in these scans
Of course, if your actual app code references xunit/fscheck, then you've got bigger problems...
kiljoy001
commented
1 month ago I went ahead and updated to the release candidate, some issues remain, however:
To be fair, I am not using the library directly in my project but as a testing framework, however, I think it is good to let you know that these issues exist.
bartelink
commented
1 month ago The point here though is that you're using FsCheck.Xunit, which is a library that you use to hook a property test into xunit via Property
you'll get identical results from using xunit itself directly via Fact
The bottom line here is that the fix is to exclude tests from the scanning as:
Once again: the real answer here is that you need to remove test assemblies from your scans.
There is no direct problem with FsCheck of any Kind
There is an indirect one in Xunit
But the real problem is that you are scanning non production assemblies for vulerabilities
These have been flagged by synk, not sure if they are fixable, but they are problematic and serious issues.