Open christopher-gill opened 5 years ago
Hi,
I've just tested this with the latest release 5.2.0 and it still seems to be happening.
Note I've downloaded the bintray version
Using 5.2.0 I just ran:

```
dotnet add package HangFire.SqlServer --version 1.7.5
dotnet publish
dependency-check.sh -s . -o reports
```

The only identifier is the package-url (i.e. no CPE was identified):

```
pkg:nuget/HangFire.SqlServer@1.7.5 (Confidence:Highest)
```
How is your project setup?
We're using Hangfire.SqlServer.1.6.19

```
MD5: 3eefc49896999c2fb081ccbb3997557e
SHA1: 654bb005fc6a1968a78a6d5354406a46f6ace8c3
SHA256: 1730229e234c85445ea7ee795dfda9e77d01c8a179d0053772162fb277297bf8

Evidence Identifiers
cpe:2.3:a:sqlserver_project:sqlserver:1.6.19:*:*:*:*:*:*:* (Confidence:High)

Published Vulnerabilities
CVE-2017-16055
sqlserver was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CWE-200 Information Exposure
CVSSv2:
  Base Score: MEDIUM (5.0)
  Vector: /AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSSv3:
  Base Score: HIGH (7.5)
  Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
```
That I understand - what I meant is: are you dotnet core, msbuild, etc.? What are your actual build tools and dependency management system? For example, looking at https://www.nuget.org/packages/Hangfire.SqlServer/ they list package manager, .net cli, package reference, or paket cli.
We're using .net 4.5, msbuild & nuget for our package management system
False positive:
Detecting this library as a node package. Possibly the same as reported in https://github.com/jeremylong/DependencyCheck/issues/1388
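As an added illustration (not part of this issue thread, and not dependency-check's own code): a Python triage script that reads a dependency-check JSON report, flags NuGet packages matched to a CPE whose vendor does not correspond to the package's publisher prefix (the `sqlserver_project` vs. `Hangfire.SqlServer` mismatch reported above), and generates a suppression-file entry pinned to both the package-url and the CPE, so the false positive is silenced for that package only and later real findings are not hidden. The sample report is constructed to mirror the excerpt in the thread; the JSON layout (`dependencies[].packages[].id` for the package-url, `dependencies[].vulnerabilityIds[].id` for the CPE) is assumed to follow dependency-check 5.x, and the publisher-prefix heuristic is mine, not a rule dependency-check itself applies.

```python
import re
from xml.sax.saxutils import escape

# Namespace of the dependency-check suppression schema (version 1.3).
SUPPRESSION_NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Constructed sample report, modelled on the excerpt posted in the issue.
# Assumption: dependency-check 5.x JSON layout for packages / vulnerabilityIds.
SAMPLE_REPORT = {
    "dependencies": [
        {
            "fileName": "Hangfire.SqlServer.1.6.19.nupkg",
            "sha1": "654bb005fc6a1968a78a6d5354406a46f6ace8c3",
            "packages": [{"id": "pkg:nuget/Hangfire.SqlServer@1.6.19", "confidence": "HIGHEST"}],
            "vulnerabilityIds": [
                {"id": "cpe:2.3:a:sqlserver_project:sqlserver:1.6.19:*:*:*:*:*:*:*", "confidence": "HIGH"}
            ],
            "vulnerabilities": [{"name": "CVE-2017-16055", "source": "NVD"}],
        },
        {
            # Constructed second entry with a CPE whose vendor matches the publisher prefix.
            "fileName": "Newtonsoft.Json.12.0.3.nupkg",
            "sha1": "0000000000000000000000000000000000000000",  # placeholder, not a real digest
            "packages": [{"id": "pkg:nuget/Newtonsoft.Json@12.0.3", "confidence": "HIGHEST"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:newtonsoft:json:12.0.3:*:*:*:*:*:*:*", "confidence": "LOW"}],
            "vulnerabilities": [],
        },
    ]
}


def parse_purl(purl):
    """Return (name, version) for a NuGet package-url, or None for any other type."""
    m = re.match(r"^pkg:nuget/([^@]+)@(.+)$", purl)
    return (m.group(1), m.group(2)) if m else None


def parse_cpe23(cpe):
    """Return (vendor, product) from a cpe:2.3 string, or None if it is not one."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return parts[3], parts[4]


def is_suspect(nuget_name, vendor):
    """Heuristic (mine): the first dotted segment of a NuGet id is normally the
    publisher (Hangfire.SqlServer -> Hangfire). A CPE whose vendor does not contain
    that prefix, or whose vendor is an NVD '<product>_project' placeholder (typical
    of npm-only CPEs), deserves a human look before the finding is believed."""
    owner = nuget_name.split(".")[0].lower()
    v = vendor.lower()
    return owner not in v or v.endswith("_project")


def find_suspect_matches(report):
    """Collect NuGet dependencies whose CPE match fails the publisher heuristic."""
    suspects = []
    for dep in report.get("dependencies", []):
        purls = [p["id"] for p in dep.get("packages", []) if p["id"].startswith("pkg:nuget/")]
        if not purls:
            continue
        name, _version = parse_purl(purls[0])
        for vid in dep.get("vulnerabilityIds", []):
            parsed = parse_cpe23(vid["id"])
            if parsed and is_suspect(name, parsed[0]):
                suspects.append({
                    "fileName": dep.get("fileName"),
                    "sha1": dep.get("sha1"),
                    "purl": purls[0],
                    "cpe": vid["id"],
                    "cves": [v["name"] for v in dep.get("vulnerabilities", [])],
                })
    return suspects


def build_suppressions(suspects):
    """Emit a dependency-check suppression file: each entry is scoped to the
    package-url (any version of that package) and the specific vendor:product CPE."""
    entries = []
    for s in suspects:
        vendor, product = parse_cpe23(s["cpe"])
        name, _ = parse_purl(s["purl"])
        entries.append(
            "  <suppress>\n"
            f"    <notes><![CDATA[file name: {s['fileName']}; CPE vendor does not match NuGet publisher]]></notes>\n"
            f"    <packageUrl regex=\"true\">^pkg:nuget/{escape(re.escape(name))}@.*$</packageUrl>\n"
            f"    <cpe>cpe:/a:{escape(vendor)}:{escape(product)}</cpe>\n"
            "  </suppress>"
        )
    body = "\n".join(entries)
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<suppressions xmlns="{SUPPRESSION_NS}">\n{body}\n</suppressions>\n'
    )


if __name__ == "__main__":
    found = find_suspect_matches(SAMPLE_REPORT)
    for s in found:
        print(f"REVIEW: {s['purl']} matched {s['cpe']} (CVEs: {', '.join(s['cves']) or 'none'})")
    print(build_suppressions(found))
```

Run it against a real report with `dependency-check.sh ... -f JSON` and feed the generated XML back in with `--suppression`; suppressing by package-url plus CPE, rather than by CVE alone, keeps the rule narrow and lets any genuine NuGet advisory for the same package still surface.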