microsoft / DacFx

DacFx, SqlPackage, and other SQL development libraries enable declarative database development and database portability across SQL versions and environments. Share feedback here on dacpacs, bacpacs, and SQL projects.
https://aka.ms/sqlpackage-ref
MIT License

sqlpackage is still susceptible to the "fixed" dotnet vulns #522

Closed marlenkassym closed 4 days ago

marlenkassym commented 2 weeks ago

Steps to Reproduce:

  1. Install the above version of sqlpackage
  2. Run Defender for Cloud vulnerability scanner

Did this occur in prior versions? If not - which version(s) did it work in?

(DacFx/SqlPackage/SSMS/Azure Data Studio)

CVE-2024-43484 and CVE-2024-43485 are still being detected by DfC for sqlpackage 162.4.92.3, despite being fixed in .NET Core versions 8.0.1 and 8.0.5 respectively. Can advice be given on whether it is a false positive or a bug planned to be addressed? Thanks.

Evidence: /usr/share/sqlpackage/sqlpackage.deps.json
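One way to triage a finding like this from the deps.json the scanner cites, as an added example (Python, not code from the issue or from the DacFx project): it lists the package versions a .NET deps.json bundles and flags any that sit below the version carrying the fix. The sample deps.json here is constructed, and the package-to-version map is my assumption about which .NET packages these two CVEs concern, so set it from the advisory you are checking against.

```python
import json

# Constructed sample fragment of a sqlpackage.deps.json (not the file from the
# issue). It follows the .NET deps.json layout: targets -> framework -> "Name/Version".
SAMPLE_DEPS_JSON = """
{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "sqlpackage/162.4.92.3": {
        "dependencies": {"System.Text.Json": "8.0.4", "System.IO.Packaging": "8.0.0"}
      },
      "System.Text.Json/8.0.4": {"runtime": {"lib/net8.0/System.Text.Json.dll": {}}},
      "System.IO.Packaging/8.0.0": {"runtime": {"lib/net8.0/System.IO.Packaging.dll": {}}},
      "Microsoft.Data.SqlClient/5.1.5": {"runtime": {"lib/net6.0/Microsoft.Data.SqlClient.dll": {}}}
    }
  }
}
"""

# Assumption: minimum package version that carries each fix, keyed by package name.
# These names come from my reading of the advisories, not from the issue text.
MIN_FIXED = {
    "System.IO.Packaging": ("8.0.1", "CVE-2024-43484"),
    "System.Text.Json": ("8.0.5", "CVE-2024-43485"),
}

def parse_version(v):
    """Turn '8.0.4' or '8.0.5-preview.1' into a comparable tuple (numeric part only)."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))

def bundled_packages(deps_text):
    """Return {name: version} for every 'Name/Version' entry under each target."""
    doc = json.loads(deps_text)
    found = {}
    for target in doc.get("targets", {}).values():
        for key in target:
            name, _, version = key.partition("/")
            if version:
                found[name] = version
    return found

def find_unpatched(deps_text, min_fixed=MIN_FIXED):
    """List (package, bundled_version, required_version, cve) for packages below the fix."""
    hits = []
    for name, version in bundled_packages(deps_text).items():
        if name in min_fixed:
            required, cve = min_fixed[name]
            if parse_version(version) < parse_version(required):
                hits.append((name, version, required, cve))
    return sorted(hits)
```

An empty result for the installed sqlpackage's deps.json points to a scanner false positive; a non-empty one shows which bundled package still needs the update.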

llali commented 2 weeks ago

@marlenkassym, this is fixed in 162.5; you can verify it in version 162.5.46-preview.