mono / SkiaSharp

SkiaSharp is a cross-platform 2D graphics API for .NET platforms based on Google's Skia Graphics Library. It provides a comprehensive 2D API that can be used across mobile, server and desktop models to render images.
MIT License

Vulnerabilities detected in libskiasharp.dll when scanned using Blackduck Binary Scan #2336

Closed Sayeeganesh closed 1 year ago

Sayeeganesh commented 1 year ago

We have the below vulnerabilities reported by the Blackduck Binary scan. Can you please check and advise on this?


| Component | Version | Latest version | CVE | Matching type | CVSS | Object | CVSS3 | Vulnerability URL | Criticality |
| -- | -- | -- | -- | -- | -- | -- | -- | -- | -- |
| expat | | 2.5.0 | CVE-2022-25315 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-25315 | Critical |
| expat | | 2.5.0 | CVE-2022-25236 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-25236 | Critical |
| expat | | 2.5.0 | CVE-2022-25235 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-25235 | Critical |
| expat | | 2.5.0 | CVE-2022-23852 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-23852 | Critical |
| expat | | 2.5.0 | CVE-2022-22824 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22824 | Critical |
| expat | | 2.5.0 | CVE-2022-22823 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22823 | Critical |
| expat | | 2.5.0 | CVE-2022-22822 | Exact match (timestamp) | 7.5 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22822 | Critical |
| expat | | 2.5.0 | CVE-2022-40674 | Exact match (timestamp) | 0 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-40674 | Critical |
| zlib | 1.2.11 | 1.2.13 | CVE-2022-37434 | Exact match | 0 | libSkiaSharp.dll | 9.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-37434 | Critical |
| expat | | 2.5.0 | CVE-2021-45960 | Exact match (timestamp) | 9 | libSkiaSharp.dll | 8.8 | http://nvd.nist.gov/vuln/detail/CVE-2021-45960 | High |
| expat | | 2.5.0 | CVE-2022-22827 | Exact match (timestamp) | 6.8 | libSkiaSharp.dll | 8.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22827 | High |
| expat | | 2.5.0 | CVE-2022-22826 | Exact match (timestamp) | 6.8 | libSkiaSharp.dll | 8.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22826 | High |
| expat | | 2.5.0 | CVE-2022-22825 | Exact match (timestamp) | 6.8 | libSkiaSharp.dll | 8.8 | http://nvd.nist.gov/vuln/detail/CVE-2022-22825 | High |
| libjpeg-turbo | 2.0.0 | 2.1.4 | CVE-2020-17541 | Exact match | 6.8 | libSkiaSharp.dll | 8.8 | http://nvd.nist.gov/vuln/detail/CVE-2020-17541 | High |
| expat | | 2.5.0 | CVE-2021-46143 | Exact match (timestamp) | 6.8 | libSkiaSharp.dll | 7.8 | http://nvd.nist.gov/vuln/detail/CVE-2021-46143 | High |
| expat | | 2.5.0 | CVE-2022-25314 | Exact match (timestamp) | 5 | libSkiaSharp.dll | 7.5 | http://nvd.nist.gov/vuln/detail/CVE-2022-25314 | High |
| expat | | 2.5.0 | CVE-2022-23990 | Exact match (timestamp) | 5 | libSkiaSharp.dll | 7.5 | http://nvd.nist.gov/vuln/detail/CVE-2022-23990 | High |
| expat | | 2.5.0 | CVE-2022-43680 | Exact match (timestamp) | 0 | libSkiaSharp.dll | 7.5 | http://nvd.nist.gov/vuln/detail/CVE-2022-43680 | High |
| zlib | 1.2.11 | 1.2.13 | CVE-2018-25032 | Exact match | 5 | libSkiaSharp.dll | 7.5 | http://nvd.nist.gov/vuln/detail/CVE-2018-25032 | High |

jeremy-bridges commented 1 year ago

This came up in our scans too. We'd love to get info on when these dependencies will be updated.

jeremy-bridges commented 1 year ago

As a follow-up, we'd also love to see a Software Bill of Materials (SBOM) maintained in this repository. Something simple is fine. Expat, zlib, libjpeg-turbo listed with their versions is fine. Since NuGet won't show these dependencies, consumers of SkiaSharp cannot discover which components are used in SkiaSharp.

jeremy-bridges commented 1 year ago

Just found cgmanifest.json. It helps to track down some of these. A more readable SBOM would be better.

Sidenote: the commit hash mentioned there for expat (e5aa0a2cb0a5f759ef31c0819dc67d9b14246a4a) doesn't seem to exist in the expat repository. Mistake?

praveenHari24 commented 1 year ago

With SkiaSharp versions 2.88.2 and 2.88.3, we are able to identify the following vulnerabilities.

libexpat:
- https://nvd.nist.gov/vuln/detail/CVE-2022-40674
- https://nvd.nist.gov/vuln/detail/CVE-2022-43680

zlib:
- https://nvd.nist.gov/vuln/detail/CVE-2018-25032
- https://nvd.nist.gov/vuln/detail/CVE-2022-37434

Can we expect the next version of SkiaSharp to be vulnerability-free? When can we expect the next version?

mattleibow commented 1 year ago

These issues were fixed in the last few versions of skia.