snowflakedb / snowflake-connector-net

Snowflake Connector for .NET
Apache License 2.0

SNOW-1050372: Potential System.Private.Uri 4.3.0 Issue #863

Closed erickim007 closed 4 months ago

erickim007 commented 4 months ago

Hi team,

My name is Eric Kim and I am one of the solution architects working with software engineers. It came to my attention that the Snowflake .NET connector may be bringing in System.Private.Uri 4.3.0, which is subject to a security vulnerability.

My team investigated this possibility and it looks like the Snowflake .NET connector depends on System.Text.RegularExpressions 4.3.1, which I know likely relies upon System.Runtime 4.3.1.

I believe that System.Runtime also brings in System.Private.Uri 4.3.0, whereby if you containerize and package it, even though the assembly may not get used, it would be picked up by an automatic container scanner in an enterprise.

Would you mind looking into this issue, please?

sfc-gh-dszmolka commented 4 months ago

hello Eric and thank you for drawing our attention to this issue! We'll take a look. I found CVE-2019-0980, CVE-2019-0981, CVE-2019-0657 which could potentially play a role here, but if your scanner picked up something else too, do let us know please. Out of curiosity, if you wish to share, which scanner do you use?

erickim007 commented 4 months ago

Hi David

Thank you, and spot on with the CVEs you listed.

My tech is under vulnerability monitoring by PRISMA and also under the GitLab built-in scanner. Not sure which one picked this up, as the cybersecurity team is a separate team from us for centralised governance.

If you don't mind looping me in on progress, that would be great, as the CVEs are very highly rated ones and my team is under the cyber radar at the moment. Apologies for asking this.

Thank you

Kind regards

Eric


sfc-gh-dszmolka commented 4 months ago

thank you for sharing the tools your team uses! Of course I'll keep this thread posted with the progress (we try to address security issues as a priority)

sfc-gh-dszmolka commented 4 months ago

Per the driver team's investigation, this looks more like a false positive in the scanner than an actual vulnerability, as the .NET System standard library internals are not directly tied to the System.Text.RegularExpressions package. These are set by the .NET Core/.NET Framework version as described in https://github.com/dotnet/standard/issues/1786, which also has some comments from a dotnet committer on how this is more like a false positive.

The System.Text.RegularExpressions NuGet package specifies the minimum version required to use it, and the matching happens within .NET Core itself.

As long as you use newer versions of the runtime, you should not be vulnerable.
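As an added triage aid that is not from the issue thread or the connector project: the script below walks a constructed packages.lock.json-style dependency map and prints every chain from a direct reference down to a flagged package, so a scanner finding like this one can be matched to what actually pulls the package in. The package names, versions and chain in the sample are assumptions mirroring the one Eric described, not the connector's real dependency graph.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of the "dependencies" map of a NuGet
# packages.lock.json. Package names, versions and the chain are assumptions
# chosen to mirror the chain discussed in the issue, not a real lock file.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "Snowflake.Data": {"type": "Direct", "resolved": "0.0.0-sample",
                       "dependencies": {"System.Text.RegularExpressions": "4.3.1"}},
    "System.Text.RegularExpressions": {"type": "Transitive", "resolved": "4.3.1",
                                       "dependencies": {"System.Runtime": "4.3.1"}},
    "System.Runtime": {"type": "Transitive", "resolved": "4.3.1",
                       "dependencies": {"System.Private.Uri": "4.3.0"}},
    "System.Private.Uri": {"type": "Transitive", "resolved": "4.3.0"},
    "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"},
}}})

def framework_deps(lock_json: str, framework: str) -> Dict[str, dict]:
    """The per-framework package map of a packages.lock.json document."""
    return json.loads(lock_json)["dependencies"][framework]

def resolved_version(lock_json: str, name: str, framework: str):
    """Version the lock file resolved for a package, or None if absent."""
    return framework_deps(lock_json, framework).get(name, {}).get("resolved")

def chains_to(lock_json: str, target: str, framework: str) -> List[List[str]]:
    """Every chain of package names from a Direct reference down to target."""
    deps = framework_deps(lock_json, framework)
    chains: List[List[str]] = []

    def walk(name: str, path: List[str]) -> None:
        if name == target:
            chains.append(path)
            return
        # skip packages already on the path so a cyclic graph cannot loop
        for child in deps.get(name, {}).get("dependencies", {}):
            if child not in path:
                walk(child, path + [child])

    for name, info in deps.items():
        if info.get("type") == "Direct":
            walk(name, [name])
    return chains

if __name__ == "__main__":
    for chain in chains_to(SAMPLE_LOCK, "System.Private.Uri", "net6.0"):
        print(" -> ".join(chain))
```

Pointed at a real packages.lock.json (generated with `dotnet restore --use-lock-file`) it shows which direct reference is responsible for the flagged package; whether that package's assembly is what actually loads at runtime, rather than the shared framework's copy, depends on the target runtime as noted above.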

sfc-gh-dszmolka commented 4 months ago

closing this issue as it does seem to be a false positive, but if you find this to be incorrect, please comment with the evidence and we'll be happy to look into this further.