sqlkata / querybuilder

SQL query builder, written in C#, that helps you build complex queries easily; supports SqlServer, MySql, PostgreSql, Oracle, Sqlite and Firebird
https://sqlkata.com
MIT License

Vulnerability in System.Private.Uri as result of dependency on System.Collections.Concurrent/4.3.0 #684

Open AnyFlippingUsernameWillDo opened 12 months ago

AnyFlippingUsernameWillDo commented 12 months ago

Hi,

We're running a Sysdig security scan which is reporting two vulnerabilities in system.private.uri/4.3.0 - https://github.com/advisories/GHSA-xhfc-gr8f-ffwc and https://github.com/advisories/GHSA-5f2m-466j-3848

I believe I've tracked it down to the dependency that sqlkata/querybuilder has on System.Collections.Concurrent/4.3.0

System.Collections.Concurrent 4.3.0 (here) depends on System.Runtime 4.3.0, which in turn depends on runtime.any.System.Runtime 4.3.0 (if you specify a RuntimeIdentifier like linux-x64), which in turn depends on a vulnerable package System.Private.Uri 4.3.0.

Please also see similar issues https://github.com/dotnet/runtime/issues/86671 and https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2086 for System.Text.Encoding.

I'm not certain under what circumstances System.Collections.Concurrent/4.3.0 is needed as of .NET 6+, but I'd be grateful if someone could have a look to see whether it is still necessary. If it is, it would be nice to know of the best way to fix the vulnerability.

Thanks
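To trace how a flagged package enters a build through transitive references, as the chain in the report above describes, here is an added example (not part of the issue or of SqlKata) that walks a NuGet project.assets.json-style dependency graph and returns each path from a direct reference down to the flagged package. The JSON excerpt, the SqlKata version 0.0.0 and the target key are constructed for the example.

```python
import json

# Constructed excerpt shaped like the "targets" section of a NuGet obj/project.assets.json.
# The ids and 4.3.0 versions are the chain from the issue; the SqlKata version is a
# placeholder and the JSON itself is made up for this example.
ASSETS_JSON = json.dumps({"targets": {"net6.0/linux-x64": {
    "SqlKata/0.0.0": {"dependencies": {"System.Collections.Concurrent": "4.3.0"}},
    "System.Collections.Concurrent/4.3.0": {"dependencies": {"System.Runtime": "4.3.0"}},
    "System.Runtime/4.3.0": {"dependencies": {"runtime.any.System.Runtime": "4.3.0"}},
    "runtime.any.System.Runtime/4.3.0": {"dependencies": {"System.Private.Uri": "4.3.0"}},
    "System.Private.Uri/4.3.0": {},
}}})

# What the scanner flagged: lower-cased id -> affected versions seen in the scan.
FLAGGED = {"system.private.uri": {"4.3.0"}}


def build_graph(assets: dict, target: str) -> dict:
    """Map each resolved 'Id/Version' node to the resolved nodes it depends on."""
    entries = assets["targets"][target]
    by_id = {key.split("/")[0].lower(): key for key in entries}  # NuGet ids are case-insensitive
    # Dependency values are version ranges; the resolved node is found by id.
    return {key: [by_id[d.lower()] for d in meta.get("dependencies", {}) if d.lower() in by_id]
            for key, meta in entries.items()}


def paths_to_flagged(graph: dict, flagged: dict) -> list:
    """All paths from a root (nothing depends on it) down to a flagged node."""
    depended_on = {d for deps in graph.values() for d in deps}
    found = []

    def walk(node, path):
        pkg_id, version = node.split("/")
        if version in flagged.get(pkg_id.lower(), ()):
            found.append(path + [node])
        for child in graph[node]:
            if child not in path:  # cycle guard for malformed lock files
                walk(child, path + [node])

    for root in (n for n in graph if n not in depended_on):
        walk(root, [])
    return found


def scan(assets_json: str, target: str, flagged: dict) -> list:
    """Parse the assets JSON and return every dependency path to a flagged package."""
    return paths_to_flagged(build_graph(json.loads(assets_json), target), flagged)


if __name__ == "__main__":
    for path in scan(ASSETS_JSON, "net6.0/linux-x64", FLAGGED):
        print(" -> ".join(path))
```

Against a real restore, `dotnet list package --include-transitive --vulnerable` reports the same kind of finding from the SDK's own advisory data; the script above is useful when you need the full path rather than just the flagged leaf.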