Open cg110 opened 2 years ago
Hey Chris,
We've just merged a PR updating the .csproj with the VersionPrefix tag and we'll make it available on the next release.
Is this currently causing any issues on your side? If it is, we can publish a new "empty" version to fix the issue. Otherwise, we will wait for the next feature/fix to publish the package with the new tag.
Thanks for the feedback!
Hi,
I've no desperate need; it was more that, with the vulnerability in 1.3.1 being flagged in various places, I was checking the dll version and found that after updating to 1.3.3 it was 1.0.0, so I fell back to checking the file size (1.3.3 is a bit bigger). I can see it being awkward for security tools/scanners though.
It also depends on whether the dll is put in anyone's msi installer, as it might not be upgraded if the version number is the same. (But that does depend on how the .msi was created, and what mode upgrade runs in.)
Thanks, Chris
That makes sense. We'll keep monitoring this issue then, and if it is causing any major disturbances, we'll expedite the new release.
Thank you for your input!
Best, Felipe
Hi!
I have an issue reported on the DLL via a Sonatype Nexus scan. The vulnerability is https://nvd.nist.gov/vuln/detail/CVE-2021-43569. I think this has been resolved in 1.3.2 (https://github.com/starkbank/ecdsa-dotnet/releases/tag/v1.3.2), but because the version of the DLL is not correct (it is 1.0.0 even for v1.3.3) the tool reports this as open.
This is also causing me some issues. Our software composition analysis tool reports this NuGet package's version 1.3.3 as a vulnerability since the file version is not set correctly. Releasing a new version would help me greatly.
Any update on when this will get released? This is flagging up on my BlackDuck scans as a vulnerable transitive dependency even though I have the correct version 1.3.3 referenced in the projects.
I was checking we'd updated to the latest NuGet version, and found that the dlls have Product and File version of 1.0.0.0 in their properties in both 1.3.1 and 1.3.3.
I suspect that a Version is needed in the .csproj so that the file version is set correctly (probably keeping the assembly version at 1.3.0.0, or whatever version is appropriate for the API).
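An added example, not the ecdsa-dotnet project's own .csproj, showing why an SDK-style project whose only version property is the package version ships a DLL stamped 1.0.0.0, and the VersionPrefix/AssemblyVersion/FileVersion form that makes the file version track the release. The target framework and the 1.3.0.0 assembly version are assumptions taken from this thread, not from the project.

```xml
<!-- Added example (not the project's csproj). Assumed target framework. -->

<!-- BEFORE: only the NuGet package version is set. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
    <PackageVersion>1.3.3</PackageVersion>
    <!-- PackageVersion only names the .nupkg. VersionPrefix is never set, so the
         SDK default "1.0.0" applies and the compiler emits
           AssemblyVersion = 1.0.0.0
           FileVersion     = 1.0.0.0
         Scanners that read the DLL's version resource (rather than the package
         metadata) therefore still see 1.0.0 and keep flagging CVE-2021-43569. -->
  </PropertyGroup>
</Project>

<!-- AFTER: set VersionPrefix, which the SDK propagates into the assembly. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
    <VersionPrefix>1.3.3</VersionPrefix>
    <!-- With VersionPrefix alone the SDK derives:
           Version / PackageVersion = 1.3.3
           AssemblyVersion          = 1.3.3.0
           FileVersion              = 1.3.3.0  (defaults to AssemblyVersion)
           InformationalVersion     = 1.3.3 -->

    <!-- Optional, as suggested above: hold AssemblyVersion at the API-level
         version so binding does not break on patch releases. FileVersion must
         then be set explicitly, because it would otherwise inherit 1.3.0.0. -->
    <AssemblyVersion>1.3.0.0</AssemblyVersion>
    <FileVersion>1.3.3.0</FileVersion>
  </PropertyGroup>
</Project>
```

After packing, the built DLL's version resource can be checked on Windows with `(Get-Item .\EllipticCurve.dll).VersionInfo.FileVersion` (file name assumed), which is the same value the scanners above read.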