jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.

Home Page:https://owasp.org/www-project-dependency-check/

[FP]: System.Data.SqlClient 4.8.6 for other frameworks than netstandard1.3

echalone opened this issue · comments

Package URL

pkg:nuget/System.Data.SqlClient@4.8.6

CPE

cpe:2.3:a::System.Data.SqlClient:4.8.6:::::::

CVE

CVE-2024-0056

ODC Integration

None

ODC Version

9.0.9

Description

This CVE pops up again because according to this website: https://ossindex.sonatype.org/vulnerability/CVE-2024-0056
"The Sonatype security research team discovered that this vulnerability is still present in versions >= 4.8.6 of System.Data.SqlClient for users of the netstandard1.3 framework for both Windows and Unix."
However, we are using .NET 6 for the project which includes the netstandard2.1 framework version of this library, which is no longer impacted by this vulnerability. Shouldn't the dependency check be able to detect this or am I getting something wrong here and as soon as there's any vulnerability for this version (even if in another framework) it will scream?

Nuget Coordinates

dotnet add package System.Data.SqlClient --version 4.8.6

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6465
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/System\.Data\.SqlClient@.*$</packageUrl>
   <cpe>cpe:/a:*:System.Data.SqlClient</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7885203639
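The template rule above suppresses every CPE match for every System.Data.SqlClient version, so a real future CVE against this package would be hidden too. As an added example (not from the issue author or the project), a project-local suppressions.xml that limits the suppression to this one CVE and this one version; the `until` date is a constructed placeholder:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's shipped base suppressions: scopes the
     suppression to CVE-2024-0056 on System.Data.SqlClient 4.8.6 only. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
   <!-- "until" (placeholder date) expires the entry so the finding comes back
        and gets re-evaluated once the package or target framework changes. -->
   <suppress until="2025-01-01Z">
      <notes><![CDATA[
      CVE-2024-0056 affects the netstandard1.3 build of System.Data.SqlClient
      (per OSS Index); this project targets net6.0, which resolves the
      netstandard2.1 build. See issue #6465.
      ]]></notes>
      <!-- Exact version, not "@.*": a bumped package re-triggers the check. -->
      <packageUrl regex="true">^pkg:nuget/System\.Data\.SqlClient@4\.8\.6$</packageUrl>
      <!-- Suppress only this CVE, leaving any other CPE-matched CVE visible. -->
      <cve>CVE-2024-0056</cve>
   </suppress>
</suppressions>
```

Pass the file to the CLI with `--suppression suppressions.xml`; the finding stays visible in the report for any other CVE mapped to the same CPE.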