[FP]: System.Data.SqlClient 4.8.6 for other frameworks than netstandard1.3
echalone opened this issue
Package URL
pkg:nuget/System.Data.SqlClient@4.8.6
CPE
cpe:2.3:a::System.Data.SqlClient:4.8.6:::::::
CVE
ODC Integration
None
ODC Version
9.0.9
Description
This CVE pops up again because according to this website: https://ossindex.sonatype.org/vulnerability/CVE-2024-0056
"The Sonatype security research team discovered that this vulnerability is still present in versions >= 4.8.6 of System.Data.SqlClient for users of the netstandard1.3 framework for both Windows and Unix."
However, we are using .NET 6 for the project, which includes the netstandard2.1 framework version of this library, which is no longer impacted by this vulnerability. Shouldn't the dependency check be able to detect this, or am I getting something wrong here, and as soon as there's any vulnerability for this version (even if in another framework) it will scream?
Nuget Coordinates
dotnet add package System.Data.SqlClient --version 4.8.6
Suppression rule:
<suppress base="true">
   <notes><![CDATA[
   FP per issue #6465
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/System\.Data\.SqlClient@.*$</packageUrl>
   <cpe>cpe:/a:*:System.Data.SqlClient</cpe>
</suppress>
Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7885203639
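As an added check, not part of this issue and not DependencyCheck's own code: a small Python script that reads a project's project.assets.json (NuGet's resolution output) and reports which lib/<tfm> build of System.Data.SqlClient was actually resolved, so the netstandard1.3 case named in the Sonatype note can be told apart from the .NET 6 case described above. The two assets files embedded below are constructed samples, and the function names are my own.

```python
import json
from typing import Optional

# Constructed slice of a project.assets.json for a net6.0 project (not from any real
# project): NuGet resolved the netstandard2.0 build of System.Data.SqlClient 4.8.6.
SAMPLE_ASSETS_NET6 = json.dumps({
    "version": 3,
    "targets": {
        "net6.0": {
            "System.Data.SqlClient/4.8.6": {
                "type": "package",
                "compile": {"ref/netstandard2.0/System.Data.SqlClient.dll": {}},
                "runtime": {"lib/netstandard2.0/System.Data.SqlClient.dll": {}},
            }
        }
    },
})

# Constructed counterpart where the netstandard1.3 build was resolved instead.
SAMPLE_ASSETS_NS13 = json.dumps({
    "version": 3,
    "targets": {
        ".NETStandard,Version=v1.3": {
            "System.Data.SqlClient/4.8.6": {
                "type": "package",
                "runtime": {"lib/netstandard1.3/System.Data.SqlClient.dll": {}},
            }
        }
    },
})

# The build that the Sonatype note quoted in the issue says is still affected at >= 4.8.6.
AFFECTED_TFM = "netstandard1.3"


def resolved_tfm(assets_json: str, package: str, target: Optional[str] = None) -> Optional[str]:
    """Return the lib/<tfm> folder NuGet resolved for `package`, e.g. 'netstandard2.0'.

    Reads the 'runtime' assets of the package entry under each (or the given) target;
    the folder name says which build of the package the application actually loads.
    """
    data = json.loads(assets_json)
    targets = data.get("targets", {})
    if target is not None:
        targets = {target: targets.get(target, {})}
    for libs in targets.values():
        for key, entry in libs.items():
            name, _, _version = key.partition("/")  # key looks like "Name/Version"
            if name.lower() != package.lower():
                continue
            for path in entry.get("runtime", {}):
                parts = path.split("/")
                if len(parts) >= 3 and parts[0] == "lib":
                    return parts[1]
    return None


def sqlclient_build_affected(assets_json: str, target: Optional[str] = None) -> bool:
    """True only when the resolved System.Data.SqlClient build is the netstandard1.3 one."""
    return resolved_tfm(assets_json, "System.Data.SqlClient", target) == AFFECTED_TFM
```

Run it against the real obj/project.assets.json of the project; a result other than netstandard1.3 at 4.8.6 is the situation the suppression rule above is meant for.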