
Comments (4)

svick commented on June 30, 2024

A .Net Standard library is not used on its own; it's used as a part of some application. And an application will generally use an implementation of .Net Standard that comes from the framework it uses. So it shouldn't matter if the library depends on an insecure version of System.Text.RegularExpressions, because the application will actually use a secure version of System.Text.RegularExpressions (assuming it's running on an up-to-date version of .Net Framework, .Net Core or .Net).

Because of that, I think the report of a vulnerability that's affecting your code is effectively a false positive.

(Note that I don't work for Microsoft and that I don't speak in any official capacity. If you still believe that a security vulnerability exists here, I think you should follow the .Net Core security policy to report it directly to Microsoft's security team, especially considering it's now a vacation season.)

from standard.

ericstj commented on June 30, 2024

System.Text.RegularExpressions never applies a vulnerable binary on .NET Framework. It applies a facade dll that type-forwards to System.dll where all this code lives. The facade dll is not vulnerable as it does not contain the code. System.Text.RegularExpressions also does not apply its binary on .NET Core 2.0 and later. There the implementation is provided by the shared framework. This package only exists for delivering the implementation to older frameworks (.NET Core 1.x), which are now out of support.

In general we don't churn the entire package ecosystem when a single package is updated. If you'd like to update your package reference to suppress this false positive from a validation tool, you may. This wouldn't be much different than if we shipped a new version of NETStandard.Library: you'd still need all the packages that referenced the old version to update to a new one.

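The two replies above turn on which binary actually supplies Regex at run time. As an added example (not code from the thread or from dotnet/standard), this C# program prints the assembly that `typeof(Regex)` resolves to, so a scanner's flag on the NuGet package version can be compared with what the process really loads; the "app-local" heuristic based on `AppContext.BaseDirectory` is an assumption of this example, not a framework API.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text.RegularExpressions;

// Added example, not code from dotnet/standard: report which assembly actually
// supplies Regex in this process, so a scanner's flag on the NuGet package
// version can be compared with the binary that is really loaded.
static class RegexProvenance
{
    // Heuristic (assumption, not a framework API): an assembly whose file sits
    // under the application's own directory was deployed with the app (e.g. from
    // a NuGet package); anything else came from the GAC or the shared framework.
    public static bool IsAppLocal(Assembly asm)
    {
        string location = asm.Location;            // empty for single-file/bundled apps
        if (string.IsNullOrEmpty(location)) return false;
        return location.StartsWith(AppContext.BaseDirectory, StringComparison.OrdinalIgnoreCase);
    }

    public static string Describe()
    {
        // On .NET Framework the package ships only a facade, so this follows the
        // type-forward and lands on System.dll; on .NET Core 2.0+ it lands on the
        // shared framework's System.Text.RegularExpressions.dll.
        Assembly asm = typeof(Regex).Assembly;
        AssemblyName name = asm.GetName();
        string info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()
                         ?.InformationalVersion ?? "(none)";
        string origin = IsAppLocal(asm)
            ? "app-local: the package's own binary is what runs; patch the package"
            : "framework-provided: the package binary is not in use; patch the runtime";
        return $"Runtime:  {RuntimeInformation.FrameworkDescription}\n" +
               $"Assembly: {name.Name} {name.Version} ({info})\n" +
               $"Location: {asm.Location}\n" +
               $"Origin:   {origin}";
    }

    public static void Main() => Console.WriteLine(Describe());
}
```

Self-contained deployments copy the framework into the application directory, so there everything reads as app-local and the version line is the part to compare against the servicing build.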

rathnagiri commented on June 30, 2024

As mentioned earlier, Microsoft has already fixed this in Core, as per the commit below: dotnet/corefx@19d4b11.

While you are right that if an up-to-date version of .NET Framework/Core is installed the host application would load the latest secure version, this would not be the case if servers are not up to date or, as pointed out by Microsoft, in the case of applications pinned to a specific version. That's because, I think, the minimum dependency version of System.Text.RegularExpressions specified by .NET Standard is still pointing to the insecure version 4.3.0 as per the dependency file. By incrementing it to 4.3.1, we could eliminate the possibility of using the older insecure version.


pnguyen2021 commented on June 30, 2024

System.Text.RegularExpressions v4.3.1 is also flagged! It is the latest version available that I could see.
