
dotnet-reportgenerator-globaltool uses old System.Text.Encodings.Web 5.0.20 and reports CVE-2021-26701 #503

Closed

Duranom opened this issue Mar 21, 2022 · 3 comments

@Duranom

Duranom commented Mar 21, 2022

Describe the bug
When installing the dotnet-reportgenerator-globaltool, it uses System.Text.Encodings.Web.dll for .NET Core 3.1.
However, the version supplied is 5.0.20.51904 (NuGet package version 5.0.0).
This results in vulnerability scanners like Nexus reporting CVE-2021-26701.
If possible, package version 5.0.1 should be used for .NET Core 3.1.

(Old issue: #436 )

To Reproduce

  1. Download or install package from: https://www.nuget.org/packages/dotnet-reportgenerator-globaltool/5.1.2
  2. Run any vulnerability scanner on the location of the tool
  3. For Windows this is: %USERPROFILE%\.dotnet\tools\.store\dotnet-reportgenerator-globaltool
  4. For linux this is: $HOME/.dotnet/tools

**Why is this an issue:**
The policy in the company is that all used code and tools should be free of vulnerabilities, or excluded for proven good reasons.
However, if it can be resolved through our own measures or at the source, a request or action should be undertaken, and it should be reviewed every few weeks.

**Workaround**
We can temporarily exclude it in our list, or override the library after installing; the latter requires more rights.

@Duranom Duranom changed the title dotnet-reportgenerator-globaltool has old System.Textd.Encodings.Web 5.0.20 dotnet-reportgenerator-globaltool uses old System.Textd.Encodings.Web 5.0.20 and reports CVE-2021-26701 Mar 21, 2022
@Duranom Duranom changed the title dotnet-reportgenerator-globaltool uses old System.Textd.Encodings.Web 5.0.20 and reports CVE-2021-26701 dotnet-reportgenerator-globaltool uses old System.Text.Encodings.Web 5.0.20 and reports CVE-2021-26701 Mar 21, 2022
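The scan the reporter describes (run a vulnerability scanner over the global-tool install directory) can be reproduced without a commercial scanner by reading the tool's own `.deps.json` manifests, which list every NuGet package and version the tool was published with. The script below is an added example, not code from the issue or from ReportGenerator: it walks a tool directory, extracts package/version pairs from each `.deps.json`, and flags any System.Text.Encodings.Web version that falls inside the vulnerable ranges for CVE-2021-26701 (5.0.0 is vulnerable and 5.0.1 is the fix, as the issue states; the 4.x fix versions 4.5.1 and 4.7.2 are taken from the published advisory, not from this page). The embedded sample manifest is constructed for the demo and only reuses the 5.0.0 / 5.0.20.51904 numbers quoted above; the `ReportGenerator/5.1.2` and `Example.Unaffected` entries are placeholders, not the real dependency graph.

```python
"""Flag NuGet package versions vulnerable to CVE-2021-26701 in a .NET tool directory.

Added example (not part of the issue or of ReportGenerator). It reads the
.deps.json manifests that the .NET SDK writes next to every published tool
and compares the package versions found there against a small advisory table.
"""
import json
import os
from pathlib import Path

# (first vulnerable, first fixed) pairs on each version line. 5.0.0 -> 5.0.1
# is the case in this issue; the 4.x lines come from the published advisory.
ADVISORIES = {
    "System.Text.Encodings.Web": [
        ("4.0.0", "4.5.1"),
        ("4.6.0", "4.7.2"),
        ("5.0.0", "5.0.1"),
    ],
}


def parse_version(version):
    """Turn a NuGet-style version ('5.0.0', '5.0.20.51904', '5.0.1-rc.1')
    into a 4-tuple of ints so that comparisons are numeric, not lexical."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_vulnerable(package, version):
    """True if (package, version) lies in one of the advisory's affected ranges."""
    ranges = ADVISORIES.get(package)
    if not ranges:
        return False
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in ranges)


def packages_from_deps_json(text):
    """Yield (name, version) for every library of type 'package' in a .deps.json.
    Keys in the 'libraries' section have the form 'Package.Name/Version'."""
    doc = json.loads(text)
    for key, lib in doc.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # 'project' entries are the tool itself, not a NuGet package
        name, _, version = key.partition("/")
        yield name, version


def scan_deps_json_text(text):
    """Sorted list of (name, version) pairs in one manifest that match an advisory."""
    return sorted({(n, v) for n, v in packages_from_deps_json(text) if is_vulnerable(n, v)})


def scan_tool_dir(root):
    """Walk a tool install directory and return (manifest path, name, version) findings."""
    findings = []
    for path in sorted(Path(root).rglob("*.deps.json")):
        for name, version in scan_deps_json_text(path.read_text(encoding="utf-8")):
            findings.append((str(path), name, version))
    return findings


def default_tool_dir():
    """Global-tool location from the issue: $HOME/.dotnet/tools (Windows keeps
    the unpacked packages under .store below the same directory)."""
    return Path.home() / ".dotnet" / "tools"


# Constructed sample manifest (shape of a netcoreapp3.1 .deps.json). Only the
# System.Text.Encodings.Web numbers are taken from the issue; the other entries
# are placeholders and do not describe ReportGenerator's real dependencies.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v3.1"},
    "targets": {".NETCoreApp,Version=v3.1": {
        "ReportGenerator/5.1.2": {
            "dependencies": {"System.Text.Encodings.Web": "5.0.0"},
            "runtime": {"ReportGenerator.dll": {}},
        },
        "System.Text.Encodings.Web/5.0.0": {
            "runtime": {"lib/netstandard2.0/System.Text.Encodings.Web.dll": {
                "assemblyVersion": "5.0.0.0", "fileVersion": "5.0.20.51904"}},
        },
        "Example.Unaffected/1.0.0": {"runtime": {"lib/netstandard2.0/Example.Unaffected.dll": {}}},
    }},
    "libraries": {
        "ReportGenerator/5.1.2": {"type": "project", "serviceable": False, "sha512": ""},
        "System.Text.Encodings.Web/5.0.0": {"type": "package", "serviceable": True, "sha512": ""},
        "Example.Unaffected/1.0.0": {"type": "package", "serviceable": True, "sha512": ""},
    },
})


if __name__ == "__main__":
    print("sample manifest:", scan_deps_json_text(SAMPLE_DEPS_JSON))
    root = Path(os.environ.get("DOTNET_TOOL_DIR", default_tool_dir()))
    if root.is_dir():
        for manifest, name, version in scan_tool_dir(root):
            print(f"{manifest}: {name} {version} is affected by CVE-2021-26701")
```

Point it at a tool directory with `DOTNET_TOOL_DIR=~/.dotnet/tools python3 scan.py` (the environment variable is this script's own convention). The version comparison is numeric on purpose: a lexical check would rank `5.0.20` below `5.0.3`, and the `fileVersion` the scanner reports (5.0.20.51904) is not the NuGet package version (5.0.0) that advisories are keyed on, so the script matches on the package key rather than the DLL file version.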
@danielpalme
Owner

Please update to v5.1.3. I fixed the problem in that new release.

@AraHaan

AraHaan commented Apr 9, 2022

@danielpalme is it perhaps possible to have the generator support OpenCover-format XML files (which are generated by msbuild) and also generate the HTML automatically when testing is complete?

I basically want to be able to see the coverage in html where fully covered is green, uncovered is red, and half covered (branch) is yellow, but to have it generated by dotnet test and not be forced to invoke the tool itself.

@danielpalme
Owner

ReportGenerator supports coverage files in OpenCover format.

Maybe this extension for Visual Studio solves your other request: https://github.com/the-dext/RunCoverletReport

Another option is that you create a little bat file with the following content:

dotnet test --collect:"XPlat Code Coverage"

"%UserProfile%\.nuget\packages\reportgenerator\5.1.4\tools\net6.0\ReportGenerator.exe" -reports:*\TestResults\*\coverage.opencover.xml -reporttypes:Html -targetdir:coveragereport
