Newtonsoft.Json 9.0.1 has known vulnerability. Can it be updated? #782

Closed
taurit opened this issue Jul 7, 2022 · 6 comments · Fixed by #777
Comments

taurit commented Jul 7, 2022

Hi!

The NBGV tool currently seems to rely on Newtonsoft.Json 9.0.1:

<PackageReference Include="Newtonsoft.Json" Version="9.0.1" />

This version has a known vulnerability reported by some scanners. Here's an alert from WhiteSource/Mend scanner:

WS-2022-0161
Improper Handling of Exceptional Conditions in Newtonsoft.Json. Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults (...)

This vulnerability might not be exploitable in the scenarios where Nerdbank.GitVersioning is typically used, but nevertheless it generates alerts and makes it problematic to use in corporate environments ;) Is there any way that this reference could be bumped up to the most recent version? 13.0.1 fixes this problem.
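A check for this class of finding, added here as an example and not part of the issue or of Nerdbank.GitVersioning: parse a project file's PackageReference entries and report any Newtonsoft.Json reference below 13.0.1, the fixed version named in the WS-2022-0161 alert above. The sample .csproj text is constructed; it also handles the `<Version>` child-element form and the namespaced old-style project format, which the issue does not mention.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample project file; the 9.0.1 line mirrors the reference quoted in the issue.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="9.0.1" />
    <PackageReference Include="Newtonsoft.Json">
      <Version>[13.0.1]</Version>
    </PackageReference>
    <PackageReference Include="System.Text.Json" Version="6.0.0" />
  </ItemGroup>
</Project>"""

# Lowest version the WS-2022-0161 alert quoted in the issue treats as fixed.
FIXED_VERSION = (13, 0, 1)


def local_name(tag):
    """Strip an MSBuild XML namespace so old-style csproj files are handled too."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Map a NuGet version or exact range ('[13.0.1]') to a 3-tuple; None if unresolvable."""
    text = text.strip().strip("[]()")
    if "," in text or "*" in text:  # two-ended range or floating version: cannot resolve here
        return None
    numeric = text.split("-", 1)[0]  # drop any prerelease suffix
    if not re.fullmatch(r"\d+(\.\d+)*", numeric):
        return None
    parts = tuple(int(p) for p in numeric.split("."))
    return (parts + (0, 0, 0))[:3]


def find_vulnerable_references(csproj_xml, package="Newtonsoft.Json", fixed=FIXED_VERSION):
    """Return (name, version_text) for each reference to `package` below `fixed`."""
    findings = []
    for ref in ET.fromstring(csproj_xml).iter():
        if local_name(ref.tag) != "PackageReference" or ref.get("Include", "").lower() != package.lower():
            continue
        version_text = ref.get("Version")
        if version_text is None:  # <Version> child element form
            child = next((c for c in ref if local_name(c.tag) == "Version"), None)
            version_text = (child.text or "") if child is not None else ""
        parsed = parse_version(version_text)
        # An unparseable version is reported as well, so it gets a manual look.
        if parsed is None or parsed < fixed:
            findings.append((ref.get("Include"), version_text))
    return findings
```

Running it against a repository's `*.csproj` files and failing the build on a non-empty result gives the same signal the scanner raised, without waiting for the scanner.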

@KalleOlaviNiemitalo

Dependabot suggested the same in #777, but that was closed

taurit commented Jul 7, 2022

Thanks for the link. I see there is no comment in the pull request on why it was closed. Maybe it can be reconsidered...

AArnott commented Jul 12, 2022

Yes, we should be able to fix this. At least for nbgv.

@AArnott AArnott self-assigned this Jul 12, 2022
@AArnott AArnott added this to the v3.6 milestone Jul 12, 2022
@AArnott AArnott modified the milestones: v3.6, v3.5 Jul 12, 2022
AArnott commented Jul 12, 2022

This is fixed in the v3.5 branch and will release to nuget.org soon.

@AArnott AArnott closed this as completed Jul 12, 2022
taurit commented Jul 13, 2022

Awesome, thanks Andrew!