I am running an Azure pipeline with the Mend Bolt task to detect old libraries, and I got:
Notice for System.Text.RegularExpressions: the existing version is 4.3.1 and the suggested fix is ALSO 4.3.1, but it seems it is not taken into consideration.
PS: my csproj is here
Any help please?
Thank you in advance
>Solution :
Mend has a page about this CVE-2019-0820 issue, explaining when this notice might also be a false positive.
For your situation it is a false positive:
- you are on .NET 6, which is higher than the mentioned vulnerable runtimes (see below) – your WebApp.proj has `<TargetFramework>net6.0</TargetFramework>`
- you reference System.Text.RegularExpressions version 4.3.1 or even higher.
From that page:
In case the project has the CVE-2019-0820 reported, then whether it is actually vulnerable or not depends on the used .NET Core Runtime version.
The vulnerable .NET Core Runtime versions for this CVE are:
- v1.0 branch: 1.0 – 1.0.16 (exclusive)
- v1.1 branch: 1.1 – 1.1.13 (exclusive)
- v2.1 branch: 2.1 – 2.1.11 (exclusive)
- v2.2 branch: 2.2 – 2.2.5 (exclusive)
If the user is running a higher .NET core version than listed above while using the package version 4.3.1 then they are secured from the vulnerability and they can safely ignore the alert.
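An added example (not from the question, the answer or Mend's page) that applies the quoted guidance mechanically: it reads the TargetFramework and the System.Text.RegularExpressions PackageReference from a csproj and decides whether the CVE-2019-0820 alert is a false positive. The csproj below is a constructed sample; for projects on one of the listed vulnerable branches the actual runtime patch version (e.g. from `dotnet --version`) must be passed in, since the moniker alone does not carry it.

```python
import re
import xml.etree.ElementTree as ET

# Vulnerable .NET Core runtime branches for CVE-2019-0820, as quoted from Mend:
# (major, minor) -> first fixed patch version (the exclusive upper bound).
VULNERABLE_BRANCHES = {
    (1, 0): (1, 0, 16),
    (1, 1): (1, 1, 13),
    (2, 1): (2, 1, 11),
    (2, 2): (2, 2, 5),
}
FIXED_PACKAGE = (4, 3, 1)  # suggested fix for System.Text.RegularExpressions

# Constructed sample csproj mirroring the question (net6.0, package 4.3.1).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>
</Project>"""


def parse_version(text):
    """'4.3.1' -> (4, 3, 1); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def tfm_branch(tfm):
    """Map a .NET Core / .NET 5+ moniker to (major, minor); None for e.g. net48."""
    m = re.fullmatch(r"(?:netcoreapp|net)(\d+)\.(\d+)(?:-\w+)?", tfm.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def read_csproj(xml_text):
    """Return (TargetFramework, System.Text.RegularExpressions version or None)."""
    root = ET.fromstring(xml_text)
    version = None
    for ref in root.iter("PackageReference"):
        if ref.get("Include") == "System.Text.RegularExpressions":
            version = ref.get("Version") or ref.findtext("Version")
    return root.findtext(".//TargetFramework"), version


def assess(tfm, package_version, runtime_version=None):
    """'false positive', 'vulnerable' or 'unknown' per the quoted Mend guidance."""
    if package_version is None or parse_version(package_version) < FIXED_PACKAGE:
        return "vulnerable"  # package is below the suggested fix 4.3.1
    branch = tfm_branch(tfm or "")
    if branch is None:
        return "unknown"  # not a .NET Core moniker; the guidance does not apply
    if branch not in VULNERABLE_BRANCHES:
        return "false positive"  # e.g. net6.0: higher than every listed branch
    if runtime_version is None:
        return "unknown"  # vulnerable branch: need the real patch version
    return "false positive" if parse_version(runtime_version) >= VULNERABLE_BRANCHES[branch] else "vulnerable"
```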
