Check for a solution in the Azure portal
When taking a dependency on Microsoft.Azure.WebJobs.Script.Abstractions 1.0.4-preview (latest version in the NuGet feed as of today - https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Script.Abstractions/#versions-body-tab ), we are getting an alert for this CVE:
Microsoft Security Advisory CVE-2021-24112 | .NET 5 and .NET Core Remote Code Execution Vulnerability #176
dotnet/announcements#176
Investigative information
Apparently, there is a reference to System.Drawing.Common version 6.0.0.
Repro steps
Provide the steps required to reproduce the problem:
Take a dependency on the NuGet package and run through a governed repository component compliance scan (contact me directly for a Microsoft internal scan sample).
Expected behavior
Provide a description of the expected behavior.
Build should be clear of CVE alerts.
Actual behavior
Provide a description of the actual behavior observed.
CVE-2021-24112 during build component compliance scan
Known workarounds
Provide a description of any known workarounds.
Possibly do a direct reference to System.Drawing.Common version (8.0.x) from the project taking a dependency on Microsoft.Azure.WebJobs.Script.Abstractions. However, I expected the build to generate an assembly version conflict so we can generate a matching redirect, but no such version conflict is generated from the build, so it is unclear if this workaround will actually mitigate the issue.
Related information
Provide any related information
C# .NET 6.0
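One way to check whether the direct reference from the workaround took effect is to read the version NuGet actually restored into `obj/project.assets.json`. This is an added example, not part of the original issue or the project's code; the sample file content and the dependency edge in it are constructed, and the 8.0.0 threshold is the workaround version named in the issue, not a statement of which versions are patched.

```python
import json

def parse_version(text):
    """Numeric core of a NuGet version: '1.0.4-preview' -> (1, 0, 4, 0)."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check_package(assets, package, minimum):
    """Per target framework: restored version of `package`, whether it is
    at least `minimum`, and which restored packages ask for it."""
    report, wanted = {}, package.lower()
    for tfm, libs in assets.get("targets", {}).items():
        resolved, requested_by = None, {}
        for key, info in libs.items():
            name, _, version = key.partition("/")
            if name.lower() == wanted:
                resolved = version
            for dep, rng in info.get("dependencies", {}).items():
                if dep.lower() == wanted:
                    requested_by[key] = rng
        if resolved is not None:
            report[tfm] = {"resolved": resolved,
                           "ok": parse_version(resolved) >= parse_version(minimum),
                           "requested_by": requested_by}
    return report

def sample_assets(restored_version):
    """Constructed stand-in for obj/project.assets.json (not real scan data).
    The 6.0.0 dependency edge is assumed from the issue's description."""
    return json.loads("""
    {"version": 3, "targets": {"net6.0": {
        "Microsoft.Azure.WebJobs.Script.Abstractions/1.0.4-preview": {
            "type": "package",
            "dependencies": {"System.Drawing.Common": "6.0.0"}},
        "System.Drawing.Common/%s": {"type": "package"}}}}
    """ % restored_version)

if __name__ == "__main__":
    # With a real project: assets = json.load(open("obj/project.assets.json"))
    for label, version in (("no direct reference", "6.0.0"),
                           ("direct 8.0.x reference", "8.0.0")):
        for tfm, r in check_package(sample_assets(version),
                                    "System.Drawing.Common", "8.0.0").items():
            print(label, tfm, r["resolved"],
                  "OK" if r["ok"] else "BELOW MINIMUM", r["requested_by"])
```

NuGet restores a single version per package, and a direct reference takes precedence over a transitive one, so the `requested_by` entry can still show 6.0.0 while the restored version is 8.0.0.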