
I am running an Azure pipeline with the Mend Bolt task to detect old libraries, and I got:

(screenshot of the Mend Bolt report)

Notice that for System.Text.RegularExpressions the existing version is 4.3.1 and the suggested fix is ALSO 4.3.1, but it seems it is not taken into consideration.

PS: my csproj is here

Any help please?

Thank you in advance.

pfx
Mohamed

1 Answer

1

Mend has a page about this CVE-2019-0820 issue, explaining when this notice might also be a false positive.

For your situation it is a false positive:

  • you are on .NET 6, which is higher than the mentioned vulnerable runtimes (see below) - your WebApp.proj has <TargetFramework>net6.0</TargetFramework>

  • you reference System.Text.RegularExpressions version 4.3.1 or even higher.


From that page:

If the project has CVE-2019-0820 reported, then whether it is actually vulnerable or not depends on the .NET Core Runtime version used.

The vulnerable .NET Core Runtime versions for this CVE are:

  • v1.0 branch: 1.0 - 1.0.16 (exclusive)
  • v1.1 branch: 1.1 - 1.1.13 (exclusive)
  • v2.1 branch: 2.1 - 2.1.11 (exclusive)
  • v2.2 branch: 2.2 - 2.2.5 (exclusive)

If the user is running a higher .NET Core version than those listed above while using package version 4.3.1, then they are secured from the vulnerability and can safely ignore the alert.

pfx