I set up a test DotNetCore project with a non-vulnerable version of Log4Net (20.0.12). When I run DevAudit against that csproj file, I get the following message in the console:
  "Package": {
    "pm": "nuget",
    "group": null,
    "name": "log4net",
    "version": "2.0.9",
    "vendor": null
  },
  "Vulnerabilities": [
    {
      "id": "c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c",
      "title": "[CVE-2018-1285] Apache log4net before 2.0.8 does not disable XML external entities when parsing ...",
      "description": "Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.",
      "cvssScore": "9.8",
      "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "cwe": null,
      "reference": "https://ossindex.sonatype.org/vulnerability/c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c?component-type=nuget&component-name=log4net&utm_source=devaudit&utm_medium=integration&utm_content=3.4"
    }
  ]
It looks like it's reporting the lower version vulnerability even though the version in the project is not vulnerable. I included my csproj file and output.
Running log4net 20.0.12 directly against the OssIndex API returns the expected result.
[
  {
    "coordinates": "pkg:nuget/log4net@20.0.12",
    "description": "log4net is a tool to help the programmer output log statements to a variety of output targets. log4net is a port of the excellent log4j framework to the .NET runtime",
    "reference": "https://ossindex.sonatype.org/component/pkg:nuget/log4net@20.0.12?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
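As an added example (not DevAudit's or OSS Index's own code), the checks a practitioner would run by hand to confirm a finding like the one above: read the version the csproj actually declares, compare it numerically against the advisory's affected range, and build the exact OSS Index coordinate and component-report request for a manual re-query. Assumptions: the affected range "< 2.0.8" is taken from the CVE-2018-1285 description quoted in the finding; the OSS Index v3 endpoint `https://ossindex.sonatype.org/api/v3/component-report` is the public REST API; the csproj and the report below are constructed samples, not the attached project or a captured response; why DevAudit resolved 2.0.9 for this project is not established here.

```python
"""Offline sanity checks for a dependency-scanner finding.

Added example, not part of DevAudit or OSS Index. SAMPLE_CSPROJ and
SAMPLE_REPORT are constructed inputs; ADVISORY_RANGES is an assumed
mapping, since the OSS Index response carries no machine-readable range.
"""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

OSSINDEX_COMPONENT_REPORT = "https://ossindex.sonatype.org/api/v3/component-report"

# Constructed SDK-style csproj declaring log4net 2.0.12 (not the attached project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>netcoreapp3.1</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="log4net" Version="2.0.12" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

# Constructed report modelled on the DevAudit finding in the issue.
SAMPLE_REPORT = {
    "coordinates": "pkg:nuget/log4net@2.0.9",
    "vulnerabilities": [{
        "id": "c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c",
        "title": "[CVE-2018-1285] Apache log4net before 2.0.8 does not disable "
                 "XML external entities when parsing ...",
        "cvssScore": "9.8",
    }],
}
# Assumed: affected range derived from the advisory text "before 2.0.8".
ADVISORY_RANGES = {"c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c": "<2.0.8"}


def declared_packages(csproj_xml):
    """Map PackageReference Include -> Version from an SDK-style csproj.
    (ElementTree does not resolve external entities, so parsing an
    untrusted csproj here is not itself an XXE exposure.)"""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version")
            for el in root.iter("PackageReference") if el.get("Include")}


def parse_version(text):
    """NuGet-style version ('2.0.12', '2.0.8-beta1', '1.2.3.4') -> 4-tuple of
    ints, prerelease/build suffix dropped. Numeric comparison is the point:
    as plain strings '2.0.12' < '2.0.8', which would mis-flag 2.0.12."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def version_in_range(version, range_spec):
    """True if version satisfies every comma-separated clause, e.g. '>=2.0.0,<2.0.8'."""
    v = parse_version(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9][0-9.]*(?:[-+][\w.]+)?)\s*", clause)
        if not m:
            raise ValueError("bad range clause: %r" % clause)
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def purl(pm, name, version):
    """Package URL in the form OSS Index reports, e.g. pkg:nuget/log4net@2.0.12."""
    return "pkg:%s/%s@%s" % (pm, name.lower(), version)


def build_component_report_request(coordinates):
    """(url, JSON body bytes) for the OSS Index v3 component-report POST. Nothing is sent."""
    return OSSINDEX_COMPONENT_REPORT, json.dumps({"coordinates": list(coordinates)}).encode()


def query_ossindex(coordinates):
    """Live lookup over the network; not used by the offline checks."""
    url, body = build_component_report_request(coordinates)
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def applicable_findings(report, declared_version, advisory_ranges):
    """Vulnerability ids whose known range covers the version the project declares.
    A finding with no known range is kept, so it is reviewed rather than dropped."""
    return [v["id"] for v in report.get("vulnerabilities", [])
            if advisory_ranges.get(v["id"]) is None
            or version_in_range(declared_version, advisory_ranges[v["id"]])]


if __name__ == "__main__":
    declared = declared_packages(SAMPLE_CSPROJ)["log4net"]
    print("csproj declares log4net", declared, "->", purl("nuget", "log4net", declared))
    print("scanner reported", SAMPLE_REPORT["coordinates"])
    print("findings applicable to declared version:",
          applicable_findings(SAMPLE_REPORT, declared, ADVISORY_RANGES))
```

The manual check mirrors what the reporter did with the API: `purl()` gives the coordinate to submit, and `applicable_findings()` drops a finding whose range does not cover the declared version, so a scanner that resolved 2.0.9 instead of the csproj's version shows up as a mismatch between `declared_packages()` and the report's `coordinates` rather than as a false alert.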
sca_dotnet_test.zip

This is interesting.