dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

build(deps): targeted NuGetAuditSuppress for SQLitePCLRaw advisory GHSA-2m69-gcr7-jv3q (#292)

Browse Source 
The high-sev advisory is on transitive native SQLitePCLRaw.lib.e_sqlite3 2.1.11
(via Microsoft.Data.Sqlite/EFCore.Sqlite). Microsoft.Data.Sqlite.Core 10.0.9 (latest
10.0.x) still references SQLitePCLRaw.core 2.1.11, so a supported-line bump doesn't clear
it; the only patched lib is the SQLitePCLRaw 3.x line, which is an unsupported/risky forced
override under a Data.Sqlite built for 2.1.x. Suppress ONLY this advisory (auditing stays on
for everything else) so the full solution AND the docker in-container restore build cleanly
without the blanket /p:NuGetAudit=false. No version/code change; runtime byte-identical.
Revisit when MS ships a 10.0.x referencing a patched bundle.
This commit is contained in:
Joseph Doherty
2026-06-19 04:52:42 -04:00
parent f08a4d609f
commit ab40534986
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Directory.Packages.props
+23
View File
@@ -88,4 +88,27 @@
<PackageVersion Include="ZB.MOM.WW.Theme" Version="0.3.1" />
</ItemGroup>
<!--
Targeted NuGet audit suppression (NOT a blanket NuGetAudit=false).
GHSA-2m69-gcr7-jv3q (NU1903, high) is on the NATIVE library SQLitePCLRaw.lib.e_sqlite3
2.1.11, pulled in TRANSITIVELY by Microsoft.Data.Sqlite / EntityFrameworkCore.Sqlite.
The current MS-supported package line still references it: Microsoft.Data.Sqlite.Core
10.0.9 (latest 10.0.x as of 2026-06) declares `SQLitePCLRaw.core 2.1.11`, so a version
bump within the supported line does NOT clear it. The only patched native lib is the
SQLitePCLRaw 3.x line — force-overriding the whole SQLitePCLRaw family to 3.x under a
Microsoft.Data.Sqlite built and pinned for 2.1.x is unsupported and runtime-risky for the
entire site-local SQLite layer (S&F buffer, operation tracking, native-alarm state).
Risk assessment: SQLite here is internal, local-only storage on site nodes (+ tests); it is
not an externally-reachable SQL surface for untrusted input, so practical exposure is low.
Suppressing ONLY this advisory (auditing stays ON for everything else) lets the full
solution AND the docker in-container restore build cleanly without the blanket
`/p:NuGetAudit=false` workaround. REVISIT and remove this suppression once Microsoft.Data.Sqlite
ships a 10.0.x that references a patched (3.x) SQLitePCLRaw bundle.
-->
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
</ItemGroup>
</Project>