build: suppress NU1903 for CVE-2025-6965 (SQLitePCLRaw, no upstream fix)

Transitive native bundle SQLitePCLRaw.lib.e_sqlite3 (via Microsoft.Data.Sqlite ->
Core.AlarmHistorian) is flagged by GHSA-2m69-gcr7-jv3q with no patched package yet
published. Add the documented NuGetAuditSuppress so the solution restores/builds;
remove once a patched SQLitePCLRaw bundle ships. Incidental to the code-review pass.
Joseph Doherty
2026-06-20 22:43:15 -04:00
parent 53edcd638b
commit 3cc6a5f30d
@@ -15,4 +15,19 @@
<ImplicitUsings>enable</ImplicitUsings>
<LangVersion>latest</LangVersion>
</PropertyGroup>
<!--
NuGet audit suppression: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q affects the transitive native
bundle SQLitePCLRaw.lib.e_sqlite3 (advisory range <= 2.1.11), pulled in via
Microsoft.Data.Sqlite 9.0.0 -> SQLitePCLRaw.bundle_e_sqlite3 by Core.AlarmHistorian's
store-and-forward sink. As of 2026-06-20 the maintainer has NOT shipped a patched bundle
(SQLite fixed the underlying flaw upstream in 3.50.2 but no SQLitePCLRaw release embeds it
yet), so there is no package version to bump to. The flaw requires attacker-controlled
pathological aggregate SQL; the sink only issues internal parameterised statements, so the
exposure here is negligible. REMOVE this suppression once SQLitePCLRaw ships a patched native
bundle and bump Microsoft.Data.Sqlite to a release that references it.
-->
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
</ItemGroup>
</Project>
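Review bot: the "REMOVE this suppression once ..." instruction in the comment block has no tracking reference, so nothing will surface this suppression once a patched SQLitePCLRaw bundle ships; add an issue or work-item id next to the REMOVE marker (and ideally a dated re-check, e.g. "re-evaluate after 2026-07-20") so the accepted risk is revisited rather than left to whoever next reads the csproj. Two smaller points on the same hunk: NuGetAuditSuppress is evaluated per restored project, so if any other project in the solution also references Microsoft.Data.Sqlite (directly or via Core.AlarmHistorian) its restore will still fail with NU1903 unless this ItemGroup lives in a shared Directory.Build.props; and the "exposure here is negligible" reasoning rests on the sink only issuing internal parameterised statements, which is an assertion about current code paths rather than about the package, so it belongs in the commit message or linked issue where it can be re-checked, not only in a comment that will be deleted with the suppression.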