Merge pull request 'fix(deps): clear CVE-2025-6965 — pin SQLitePCLRaw bundle to 2.1.12, drop audit suppression' (#460) from fix/458-sqlitepclraw-cve-unsuppress into master
This commit was merged in pull request #460.
This commit is contained in:
@@ -111,10 +111,12 @@ dotnet test tests/Core/ZB.MOM.WW.OtOpcUa.Core.Tests # a single tes
|
||||
dotnet test --filter "FullyQualifiedName~MyTestClass.MyMethod" # a single test
|
||||
```
|
||||
|
||||
`Directory.Build.props` carries a temporary `NuGetAuditSuppress` for
|
||||
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (transitive native `SQLitePCLRaw.lib.e_sqlite3`,
|
||||
no upstream fix yet) — so restore/build not flagging it is expected; remove the
|
||||
suppression once a patched bundle ships.
|
||||
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (transitive native `SQLitePCLRaw.lib.e_sqlite3`)
|
||||
is **resolved** — the temporary `NuGetAuditSuppress` was removed once the patched bundle
|
||||
shipped. `Core.AlarmHistorian` now carries a surgical direct pin of
|
||||
`SQLitePCLRaw.bundle_e_sqlite3` to `2.1.12` (the first fixed native bundle, embedding the
|
||||
SQLite 3.50.2+ patch), overriding the `2.1.11` that `Microsoft.Data.Sqlite` pulls
|
||||
transitively. `dotnet restore`/`build` is clean with the audit active.
|
||||
|
||||
Test projects live under `tests/<module>/` (Core, Server, Drivers,
|
||||
Drivers/Cli, Client, Tooling) — there is no single unit-test project.
|
||||
|
||||
@@ -16,21 +16,6 @@
|
||||
<LangVersion>latest</LangVersion>
|
||||
</PropertyGroup>
|
||||
|
||||
<!--
|
||||
NuGet audit suppression: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q affects the transitive native
|
||||
bundle SQLitePCLRaw.lib.e_sqlite3 (advisory range <= 2.1.11), pulled in via
|
||||
Microsoft.Data.Sqlite 9.0.0 -> SQLitePCLRaw.bundle_e_sqlite3 by Core.AlarmHistorian's
|
||||
store-and-forward sink. As of 2026-06-20 the maintainer has NOT shipped a patched bundle
|
||||
(SQLite fixed the underlying flaw upstream in 3.50.2 but no SQLitePCLRaw release embeds it
|
||||
yet), so there is no package version to bump to. The flaw requires attacker-controlled
|
||||
pathological aggregate SQL; the sink only issues internal parameterised statements, so the
|
||||
exposure here is negligible. REMOVE this suppression once SQLitePCLRaw ships a patched native
|
||||
bundle and bump Microsoft.Data.Sqlite to a release that references it.
|
||||
-->
|
||||
<ItemGroup>
|
||||
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
|
||||
</ItemGroup>
|
||||
|
||||
<!--
|
||||
Wire the custom OTOPCUA0001 analyzer (UnwrappedCapabilityCallAnalyzer) into every project so
|
||||
the CapabilityInvoker-wrapping rule is enforced tree-wide, not just against the analyzer's own
|
||||
|
||||
@@ -51,7 +51,7 @@
|
||||
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Scripting" Version="4.12.0" />
|
||||
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="5.0.0" />
|
||||
<PackageVersion Include="Microsoft.Data.SqlClient" Version="6.1.1" />
|
||||
<PackageVersion Include="Microsoft.Data.Sqlite" Version="9.0.0" />
|
||||
<PackageVersion Include="Microsoft.Data.Sqlite" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.7" />
|
||||
<PackageVersion Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.7" />
|
||||
@@ -95,6 +95,14 @@
|
||||
<PackageVersion Include="Serilog.Sinks.Console" Version="6.0.0" />
|
||||
<PackageVersion Include="Serilog.Sinks.File" Version="7.0.0" />
|
||||
<PackageVersion Include="Shouldly" Version="4.3.0" />
|
||||
<!--
|
||||
Surgical transitive pin: Microsoft.Data.Sqlite pulls SQLitePCLRaw.bundle_e_sqlite3 2.1.11
|
||||
(native lib.e_sqlite3 2.1.11 — the top of the CVE-2025-6965 / GHSA-2m69-gcr7-jv3q vulnerable
|
||||
range, <= 2.1.11). 2.1.12 is the first fixed native bundle (embeds the SQLite 3.50.2+ patch).
|
||||
A direct PackageReference in Core.AlarmHistorian promotes this to the resolved version,
|
||||
clearing the advisory without CentralPackageTransitivePinningEnabled (which breaks the Roslyn split).
|
||||
-->
|
||||
<PackageVersion Include="SQLitePCLRaw.bundle_e_sqlite3" Version="2.1.12" />
|
||||
<PackageVersion Include="System.CommandLine" Version="2.0.5" />
|
||||
<PackageVersion Include="System.Data.SqlClient" Version="4.9.0" />
|
||||
<PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
|
||||
|
||||
+6
@@ -13,6 +13,12 @@
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Microsoft.Data.Sqlite"/>
|
||||
<!--
|
||||
Direct pin of the native SQLite bundle to 2.1.12 (first version outside the
|
||||
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q range) — overrides the 2.1.11 that
|
||||
Microsoft.Data.Sqlite pulls transitively. See Directory.Packages.props.
|
||||
-->
|
||||
<PackageReference Include="SQLitePCLRaw.bundle_e_sqlite3"/>
|
||||
<PackageReference Include="Serilog"/>
|
||||
</ItemGroup>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user