Merge pull request 'fix(deps): clear CVE-2025-6965 — pin SQLitePCLRaw bundle to 2.1.12, drop audit suppression' (#460) from fix/458-sqlitepclraw-cve-unsuppress into master
v2-ci / build (push) Successful in 4m28s
v2-ci / unit-tests (push) Failing after 10m45s

This commit was merged in pull request #460.
This commit is contained in:
2026-07-15 08:17:55 -04:00
4 changed files with 21 additions and 20 deletions
+6 -4
View File
@@ -111,10 +111,12 @@ dotnet test tests/Core/ZB.MOM.WW.OtOpcUa.Core.Tests # a single tes
dotnet test --filter "FullyQualifiedName~MyTestClass.MyMethod" # a single test
```
`Directory.Build.props` carries a temporary `NuGetAuditSuppress` for
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (transitive native `SQLitePCLRaw.lib.e_sqlite3`,
no upstream fix yet) — so restore/build not flagging it is expected; remove the
suppression once a patched bundle ships.
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q (transitive native `SQLitePCLRaw.lib.e_sqlite3`)
is **resolved** — the temporary `NuGetAuditSuppress` was removed once the patched bundle
shipped. `Core.AlarmHistorian` now carries a surgical direct pin of
`SQLitePCLRaw.bundle_e_sqlite3` to `2.1.12` (the first fixed native bundle, embedding the
SQLite 3.50.2+ patch), overriding the `2.1.11` that `Microsoft.Data.Sqlite` pulls
transitively. `dotnet restore`/`build` is clean with the audit active.
Test projects live under `tests/<module>/` (Core, Server, Drivers,
Drivers/Cli, Client, Tooling) — there is no single unit-test project.
-15
View File
@@ -16,21 +16,6 @@
<LangVersion>latest</LangVersion>
</PropertyGroup>
<!--
NuGet audit suppression: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q affects the transitive native
bundle SQLitePCLRaw.lib.e_sqlite3 (advisory range <= 2.1.11), pulled in via
Microsoft.Data.Sqlite 9.0.0 -> SQLitePCLRaw.bundle_e_sqlite3 by Core.AlarmHistorian's
store-and-forward sink. As of 2026-06-20 the maintainer has NOT shipped a patched bundle
(SQLite fixed the underlying flaw upstream in 3.50.2 but no SQLitePCLRaw release embeds it
yet), so there is no package version to bump to. The flaw requires attacker-controlled
pathological aggregate SQL; the sink only issues internal parameterised statements, so the
exposure here is negligible. REMOVE this suppression once SQLitePCLRaw ships a patched native
bundle and bump Microsoft.Data.Sqlite to a release that references it.
-->
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
</ItemGroup>
<!--
Wire the custom OTOPCUA0001 analyzer (UnwrappedCapabilityCallAnalyzer) into every project so
the CapabilityInvoker-wrapping rule is enforced tree-wide, not just against the analyzer's own
+9 -1
View File
@@ -51,7 +51,7 @@
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Scripting" Version="4.12.0" />
<PackageVersion Include="Microsoft.CodeAnalysis.CSharp.Workspaces" Version="5.0.0" />
<PackageVersion Include="Microsoft.Data.SqlClient" Version="6.1.1" />
<PackageVersion Include="Microsoft.Data.Sqlite" Version="9.0.0" />
<PackageVersion Include="Microsoft.Data.Sqlite" Version="10.0.7" />
<PackageVersion Include="Microsoft.EntityFrameworkCore" Version="10.0.7" />
<PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.7" />
<PackageVersion Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.7" />
@@ -95,6 +95,14 @@
<PackageVersion Include="Serilog.Sinks.Console" Version="6.0.0" />
<PackageVersion Include="Serilog.Sinks.File" Version="7.0.0" />
<PackageVersion Include="Shouldly" Version="4.3.0" />
<!--
Surgical transitive pin: Microsoft.Data.Sqlite pulls SQLitePCLRaw.bundle_e_sqlite3 2.1.11
(native lib.e_sqlite3 2.1.11 — the top of the CVE-2025-6965 / GHSA-2m69-gcr7-jv3q vulnerable
range, <= 2.1.11). 2.1.12 is the first fixed native bundle (embeds the SQLite 3.50.2+ patch).
A direct PackageReference in Core.AlarmHistorian promotes this to the resolved version,
clearing the advisory without CentralPackageTransitivePinningEnabled (which breaks the Roslyn split).
-->
<PackageVersion Include="SQLitePCLRaw.bundle_e_sqlite3" Version="2.1.12" />
<PackageVersion Include="System.CommandLine" Version="2.0.5" />
<PackageVersion Include="System.Data.SqlClient" Version="4.9.0" />
<PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
@@ -13,6 +13,12 @@
<ItemGroup>
<PackageReference Include="Microsoft.Data.Sqlite"/>
<!--
Direct pin of the native SQLite bundle to 2.1.12 (first version outside the
CVE-2025-6965 / GHSA-2m69-gcr7-jv3q range) — overrides the 2.1.11 that
Microsoft.Data.Sqlite pulls transitively. See Directory.Packages.props.
-->
<PackageReference Include="SQLitePCLRaw.bundle_e_sqlite3"/>
<PackageReference Include="Serilog"/>
</ItemGroup>