fix(deps): clear CVE-2025-6965 — pin SQLitePCLRaw bundle to 2.1.12, drop audit suppression
The patched native SQLite bundle shipped: SQLitePCLRaw.bundle_e_sqlite3 2.1.12 is the first version outside the CVE-2025-6965 / GHSA-2m69-gcr7-jv3q vulnerable range (<= 2.1.11), embedding the SQLite 3.50.2+ fix. - Bump Microsoft.Data.Sqlite 9.0.0 -> 10.0.7 (aligns with the EF Core 10.0.7 family). This alone still pulls the native bundle 2.1.11, so: - Add a surgical direct pin of SQLitePCLRaw.bundle_e_sqlite3 2.1.12 in Core.AlarmHistorian (the sole consumer), overriding the transitive 2.1.11 without enabling CentralPackageTransitivePinningEnabled (which breaks the Roslyn 5.0/4.12 split). - Remove the temporary NuGetAuditSuppress from Directory.Build.props. Verified: dotnet restore/build clean with audit active (no GHSA-2m69), every in-solution project resolves lib.e_sqlite3 2.1.12, AlarmHistorian tests 29/29 green against the real native bundle. Closes #458
This commit is contained in:
@@ -16,21 +16,6 @@
|
||||
<LangVersion>latest</LangVersion>
|
||||
</PropertyGroup>
|
||||
|
||||
<!--
|
||||
NuGet audit suppression: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q affects the transitive native
|
||||
bundle SQLitePCLRaw.lib.e_sqlite3 (advisory range <= 2.1.11), pulled in via
|
||||
Microsoft.Data.Sqlite 9.0.0 -> SQLitePCLRaw.bundle_e_sqlite3 by Core.AlarmHistorian's
|
||||
store-and-forward sink. As of 2026-06-20 the maintainer has NOT shipped a patched bundle
|
||||
(SQLite fixed the underlying flaw upstream in 3.50.2 but no SQLitePCLRaw release embeds it
|
||||
yet), so there is no package version to bump to. The flaw requires attacker-controlled
|
||||
pathological aggregate SQL; the sink only issues internal parameterised statements, so the
|
||||
exposure here is negligible. REMOVE this suppression once SQLitePCLRaw ships a patched native
|
||||
bundle and bump Microsoft.Data.Sqlite to a release that references it.
|
||||
-->
|
||||
<ItemGroup>
|
||||
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
|
||||
</ItemGroup>
|
||||
|
||||
<!--
|
||||
Wire the custom OTOPCUA0001 analyzer (UnwrappedCapabilityCallAnalyzer) into every project so
|
||||
the CapabilityInvoker-wrapping rule is enforced tree-wide, not just against the analyzer's own
|
||||
|
||||
Reference in New Issue
Block a user