dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
3cc6a5f30dc3a5761f66594e779f8bfc34a97db6
lmxopcua/Directory.Build.props
T
Joseph Doherty 3cc6a5f30d build: suppress NU1903 for CVE-2025-6965 (SQLitePCLRaw, no upstream fix) 
Transitive native bundle SQLitePCLRaw.lib.e_sqlite3 (via Microsoft.Data.Sqlite ->
Core.AlarmHistorian) is flagged by GHSA-2m69-gcr7-jv3q with no patched package yet
published. Add the documented NuGetAuditSuppress so the solution restores/builds;
remove once a patched SQLitePCLRaw bundle ships. Incidental to the code-review pass.
2026-06-20 22:43:15 -04:00

34 lines
1.7 KiB
XML
Raw Blame History

<Project>
<!--
Defaults inherited by every csproj. Individual projects may override.
Deviation from the original v2 plan: TreatWarningsAsErrors is NOT set globally because the
pre-v2 test projects (e.g. Admin.Tests) carry 240+ xUnit1051 analyzer warnings that would
fail the build. New v2 projects (Commons, Cluster, ControlPlane, Runtime, OpcUaServer, AdminUI,
Host, Security) MUST opt in to <TreatWarningsAsErrors>true</TreatWarningsAsErrors> in their
own csproj. Once the legacy Admin/Server projects are deleted (Phase 10, Task 56), this can
be promoted back to a global default.
-->
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
<Nullable>enable</Nullable>
<ImplicitUsings>enable</ImplicitUsings>
<LangVersion>latest</LangVersion>
</PropertyGroup>
<!--
NuGet audit suppression: CVE-2025-6965 / GHSA-2m69-gcr7-jv3q affects the transitive native
bundle SQLitePCLRaw.lib.e_sqlite3 (advisory range <= 2.1.11), pulled in via
Microsoft.Data.Sqlite 9.0.0 -> SQLitePCLRaw.bundle_e_sqlite3 by Core.AlarmHistorian's
store-and-forward sink. As of 2026-06-20 the maintainer has NOT shipped a patched bundle
(SQLite fixed the underlying flaw upstream in 3.50.2 but no SQLitePCLRaw release embeds it
yet), so there is no package version to bump to. The flaw requires attacker-controlled
pathological aggregate SQL; the sink only issues internal parameterised statements, so the
exposure here is negligible. REMOVE this suppression once SQLitePCLRaw ships a patched native
bundle and bump Microsoft.Data.Sqlite to a release that references it.
-->
<ItemGroup>
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-2m69-gcr7-jv3q" />
</ItemGroup>
</Project>
Reference in New Issue View Git Blame Copy Permalink