


NCrunch.Framework transitive dependency vulnerability
#1 Posted : Thursday, September 14, 2023 2:05:11 PM(UTC)
Rank: Advanced Member

NCrunch.Framework v apparently has a vulnerability in System.Net.Http 4.3.0 via the transitive dependency?

#2 Posted : Thursday, September 14, 2023 11:22:24 PM(UTC)
Rank: NCrunch Developer

I would argue that this is probably a false positive. NCrunch.Framework only has one package reference, which is to System.Collections.NonGeneric.

I expect this is probably being raised because NCrunch.Framework is compiled to target netstandard 1.5, which is done for compatibility with older versions of .NET Core. Running later versions of .NET/.NETCore will automatically roll forward on system packages. This means the only way you'd get a dependency on System.Net.Http 4.3.0 is if you were running on an early version of netcore and referencing the offending package yourself.

Considering the above, I don't think this is a sensible error/warning. Especially considering that NCrunch.Framework contains no network code at all and is basically just a set of attributes.
1 user thanked Remco for this useful post.
GreenMoose on 9/15/2023(UTC)
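
One way to check whether a flagged transitive package is actually resolved for a given target framework is to walk the restore graph in `obj/project.assets.json`. The script below is an added example, not part of the thread and not NCrunch code; the embedded graph is constructed, and `Example.Attributes` and `Example.Meta` are hypothetical package names, not NCrunch.Framework's real dependencies.

```python
import json
from collections import deque

# Constructed sample in the shape of NuGet's obj/project.assets.json.
# Example.Attributes and Example.Meta are hypothetical placeholder packages.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "netcoreapp1.1": {
      "Example.Attributes/1.0.0": {"type": "package", "dependencies": {"Example.Meta": "1.6.1"}},
      "Example.Meta/1.6.1": {"type": "package", "dependencies": {"System.Net.Http": "4.3.0"}},
      "System.Net.Http/4.3.0": {"type": "package"}
    },
    "net6.0": {
      "Example.Attributes/1.0.0": {"type": "package"}
    }
  },
  "projectFileDependencyGroups": {
    "netcoreapp1.1": ["Example.Attributes >= 1.0.0"],
    "net6.0": ["Example.Attributes >= 1.0.0"]
  }
}
""")

def find_paths(assets, package, version):
    """Per target framework: shortest dependency chain to package/version, or None."""
    wanted = f"{package}/{version}".lower()
    groups = assets.get("projectFileDependencyGroups", {})
    results = {}
    for target, libs in assets["targets"].items():
        tfm = target.split("/")[0]  # RID-specific targets look like "net6.0/win-x64"
        resolved = {key.split("/")[0].lower(): key for key in libs}
        direct = [entry.split()[0].lower() for entry in groups.get(tfm, [])]
        queue = deque([name] for name in direct if name in resolved)
        seen = set(direct)
        results[target] = None
        while queue:  # breadth-first, so the first hit is the shortest chain
            chain = queue.popleft()
            key = resolved[chain[-1]]
            if key.lower() == wanted:
                results[target] = [resolved[name] for name in chain]
                break
            for dep in libs[key].get("dependencies", {}):
                dep = dep.lower()
                if dep in resolved and dep not in seen:
                    seen.add(dep)
                    queue.append(chain + [dep])
    return results

if __name__ == "__main__":
    for target, chain in find_paths(SAMPLE_ASSETS, "System.Net.Http", "4.3.0").items():
        print(target, "->", " > ".join(chain) if chain else "not in resolved graph")
```

For a real project, load `obj/project.assets.json` after a restore in place of `SAMPLE_ASSETS`; a `None` result for the framework you actually ship means the flagged version is not part of that build's resolved graph.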