Describe the bug
When installing the dotnet-reportgenerator-globaltool it uses System.Text.Encodings.Web.dll for .NET Core 3.1.
However, the version supplied is 5.0.20.51904 (NuGet package version 5.0.0).
This results in vulnerability scanners like Nexus reporting that a CVE-2021-26701 vulnerability was found.
If possible, the package version 5.0.1 should be used for .NET Core 3.1.
To Reproduce
Run any vulnerability scanner on the location of the tool.
For Windows this is: %USERPROFILE%\.dotnet\tools\.store\dotnet-reportgenerator-globaltool
For Linux this is: $HOME/.dotnet/tools
**Why is this an issue:**
The policy in the company is that all used code and tools should be free of vulnerabilities or excluded for proven good reasons.
However, if it can be resolved through own measures, or at the source, a request or action should be undertaken and should be reviewed every few weeks.
**Workaround**
We can temporarily exclude it in our list or override the library after installing, the latter requiring more rights.
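An added example, not from the issue or the ReportGenerator project: one way to confirm which System.Text.Encodings.Web package version an installed tool carries is to read the `*.deps.json` files under the tool location named above. It assumes the tool ships a deps.json that lists its packages as `Name/Version` keys under `libraries`; the sample file name and directory layout are constructed, and only the 5.0.x line discussed in the issue is checked.

```python
import json
import tempfile
from pathlib import Path

PACKAGE = "System.Text.Encodings.Web"
REQUESTED = (5, 0, 1)  # package version the issue asks for
# Constructed sample shaped like a .NET *.deps.json; not taken from the real tool.
SAMPLE_DEPS = {"libraries": {
    "System.Text.Encodings.Web/5.0.0": {"type": "package"},
    "System.Text.Json/5.0.1": {"type": "package"},
}}

def parse_version(text):
    """'5.0.0' or '5.0.0-rc.1' -> (5, 0, 0); None when a part is not numeric."""
    core = text.split("-")[0].split("+")[0]
    try:
        return tuple(int(part) for part in core.split("."))
    except ValueError:
        return None

def package_versions(deps, package=PACKAGE):
    """Versions of `package` found as 'Name/Version' keys under 'libraries'."""
    pairs = (key.partition("/") for key in (deps.get("libraries") or {}))
    return [ver for name, _, ver in pairs if name.lower() == package.lower() and ver]

def find_outdated(root):
    """(deps.json path, version) pairs on the 5.0.x line that are below 5.0.1."""
    findings = []
    for path in sorted(Path(root).rglob("*.deps.json")):
        try:
            deps = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it, keep sweeping
        if not isinstance(deps, dict):
            continue  # valid JSON but not a deps.json object
        for version in package_versions(deps):
            parsed = parse_version(version)
            if parsed and parsed[:2] == REQUESTED[:2] and parsed < REQUESTED:
                findings.append((str(path), version))
    return findings

def demo():
    """Write the constructed sample to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        tool_dir = Path(tmp) / "tools" / "netcoreapp3.1" / "any"
        tool_dir.mkdir(parents=True)
        (tool_dir / "ReportGenerator.deps.json").write_text(json.dumps(SAMPLE_DEPS))
        return [(Path(p).name, v) for p, v in find_outdated(tmp)]

if __name__ == "__main__":
    print(demo())
```

Pointing `find_outdated` at the Windows or Linux tool location from the reproduction steps returns an empty list once no deps.json references a 5.0.x version below 5.0.1.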
Duranom changed the title from "dotnet-reportgenerator-globaltool has old System.Textd.Encodings.Web 5.0.20" to "dotnet-reportgenerator-globaltool uses old System.Textd.Encodings.Web 5.0.20 and reports CVE-2021-26701" on Mar 21, 2022
Duranom changed the title from "dotnet-reportgenerator-globaltool uses old System.Textd.Encodings.Web 5.0.20 and reports CVE-2021-26701" to "dotnet-reportgenerator-globaltool uses old System.Text.Encodings.Web 5.0.20 and reports CVE-2021-26701" on Mar 21, 2022
@danielpalme is it perhaps possible to have the generator support opencover format xml files (which is generated by msbuild) and also generate the html when testing is complete automatically as well?
I basically want to be able to see the coverage in html where fully covered is green, uncovered is red, and half covered (branch) is yellow, but to have it generated by dotnet test and not be forced to invoke the tool itself.
(Old issue: #436 )