Dependency Vulnerability on System.Text.RegularExpressions

[ronnymgm]

Hi,
Our DevOps Pipeline Microsoft Security Analyzers are reporting the following error:

##[error]56. Trivy Error CVE-2019-0820 - File: Applications/PayCloud/packages/HtmlAgilityPack.1.11.30/lib/netstandard1.6/HtmlAgilityPack.deps.json. Line: 1351. Column 1.
Signature: f7a747416c1a437643202596599ee4e3d5817372412520e512a6675d2038c42a
Tool: Trivy: Rule: CVE-2019-0820 (LanguageSpecificPackageVulnerability). https://avd.aquasec.com/nvd/cve-2019-0820
Package: System.Text.RegularExpressions
Installed Version: 4.3.0
Vulnerability CVE-2019-0820
Severity: HIGH
Fixed Version: 4.3.1
Link: [CVE-2019-0820](https://avd.aquasec.com/nvd/cve-2019-0820)

Per our understanding, the error refers to HtmlAgilityPack internally dependent on a vulnerable System.Text.RegularExpressions version.
And it needs to be upgraded to the latest version 4.3.1 where the vulnerability is fixed.

[JonathanMagnan]

Hello @ronnymgm ,

Thank you for reporting, we will look at it soon.

Best Regards,

Jon

[JonathanMagnan]

Hello @ronnymgm ,

We are currently looking at this issue.

Are you still using .NET Standard 1.6 (or a .NET Core that use it)? We do not have a direct dependency to System.Text.RegularExpressions but the NETStandard.Library (V1.6.1) has one.

Is your Microsoft Security Analyzers looking for all versions of HAP, even those that you currently don't have a dependency as you might use the .NET Standard 2.0 and not .NET Standard 1.6?

Let me know more about it.

Best Regards,

Jon

[SimonCropp]

u have a transitive ref on System.Text.RegularExpressions 4.3.0 via your ref to NETStandard.Library https://www.nuget.org/packages/NETStandard.Library/#dependencies-body-tab

and we are getting the same error when we target net9

[JonathanMagnan]

Hello @SimonCropp ,

Thank you for the additional information.

The question is more if you use .NET Standard 1.6 or not?

The solution we currently think to do is releasing a new version of HAP 2.0.0, which only contains support for .NET5+

We will still do once a year or when asked to release all previous versions under the v1.x.y, so people will be able to support their legacy framework as well.

Let me know what you think of this solution

Best Regards,

Jon

[SimonCropp]

The question is more if you use .NET Standard 1.6 or not?

we target net9. so we do not use .NET Standard 1.6

The solution we currently think to do is releasing a new version of HAP 2.0.0, which only contains support for .NET5+

that wont fix the CVE error. you need to either explicit target the newer System.Text.RegularExpressions, or remove the .NET Standard 1.6 TFM from the nuget

[JonathanMagnan]

Hello @SimonCropp ,

The v1.12.0 has been released today

In this version, we removed the support to .NET Standard 1.3 and .NET Standard 1.6 to fix this issue.

Those version are pretty much legacy so we will evaluate if people are requesting them back

Best Regards,

Jon

[SimonCropp]

thanks Jon