In Visual Studio 2022, in an API project created using the .NET Core 6.0.6 runtime, we are using the Microsoft.EntityFrameworkCore.SqlServer 6.0.3 NuGet package. But we recently found that there is a security vulnerability in the System.Drawing.Common 4.7.0 package.

We use TFS CI Build Pipeline to build and release our software.

Please let us know how to overcome this security risk (we are using a Blackduck compliance scan) and apply the patch / the changes to be made in the TFS CI build pipeline script and deploy the software, while still using the .NET Core 6.0.6 runtime, as we do not want to upgrade the .NET Core version to 7.0.

P.S.: We are aware that the System.Drawing.Common vulnerability is fixed in versions 4.7.2 and 4.7.3, and also in versions >= 5.0.3.

But still the security risk is reported by the Blackduck compliance scan.

What we have tried:

We have manually added the System.Drawing.Common package, version 4.7.3, to the project and noticed that the package Microsoft.EntityFrameworkCore.SqlServer 6.0.3 is now internally referring to System.Drawing.Common version 4.7.3.

But still the security risk is reported by the Blackduck compliance scan.

Referenced links:

https://www.nuget.org/packages/System.Drawing.Common/4.7.0#versions-body-tab
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24112

Çağdaş Can Birant

I had the same issue. Just add the latest System.Drawing.Common package to your project which uses Microsoft.EntityFrameworkCore.SqlServer.
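A way to confirm which version NuGet actually resolved after adding the direct reference, added here as an example and not code from the question or the answer. It reads the project's restore output (obj/project.assets.json, a path that is assumed here) and reports whether the resolved System.Drawing.Common is one of the fixed versions the question lists; the embedded sample document is constructed:

```python
import json

PACKAGE = "System.Drawing.Common"
# Fixed versions as stated in the question: 4.7.2, 4.7.3 and everything >= 5.0.3.
FIXED_EXACT = {(4, 7, 2), (4, 7, 3)}
FIXED_FROM = (5, 0, 3)

def parse_version(text):
    """'4.7.3' -> (4, 7, 3); a pre-release tag such as '-preview.1' is dropped."""
    parts = tuple(int(p) for p in text.split("-", 1)[0].split("."))
    return (parts + (0, 0, 0))[:3]

def is_fixed(version):
    v = parse_version(version)
    return v in FIXED_EXACT or v >= FIXED_FROM

def resolved_versions(assets):
    """Map each target framework in a project.assets.json document to the version
    of System.Drawing.Common that NuGet actually resolved there. Keys under
    'targets' are 'Name/Version'; dependency ranges declared by other packages
    (such as EF Core's '4.7.0') are ignored, only the resolved entry counts."""
    found = {}
    for tfm, packages in assets.get("targets", {}).items():
        for key, entry in packages.items():
            name, _, version = key.partition("/")
            if entry.get("type") == "package" and name.lower() == PACKAGE.lower():
                found[tfm] = version
    return found

def check_assets(assets):
    """Return [(tfm, resolved_version, is_fixed)] sorted by target framework."""
    return [(t, v, is_fixed(v)) for t, v in sorted(resolved_versions(assets).items())]

def check_file(path="obj/project.assets.json"):
    """Run the check against the restore output of a project (path is an assumption)."""
    with open(path, encoding="utf-8") as f:
        return check_assets(json.load(f))

# Constructed sample in the shape NuGet writes; the dependency chain is simplified
# and is not the real EF Core 6.0.3 graph. After the direct PackageReference is
# added, 4.7.3 is the resolved entry even though EF Core still declares 4.7.0.
SAMPLE_AFTER_OVERRIDE = {"version": 3, "targets": {"net6.0": {
    "Microsoft.EntityFrameworkCore.SqlServer/6.0.3": {
        "type": "package", "dependencies": {"System.Drawing.Common": "4.7.0"}},
    "System.Drawing.Common/4.7.3": {"type": "package"}}}}

if __name__ == "__main__":
    for tfm, version, ok in check_assets(SAMPLE_AFTER_OVERRIDE):
        print(f"{tfm}: {PACKAGE} {version} -> {'fixed' if ok else 'VULNERABLE'}")
```

Running it on the real restore output of the build agent shows whether the override took effect before the scanner is consulted; a scanner that still flags 4.7.0 may be reading a different artifact than the resolved graph.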