Dependencies are reported to contain high vulnerabilities #3672

WenningQiu opened this issue May 15, 2025 · 6 comments

Comments

@WenningQiu

NHibernate (5.5.2) brings on dependencies that are reported to contain high vulnerabilities:

[screenshots]

Can we have a new release that moves away from those vulnerable dependencies? According to this Microsoft blog (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/), all that is needed is to release a new version that targets netstandard2.0.

Thanks.

@fredericDelaporte
Member

What do you mean? NHibernate already targets netstandard2.0, and not any lower version.

@WenningQiu
Author

@fredericDelaporte Sorry, my request should be sent to Antlr3.Runtime and Iesi.Collections which are used by NHibernate.

@WenningQiu
Author

WenningQiu commented May 19, 2025

It appears that Antlr3 was replaced by Antlr4 a long time ago, and even Antlr4 does not appear to be actively maintained - no one responds to a similar request (tunnelvisionlabs/antlr4cs#382) there. In fact, tunnelvisionlabs/antlr4cs#381 recommended that end users migrate to Antlr4.Runtime.Standard.

Will NHibernate review those dead dependencies?

@fredericDelaporte
Member

fredericDelaporte commented May 19, 2025

Migrating from v3 to v4 seems to be no trivial task, and that would be a prerequisite for migrating to maintained Antlr versions. It would need a contributor available to do this and sufficiently knowledgeable about Antlr. I do not think we currently have one.

Anyway, do these vulnerable dependencies really end up in an actual NHibernate deployment? If yes, we may add a forced dependency on patched versions of the vulnerable dependencies. But affected applications could do so themselves.

@WenningQiu
Author

I believe the vulnerable dependencies are included in application deployment, but I am not sure if they actually get used at runtime; however, they show up on security scanning reports and pressure is put on our dev teams.

A forced dependency is one of the solutions mentioned in the MS blog I sent, although not an ideal one. But if we go with a forced dependency as a temporary mitigation, it might be better done close to the source of the vulnerabilities than in applications.

@cremor
Contributor

cremor commented May 26, 2025

The latest version of Iesi.Collections already defines target frameworks which fix the dependency issue. NHibernate should update its dependency to Iesi.Collections, but until then you can reference the latest version of Iesi.Collections directly.

For Antlr3.Runtime you can reference the latest version of NETStandard.Library to remove the unneeded dependencies.
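As an added illustration of the workaround described in this comment (example config, not from the thread or the NHibernate project), a minimal application .csproj that references the two transitive packages directly so NuGet resolves the patched versions, and turns on transitive auditing so the report keeps checking them. The target framework and the version strings are placeholders; take the actual latest versions from nuget.org.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Placeholder target framework; use the application's real one. -->
    <TargetFramework>net8.0</TargetFramework>
    <!-- Audit direct AND transitive packages (NuGetAudit 2.0), so the
         Antlr3.Runtime / Iesi.Collections chain is still reported even
         though the application never references it directly. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity to report; raise to "high" if that is the team's bar. -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="NHibernate" Version="5.5.2" />

    <!-- A direct PackageReference takes precedence over the version a
         transitive dependency asks for, so these two lines lift the
         patched packages into the resolved graph.  Versions are
         PLACEHOLDERS, not real release numbers. -->
    <PackageReference Include="Iesi.Collections" Version="LATEST_VERSION_PLACEHOLDER" />
    <PackageReference Include="NETStandard.Library" Version="LATEST_VERSION_PLACEHOLDER" />
  </ItemGroup>

  <!-- After restore, confirm the warnings are gone with:
       dotnet list package (dash)(dash)vulnerable (dash)(dash)include-transitive -->

</Project>
```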
