Microsoft Security Advisory CVE 2022-30184 involves a vulnerability related to NuGet functionality, including the NuGet.CommandLine NuGet package. The vulnerability concerns credentials being leaked when publishing NuGet packages, i.e. it is logically tied to nuget push. See this issue for more information.
The SonarQube.Roslyn.SDK is not directly affected by the vulnerability, since it only pulls packages. It never pushes.
However, third-party tooling may still flag this as a vulnerability, which generates unnecessary noise and support effort.
Upgrading the package to a patched version should be straightforward, i.e. no breaking changes or changes of functionality are anticipated.
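The practical follow-up to an issue like this is verifying which NuGet.CommandLine version a project actually references, so the dependency-scanner finding can be closed with evidence rather than argued away. The script below is an added example (not code from the SonarQube.Roslyn.SDK project) that reads either a SDK-style .csproj or a packages.config, finds the NuGet.CommandLine reference (NuGet package ids are case-insensitive), and compares its version against a threshold the caller supplies. The threshold and the version numbers in the sample files are constructed placeholders; the real patched version must be taken from the Microsoft advisory.

```python
"""Report whether a .NET project references NuGet.CommandLine below a given
patched version. Added example, not part of the SonarQube.Roslyn.SDK."""
import xml.etree.ElementTree as ET

PACKAGE_ID = "NuGet.CommandLine"


def parse_version(text):
    """Parse 'major.minor.patch[.rev][-prerelease]' into a comparable tuple.

    A prerelease (e.g. '2.0.0-beta') sorts below the matching release, as in
    NuGet/semver. Returns None for ranges or wildcards ('[1.0,2.0)', '1.*')
    so the caller can flag them instead of silently mis-ordering them.
    """
    core, _, prerelease = text.strip().partition("-")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        return None
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return tuple(nums) + (0 if prerelease else 1,)


def _local(tag):
    """Strip an XML namespace prefix ('{ns}PackageReference' -> 'PackageReference')."""
    return tag.rsplit("}", 1)[-1]


def find_package_references(project_xml):
    """Return {package_id_lowercase: version_string} for both file styles."""
    if isinstance(project_xml, str):
        project_xml = project_xml.encode("utf-8")
    root = ET.fromstring(project_xml)
    refs = {}
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "PackageReference":            # SDK-style .csproj
            pkg = elem.get("Include")
            ver = elem.get("Version")
            if ver is None:                      # <Version> may be a child element
                child = elem.find("Version")
                ver = child.text if child is not None and child.text else None
        elif tag == "package":                   # legacy packages.config
            pkg, ver = elem.get("id"), elem.get("version")
        else:
            continue
        if pkg:
            refs[pkg.lower()] = ver
    return refs


def check_project(project_xml, min_patched_version):
    """Return (status, referenced_version).

    status is 'absent' (package not referenced), 'unparsed' (range/wildcard
    version), 'vulnerable' (below threshold) or 'patched' (at or above it).
    """
    refs = find_package_references(project_xml)
    ver = refs.get(PACKAGE_ID.lower())
    if ver is None:
        return ("absent", None)
    parsed = parse_version(ver)
    threshold = parse_version(min_patched_version)
    if parsed is None or threshold is None:
        return ("unparsed", ver)
    return ("patched" if parsed >= threshold else "vulnerable", ver)


# Constructed sample inputs; the version numbers are illustrative only.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="NuGet.CommandLine" Version="1.2.3" />
    <PackageReference Include="Example.Other" Version="4.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="nuget.commandline" version="2.0.0-beta" targetFramework="net472" />
</packages>"""

if __name__ == "__main__":
    # PLACEHOLDER threshold: substitute the patched version from the advisory.
    for name, xml in (("csproj", SAMPLE_CSPROJ), ("packages.config", SAMPLE_PACKAGES_CONFIG)):
        print(name, check_project(xml, "2.0.0"))
```

Run it against a real project file by reading the file into a string and passing the advisory's patched version as the threshold; a result of 'unparsed' means a version range or floating version is in use and should be pinned before the finding can be closed.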
duncanp-sonar changed the title from "Stop using vulnerable NuGet.CommandLine packge" to "Stop using vulnerable NuGet.CommandLine package (CVE 2022-30184)" on Oct 17, 2022