Stop using vulnerable NuGet.CommandLine package (CVE 2022-30184) #178
Labels
Milestone
Comments
duncanp-sonar
added a commit
that referenced
this issue
Jun 16, 2022
duncanp-sonar
added a commit
that referenced
this issue
Jun 16, 2022
duncanp-sonar
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Microsoft Security Advisory CVE 2022-30184 involves a vulnerability related to NuGet functionality, including the
NuGet.CommandLineNuGet package. The vulnerability relates to credentials being leaked when publishing NuGet packages i.e. it's logically related tonuget push. See this issue for more information.The SonarQube.Roslyn.SDK is not directly affected by the vulnerability since it only pulls packages. It never pushes.
However, third-party tooling may still flag this as a vulnerability, which generates unnecessary noise and support effort.
Upgrading the package to a patched version should be straightforward i.e. no anticipated breaking changes or changes of functionality.
The text was updated successfully, but these errors were encountered: