BlackDuck scan reports vulnerabilities in PCRE2 which is referenced by Microsoft.Azure.Cosmos.ServiceInterop #4685
Assignees
Labels
Comments
microsoft-github-policy-service
bot
added
the
customer-reported
|
@adityasa can you please take alook? |
|
Hey @neildsh, can you help look into this issue? |
|
Hello. Is there any update on this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
BlackDuck scan reports vulnerabilities in the PCRE2 component. This component is reference by Microsoft.Azure.Cosmos.ServiceInterop.dll
The version of Microsoft.Azure.Cosmos.ServiceInterop.dll is 2.14
We are using Microsoft.Azure.Cosmos v3.43.0 NuGet Package.
Below are the Black Duck issues reported:
According to discussion in this issue, the first two vulnerabilities don't apply as PCRE is not used with JIT enabled.
The version of PCRE2 being used is still 10.34. I have gotten this information from ThirdPartyNotice.txt on the Microsoft.Azure.Cosmos.Direct package as mentioned in above issue. Black Duck suggests that 10.44 doesn't have any vulnerabilities.
Can we get an update on the 3rd issue if the version of PCRE2 can't be upgraded?
The text was updated successfully, but these errors were encountered: