Issue with Microsoft.Data.SqlClient.dll looking for Azure.Identity.dll version 1.7.0 but project has a dependency on version 1.10.3

[kailashrdave]

There is a vulnerability report for Azure.Identity since October 2023
Azure.Identity project has fixed the vulnerability and provided an update with version 1.10.3.

https://nvd.nist.gov/vuln/detail/CVE-2023-36415

Our project uses Microsoft.Data.SqlClient package.
After upgrading to package 5.1.2, it still uses Azure.Identity 1.7.0 which appears in to OWASP vulnerability report.

Could you please look into it.

[ErikEJ]

@kailashrdave Just add an explicit reference and wait for 5.2 or 5.1.3

[kailashrdave]

@ErikEJ Thank you for your reply.

I tried to add Azure.Identity explicitly, but OWASP still complains about older version as it is mentioned in package-lock file.
the nuget restore command always download both packages (1.7.0 and 1.10.3)
Any suggestions?

[ErikEJ]

Fix your security scannner to only consider what is actually deployed.

[roji]

@David-Engel @ErikEJ given the number of issues reporting this, I'd advise having a single issue/announcement explaining the situation and linking to it.

[JRahnama]

Duplicate of #2195.

Closing as duplicate.