Hello, with the latest release of .NET 9 SDK there was a change to how NuGet packages get searched for vulnerabilities:
- NuGetAudit should check transitive packages by default when the .NET 9 SDK is installed #13293
That means that at build time the packages used by GemBox are also searched for vulnerabilities, and we get the following error:
NU1902 : Package 'BouncyCastle' 1.8.9 has a known moderate severity vulnerability, Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. CVE-2024-29857 (GitHub Advisory Database)
As you can see, BouncyCastle is only used by GemBox.
Currently we are using this version of GemBox:
<PackageVersion Include="GemBox.Spreadsheet" Version="47.0.1398" />
The problem is that BouncyCastle is no longer maintained and there is no fix for that vulnerability. So we cannot just reference a different version to override the implicit version used by GemBox.
The only fix they recommend is to switch to BouncyCastle.Cryptography.
The first version of GemBox.Spreadsheet that uses BouncyCastle.Cryptography for a .NET Framework 4.8 project is 49.0.1509.
Our license is bound to the version we have installed and we don't need to upgrade now. So could you please provide a hotfix, because we have replaced all our transitive vulnerabilities except this one.
Thanks!
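For anyone hitting the same NU1902 build break while waiting on a fixed package, the following is an added MSBuild example (not part of the original post and not GemBox's own guidance) showing the NuGet audit settings involved. The advisory URL in the suppression item is a placeholder; the real one is the URL printed in the NU1902 message, and the `PackageVersion` line is the version quoted in the post.

```xml
<!-- Directory.Build.props (or the project file). Added example, not from the post. -->
<Project>
  <PropertyGroup>
    <!-- Default since the .NET 9 SDK: audit direct AND transitive packages.
         Setting this to "direct" restores the old behaviour, but then
         transitive vulnerabilities (like the one in the post) are no longer
         reported at all, so it is the weaker choice. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Report advisories at this severity or higher (low, moderate, high, critical). -->
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Keep the audit warnings fatal in CI; suppress individual accepted findings
         below instead of turning the whole audit off. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Suppress exactly one advisory after a risk review. The Include value must be
         the advisory URL from the NU1902 output; this one is a PLACEHOLDER. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

With this in place `dotnet restore` still evaluates transitive dependencies and only the one reviewed advisory stops failing the build, so a new vulnerability in any other package will surface as before. Record why the finding is accepted (here: the only dependent is GemBox.Spreadsheet 47.0.1398 and the CPU-exhaustion issue is in certificate parsing) next to the suppression, and remove it once the vendor ships a build on BouncyCastle.Cryptography.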