3.7.X-alpha builds flagged by Nexus IQ #1073

@andreandersen

Description

Hello,

Just wanted to let you know that due to .NET 8.0 and PowerShell 7.4 vulnerability CVE-2024-30105, Nerdbank.GitVersioning gets flagged by Nexus IQ.

Short explanation of the CVE:

The System.Text.Json package is vulnerable to Denial of Service (DoS) attacks. The ReadFromStreamAsync() method of the ReadBufferState class mishandles unsuccessful read operations when parsing certain tokens in slowly streamed data. In such cases, the method awaits the fulfillment of the stream's underlying buffer. A remote attacker can exploit this vulnerability with large JSON strings that, when consumed, may cause affected applications to consume all available resources.

Root cause reported by Nexus IQ:

Nerdbank.GitVersioning-3.7.62-alpha.nupkgbuild/MSBuildFull/System.Text.Json.dll[7.0.0-preview.6.22324.4, 8.0.4)

Understandably, this vulnerability might not be applicable for Nerdbank.GitVersioning, however due to it being flagged, it's causing some troubles.
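The Nexus IQ root-cause line above uses NuGet interval notation: a square bracket is an inclusive bound, a parenthesis an exclusive one, so `[7.0.0-preview.6.22324.4, 8.0.4)` covers every System.Text.Json build from that preview up to, but not including, 8.0.4. The following is an added triage helper (not part of Nerdbank.GitVersioning or Nexus IQ) that parses such a line, compares versions by SemVer 2 rules including prerelease identifiers, and answers whether a given assembly version falls inside the flagged interval. The sample line is the one quoted in this issue, copied verbatim; the function names are this example's own.

```python
import re

# Constructed sample: the Nexus IQ root-cause line quoted in this issue, kept verbatim.
ROOT_CAUSE_LINE = (
    "Nerdbank.GitVersioning-3.7.62-alpha.nupkgbuild/MSBuildFull/"
    "System.Text.Json.dll[7.0.0-preview.6.22324.4, 8.0.4)"
)

# NuGet interval notation: '[' / ']' inclusive, '(' / ')' exclusive,
# an empty side means unbounded on that side.
RANGE_RE = re.compile(r"([\[(])\s*([^,\])]*?)\s*,\s*([^,\])]*?)\s*([\])])")


def parse_semver(text):
    """Turn 'major.minor.patch[-prerelease][+build]' into a tuple that sorts by SemVer 2.

    A release sorts after every prerelease of the same core version, numeric
    prerelease identifiers sort before alphanumeric ones, and a shorter
    prerelease identifier list sorts before a longer one sharing its prefix.
    Build metadata after '+' is ignored, as SemVer requires.
    """
    text = text.strip().split("+", 1)[0]
    core, _, pre = text.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    if not pre:
        return (numbers, 1, ())
    idents = tuple(
        (0, int(ident), "") if ident.isdigit() else (1, 0, ident)
        for ident in pre.split(".")
    )
    return (numbers, 0, idents)


def parse_range(text):
    """Extract the first NuGet interval from text as (lo, lo_inclusive, hi, hi_inclusive)."""
    match = RANGE_RE.search(text)
    if match is None:
        raise ValueError("no NuGet version interval found in: %r" % text)
    lo_bracket, lo_text, hi_text, hi_bracket = match.groups()
    lo = parse_semver(lo_text) if lo_text else None
    hi = parse_semver(hi_text) if hi_text else None
    return lo, lo_bracket == "[", hi, hi_bracket == "]"


def in_range(version, rng):
    """Return True when version lies inside the interval produced by parse_range."""
    v = parse_semver(version)
    lo, lo_incl, hi, hi_incl = rng
    if lo is not None and (v < lo if lo_incl else v <= lo):
        return False
    if hi is not None and (v > hi if hi_incl else v >= hi):
        return False
    return True


def flagged_component(root_cause_line):
    """Pull the assembly file name (e.g. System.Text.Json.dll) out of a root-cause line."""
    match = re.search(r"([\w.]+\.dll)", root_cause_line)
    return match.group(1) if match else None


def is_affected(assembly_version, root_cause_line=ROOT_CAUSE_LINE):
    """True when the shipped assembly version is inside the interval Nexus IQ flagged."""
    return in_range(assembly_version, parse_range(root_cause_line))


if __name__ == "__main__":
    component = flagged_component(ROOT_CAUSE_LINE)
    for candidate in ("7.0.0-preview.5.1", "7.0.0", "8.0.0", "8.0.4"):
        verdict = "inside" if is_affected(candidate) else "outside"
        print("%s %s is %s the flagged interval" % (component, candidate, verdict))
```

The check is only about version membership: whether the flagged code path (`ReadFromStreamAsync` on slowly streamed input) is reachable in a given consumer is a separate question that tooling like Nexus IQ does not answer, which is exactly the gap the report is pointing at.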
