How can i upgrade System.Text.RegularExpressions version?

Question

i am running azure pipline with Mend Bolt task to detect old libraries, and i got:

Notice for System.Text.RegularExpressions the existing version is 4.3.1 and the suggested fix is ALSO 4.3.1 but it seems it is not taken in consideration.

PS: my csproj is here

Any help please ?

Thank you in adavance

Answer 1

Mend has a page about this CVE-2019-0820 issue, explaining when this notice might also be a false positive.

For your situation it is a false positive

• you are on .NET 6, which is higher than the mentioned vulnerable runtimes (see below) - your WebApp.proj has <TargetFramework>net6.0</TargetFramework>

• you reference System.Text.RegularExpressions version 4.3.1 or even higher.

---

From that page:

In case the project has the CVE-2019-0820 reported then if it is actually vulnerable or not depends on the used .NET Core Runtime version.

The vulnerable .NET Core Runtime versions for this CVE are:

• v1.0 branch: 1.0 - 1.0.16 (exclusive)
• v1.1 branch: 1.1 - 1.1.13 (exclusive)
• v2.1 branch: 2.1 - 2.1.11 (exclusive)
• v2.2 branch: 2.2 - 2.2.5 (exclusive)

If the user is running a higher .NET core version than listed above while using the package version 4.3.1 then they are secured from the vulnerability and they can safely ignore the alert.