Compromised 3rd party libraries


Our security auditing has shown your recent .NET SDK (v3.2.4) and DependencyInjection v3.2.0 are using 2 libraries that have security alerts on them ranked as “High”.
Can you please upgrade them in your next build?

System.Net.Http 4.3.0 => 4.3.4
System.Text.RegularExpressions 4.3.0 => 4.3.1


These are not direct dependencies of CouchbaseNetClient, but are transitive dependencies from NetStandard.Library. They are a result of targeting .NET Standard 2.0. Unfortunately, NETStandard.Library is published by Microsoft and not something we can change.

That said, those dependencies aren’t actually referenced, that I can see, except when targeting versions of .NET that we don’t support (.NET < 4.6.1 or .NET Core 1.x). Can you provide further details about how/where you’re seeing these dependencies? I can’t find them anywhere else in the dependency graph.

Hi @btburnett3

I see that App.Metrics is a 3rd party you guys are using and 4.2.0 seems to be the latest version…
And it doesn’t look like it’s being maintained anymore.

Basically since I work in a very large cyber security company, they don’t let us release our products if they have 3rd parties that have some vulnerabilities.


I think the security scanning tool you’re using to find that dependency may either be flawed or misconfigured. There is actually no combination of target frameworks for the Couchbase SDK that would ever bring in that dependency. The NETStandard.Library 1.6.1 dependency is overridden by NETStandard.Library 2.0.3 dependencies closer to the bottom of the dependency tree.

That said, this may be mitigated by an upgrade to App.Metrics 4.3.0, which offers a specific netstandard2.0 dependency list. Depends, again, on how your security scanning tool is looking at it. I’ve filed this issue to track:

4.3.0 was released 4 days ago (11/26/2021), it takes some time before we upgrade a dependency as they change all the time and we generally do so on minor builds, not patch builds. App.Metrics is most definitely being maintained as they just released and have recent merges into their repo.

Can you provide some documentation regarding the security vulnerabilities found in 4.2.0?

Sure @jmorris

Personally, I’d really like to remove this dependency on App.Metrics altogether. But my approach for doing so is currently dependent on dropping the netcoreapp2.1 target, which I’m not sure we can do.