Skip to content

Adds: A vulnerable dependency #15

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Adds: A vulnerable dependency #15

wants to merge 2 commits into from

Conversation

@felickz
Copy link
Contributor

@felickz felickz commented Nov 11, 2025
edited
Loading

This pull request updates the dependency management for the project, primarily by refining the central package versions and adding missing direct dependencies to the VulnerableLibrary project. These changes help ensure that all required packages are explicitly referenced and versioned, improving maintainability and clarity.

@felickz
Add Newtonsoft.Json and RestSharp dependencies
61dab76 
Added Newtonsoft.Json and RestSharp package references.
@felickz
Update package versions and add new dependencies
a832003 
(introduces a dependency on a vulnerable version of RestSharp)
@github-actions
Copy link

github-actions bot commented Nov 11, 2025

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

VulnerableLibrary/VulnerableLibrary.csproj

NameVersionVulnerabilitySeverity
RestSharp111.4.1CRLF Injection in RestSharp's `RestRequest.AddHeader` methodmoderate

OpenSSF Scorecard

Scorecard details
PackageVersionScoreDetails
nuget/System.Net.Http 4.3.3 🟢 3.8
Details
CheckScoreReason
Pinned-Dependencies⚠️ -1no dependencies found
Dangerous-Workflow⚠️ -1no workflows found
Code-Review🟢 5Found 2/4 approved changesets -- score normalized to 5
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ -1No tokens found
Maintained⚠️ 0project is archived
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
License⚠️ 0license file not detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/System.Text.Json 8.0.0 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 30 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts⚠️ 0binaries present in source code
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Vulnerabilities🟢 100 existing vulnerabilities detected
nuget/RestSharp 111.4.1 🟢 4.5
Details
CheckScoreReason
Code-Review🟢 3Found 9/25 approved changesets -- score normalized to 3
Maintained🟢 94 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 9
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Binary-Artifacts🟢 10no binaries found in the repo
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Pinned-Dependencies⚠️ 1dependency not pinned by hash detected -- score normalized to 1
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Vulnerabilities⚠️ 022 existing vulnerabilities detected
nuget/System.Text.Encodings.Web 8.0.0 🟢 5.6
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Maintained🟢 1030 commit(s) and 30 issue activity found in the last 90 days -- score normalized to 10
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Branch-Protection🟢 5branch protection is not maximal on development and all release branches
Signed-Releases⚠️ -1no releases found
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
Binary-Artifacts⚠️ 0binaries present in source code
Pinned-Dependencies⚠️ 2dependency not pinned by hash detected -- score normalized to 2
Vulnerabilities🟢 100 existing vulnerabilities detected
nuget/runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/System.Net.Http 4.3.3 🟢 3.8
Details
CheckScoreReason
Pinned-Dependencies⚠️ -1no dependencies found
Dangerous-Workflow⚠️ -1no workflows found
Code-Review🟢 5Found 2/4 approved changesets -- score normalized to 5
Binary-Artifacts🟢 10no binaries found in the repo
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ -1No tokens found
Maintained⚠️ 0project is archived
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Fuzzing⚠️ 0project is not fuzzed
License⚠️ 0license file not detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Security-Policy⚠️ 0security policy file not detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
nuget/runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown
nuget/runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 UnknownUnknown

Scanned Files

  • VulnerableApi/VulnerableApi.csproj
  • VulnerableLibrary/VulnerableLibrary.csproj

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@felickz