Transient Dependency on System.Drawing.Common v5.0.0 with Critical Vulnerability in nHapi 3.2.2

[aarondglover]

Description

We are using nHapi version 3.2.2 in a .NET application and have identified that it has a transitive dependency on System.Drawing.Common version 5.0.0, which currently has a critical security vulnerability marked against it (as reported by various security scanning tools such as GitHub Dependabot and others).

Issue

• System.Drawing.Common v5.0.0 is not compatible with non-Windows platforms unless proper native dependencies are installed.
• It also has a critical security vulnerability.
• nHapi indirectly depends on this package — we’re not sure if it’s essential to the core functionality of the library.

Questions

1. Is this dependency on System.Drawing.Common actually required by nHapi?
2. If so, can it be updated to a more recent and secure version (e.g., 7.x or removed altogether if not used)?
3. If it is used for legacy functionality (e.g., barcode/image rendering), can it be moved to an optional package or excluded from the core library?

We’d appreciate your advice or any planned mitigation steps.
Thanks for maintaining nHapi!

Environment

• nHapi version: 3.2.2
• Target framework: .NET 8 (cross-platform)
• OS: Windows / Linux

[milkshakeuk]

Hi @aarondglover thanks for raising this, I wonder why dependabot or CodeQL hasn't flagged it... Or maybe it would have if the package which has this transitive dependency hadn't already been updated, I suspect the fix is to just do a fresh build/release with all the latest package updates from dependabot since the last release.

Will have to have a little look into it first in case that causes any breaking changes in regards to versions of dotnet supported etc.

Anyway thanks for raising this issue.

[milkshakeuk]

@aarondglover it looks like System.Drawing.Common is being pulled in from System.Configuration.ConfigurationManager:

dotnet list package --include-transitive --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `testVuln` has the following vulnerable packages
   [net9.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > System.Drawing.Common      5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj

dotnet nuget why testVuln.csproj System.Drawing.Common

Project 'testVuln' has the following dependency graph(s) for 'System.Drawing.Common':

  [net9.0]
   │  
   └─ nhapi.base (v3.2.0)
      └─ System.Configuration.ConfigurationManager (v5.0.0)
         └─ System.Security.Permissions (v5.0.0)
            └─ System.Windows.Extensions (v5.0.0)
               └─ System.Drawing.Common (v5.0.0)

[milkshakeuk]

@aarondglover the fix has been merged, in preparation for a release which I shall try and do tomorrow.

[milkshakeuk]

@aarondglover a new release has been published.