Vulnerability found in SonarAnalyzer.CSharp

The SonarAnalyzer.CSharp NuGet package is shipped with Google.Protobuf.dll.
The version (3.6) of this Google.Protobuf library was marked as vulnerable due to CVE-2021-22570.

Please provide a new package with an updated Google.Protobuf library (3.15+).

Hey there.

This vulnerability has been raised by our own internal source composition analysis and vulnerability scanners. After risk assessment of exploitability, we have made the decision to not fix the finding immediately for the following reasons:

  1. a limitation in the .NET compiler means that it cannot be upgraded without an unacceptable performance impact. We have reported the issue.
  2. the protobuf file is both generated and consumed by our software.
  3. the impact of failure in our use case is low risk.

That said, we are investigating various workarounds for the problem or replacements for Google.Protobuf, but we have no ETA at this time.

In the future, please check out this guide on Responsible Vulnerability Disclosure: