-1

We are using two libraries, WireMock.Net & WireMock.Net.RestClient, which are reporting vulnerabilities in our dependency checker (NVD). Both of those libs are version 1.5.9.

Summary

The following are listed as published vulnerabilities, with most rated Medium; two or three are rated High & at least one is rated Critical.

I have already upgraded from an earlier version which only had one vulnerability (relating to Wire iOS). Upgrading has pulled in the RestClient &, apparently, a new bunch of vulnerabilities. There is no further option to upgrade, as WireMock.Net 1.5.9 is the latest stable, even though some of the vulnerabilities list versions before 2.16 as the problem. I suspect that is mixed up with Java or other versions of WireMock.

So,

  1. Do I need to move away from this library, or are these vulnerabilities false positives?

  2. How do I move away from this library?

  3. Which library would be best to replace this one?

RestClient wiremock.net

Thanks for any help in advance.

Daniel Mann
onesixtyfourth
  • Only CVE-2018-9116/9117 relate to WireMock, but they are for the Java version (though it's unclear whether the same vulnerabilities could affect WireMock.Net). The rest look to be vulnerabilities related to the (apparently unrelated) "[Wire App](https://github.com/wireapp)". Seems more like an issue with the scanning tool than anything else. – Iridium Nov 03 '22 at 10:09
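As an added example (not part of the question or any answer), here is the kind of triage a reviewer can run over the scanner's matches before deciding whether to replace the package: it parses each match's CPE 2.3 string and separates hits on a different product (the unrelated Wire app) from same-name matches scoped to another platform (the Java WireMock), which still need checking against the upstream advisory. The sample findings and their CPE strings are constructed, not real NVD records; only CVE-2018-9116/9117 are taken from the comment above, and the other two ids are placeholders.

```python
# Added example, not from the question or answers: triage a scanner's CVE
# matches by comparing each match's CPE against the package we actually ship.
from dataclasses import dataclass

CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other"]

@dataclass(frozen=True)
class Finding:
    cve: str
    cpe: str        # CPE 2.3 string the scanner matched the package against
    severity: str

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its named components."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return dict(zip(CPE_KEYS, fields[2:]))

def classify(finding: Finding, products: set, target_sw: str) -> str:
    """unrelated-product: the CPE names a different product (a name-substring hit);
    other-ecosystem: same project name but scoped to another platform, so it
    needs confirming against the upstream advisory; review: plausible match."""
    cpe = parse_cpe23(finding.cpe)
    if cpe["product"] not in products:
        return "unrelated-product"
    if cpe["target_sw"] not in ("*", "-") and cpe["target_sw"] != target_sw:
        return "other-ecosystem"
    return "review"

def triage(findings, products, target_sw):
    """Bucket CVE ids by classification so only 'review' reaches a human."""
    buckets = {"unrelated-product": [], "other-ecosystem": [], "review": []}
    for f in findings:
        buckets[classify(f, products, target_sw)].append(f.cve)
    return buckets

# Constructed sample data (CPE strings are assumptions, not real NVD entries):
# the two WireMock (Java) CVEs named on the page plus placeholder ids standing
# in for the unrelated "Wire" messaging-app hits.
SAMPLE = [
    Finding("CVE-2018-9116", "cpe:2.3:a:wiremock:wiremock:*:*:*:*:*:java:*:*", "MEDIUM"),
    Finding("CVE-2018-9117", "cpe:2.3:a:wiremock:wiremock:*:*:*:*:*:java:*:*", "MEDIUM"),
    Finding("CVE-0000-0001", "cpe:2.3:a:wire:wire:*:*:*:*:*:*:*:*", "CRITICAL"),
    Finding("CVE-0000-0002", "cpe:2.3:a:wire:wire:*:*:*:*:*:iphone_os:*:*", "HIGH"),
]

if __name__ == "__main__":
    print(triage(SAMPLE, {"wiremock", "wiremock.net"}, "dotnet"))
```

Anything landing in the "review" bucket still needs a real version and impact check; a version-range match such as "before 2.16" says nothing about a 1.5.9 package from a different ecosystem.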

2 Answers

0

I cannot use the dependency checker (NVD), but when checking your links related to ossindex.sonatype.org (https://ossindex.sonatype.org/component/pkg:nuget/WireMock.Net) I don't see any issues:


Also running

    dotnet list package --vulnerable

shows no issues:

    PS C:\Dev\GitHub\WireMock.Net>  dotnet list package --vulnerable

    The following sources were used:
       https://api.nuget.org/v3/index.json
       C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

    The given project `WireMock.Net` has no vulnerable packages given the current sources.
    The given project `WireMock.Net.Abstractions` has no vulnerable packages given the current sources.
    The given project `WireMock.Net.RestClient` has no vulnerable packages given the current sources.
    The given project `WireMock.Net.StandAlone` has no vulnerable packages given the current sources.
Stef Heyenrath
-3

These CVEs seem pretty serious; I would switch libraries.

Some alternatives include Moq and Xunit.

Simon B
  • Your suggested libraries are not alternatives to WireMock.Net. – Peter Csala Nov 03 '22 at 10:29
  • This may not be related to the question, but can you elaborate why that is? Moq does have Http-Mocking capabilities, and REST-Apis are just built on that. Of course the functionality is not exactly tailored for REST-Apis, but it is possible to use Moq for Rest-Client-Mocking. – Simon B Nov 03 '22 at 12:26
  • 1
    Wiremock.Net is usually used in integration tests where you are mocking not the object dependencies but rather the API endpoints. Neither Moq nor xunit can be used to set up a local HTTP server with mocked responses. – Peter Csala Nov 03 '22 at 12:49