We are currently using this component in its latest version. Could you please confirm whether it is still internally dependent on Mono.Security.dll?
As per our recent security scan, a risk has been raised related to Mono.Security.dll. Additionally, when inspecting the component in Integration Studio, it appears that Mono.Security.dll is referenced, as shown there. Kindly let us know if this dependency is still required.
Hi @Zinat Shahin Parveen Sarfaraz Aalam,
Yes, the CryptoAPI (O11) component still references Mono.Security.dll internally. This reference is not required for the active cryptographic functionality in current versions, but it remains as a legacy dependency in the extension package, which is why:
Historically:
Over time:
However:
For security scan report:
Documenting the finding is typically sufficient for risk acceptance. You can use the text below as the rationale:
Mono.Security.dll is present as a legacy referenced assembly in the CryptoAPI extension. Current cryptographic operations use .NET native cryptography and BouncyCastle. Mono.Security.dll is not actively invoked at runtime.
If you need official confirmation or want the dependency removed:
Hope this helps,
Cheers,
Saugat
Hi Saugat,
Thank you for the detailed clarification; it helps a lot. As confirmed, all current encryption and hashing logic relies on .NET native cryptography and BouncyCastle, and the reference persists only due to historical reasons.
We will proceed with documenting this finding for security scan risk acceptance using the provided rationale. If needed, we will raise a Forge support request separately to seek official confirmation or inquire about removing the legacy dependency in a future release. Appreciate your support and clear explanation.
Kind Regards,
Zinat
You are welcome. Please be sure to mark the correct response as the solution. This helps members get to a resolution fast.
Hi,
If you look at the release notes, the usage of Mono was removed on Version 2.2.2 of the component.
In any case I suggest you update to the latest version of the component, as additional updates to the underlying libraries were made.
I'll double check, as they might have been left there since they were still being used on a previous version of the component but they were not manually removed from the extension package.
Regards,
Hi Joao,
Thanks for your update.
As confirmed, the Mono.Security.dll is not being used, and we would appreciate your help in getting it fully removed. While attempting to exclude the DLL from Integration Studio during compilation, it is automatically getting added back as a resource.
Could you please advise on the correct approach to ensure this DLL is completely excluded from the build and resources? Any guidance on configuration changes or cleanup steps required would be very helpful. Looking forward to your support.
Thanks & Regards,
It may help if you open the extension in Dev Studio, then open the source folder with Explorer and delete the file, then delete it from the tree in Integration Studio before republishing.
In order to get it to compile I also had to add the NuGet package for TestAdaptor, because for some reason it was missing, and then, to get it to compile during the Publish, fix the HintPaths in the unit test project to:
..\NET\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.dll
and
..\NET\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll
Doing this gave me a clean copy of CryptoAPI without mono, which is, of course, too big to upload here with its 4mb limit:
The Scrypt version in it is rather old as well.... 9 years. Don't know if this matters.
And the package itself is missing one of the files needed to build it?
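An added example, not part of the thread or the component's own code: after the cleanup described above, a check like this over the extension's project files can confirm that no Mono.Security item remains and that every HintPath still resolves before republishing. The sample project XML, the `ON_DISK` set, the `EmbeddedResource` entry and the function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample project file, not taken from the CryptoAPI extension.
SAMPLE_CSPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="Mono.Security">
      <HintPath>..\NET\bin\Mono.Security.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework">
      <HintPath>..\NET\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions">
      <HintPath>..\packages\PLACEHOLDER\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll</HintPath>
    </Reference>
    <EmbeddedResource Include="lib\Mono.Security.dll" />
  </ItemGroup>
</Project>"""
# Constructed stand-in for "which HintPath targets exist on disk".
ON_DISK = {r"..\NET\bin\Microsoft.VisualStudio.TestPlatform.TestFramework.dll"}

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_csproj(xml_text, exists, banned="Mono.Security"):
    """Return (finding, item_type, value) for banned items and dangling HintPaths."""
    banned_l = banned.lower()
    findings = []
    for item in ET.fromstring(xml_text).iter():
        include = item.get("Include")
        if include is None:
            continue  # not a project item (Project, ItemGroup, HintPath, ...)
        hint = next((c.text.strip() for c in item
                     if _local(c.tag) == "HintPath" and c.text), None)
        assembly = include.split(",")[0].strip().lower()  # identity before ", Version=..."
        file_name = PureWindowsPath(hint or include).name.lower()
        if assembly == banned_l or file_name == banned_l + ".dll":
            findings.append(("banned", _local(item.tag), include))
        elif hint and not exists(hint):
            findings.append(("missing-hintpath", _local(item.tag), hint))
    return findings

if __name__ == "__main__":
    for finding in audit_csproj(SAMPLE_CSPROJ, ON_DISK.__contains__):
        print(*finding, sep="\t")
```

For a real project, pass an `exists` callable that resolves each HintPath relative to the project file's directory.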