Hello,
My organization's vulnerability scanning tool is flagging the version of BouncyCastle used in this component (1.8.5) as having vulnerabilities. Can this be updated to include the latest version of BouncyCastle.Cryptography (2.4.0)?
Vulnerability: NVD - CVE-2020-15522 (nist.gov)
Thank You
Hi @Paul Giammarco,
Thank you for reporting this. You can find that release 1.1.4 of the component solves this issue.
Regards,
Thank you João for the quick turnaround!
While waiting for assistance, you can fix the issue yourself by following these steps:
1. Open the `OpenPGP.xif` from your environment in Integration Studio.
2. Open the code in Visual Studio.
3. Remove the reference to the BouncyCastle library.
4. Manage NuGet Package:
- Go to `Browse`.
- Search for `BouncyCastle.Cryptography`.
- Install the package.
5. Build the solutions.
6. Run the unit tests:
- Go to `UnitTests`.
- Select `Run Tests`.
7. Finally, upload the updated code from Integration Studio.
A screen recording of this process is attached here for your reference.
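An added example, not part of the thread or of the component's own code: a check to run after steps 3 to 5 that confirms the project no longer references the legacy library and that `BouncyCastle.Cryptography` is at least the 2.4.0 requested above. It assumes the extension's dependencies are declared in a `.csproj` or `packages.config` and that the legacy assembly is named `BouncyCastle.Crypto`; the function names and the sample project file are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

LEGACY = {"bouncycastle", "bouncycastle.crypto"}  # old package id / old assembly name
CURRENT = "bouncycastle.cryptography"             # package installed in step 4
MIN_VERSION = (2, 4, 0)                           # version requested in the thread

# Constructed sample: a project file after a half-finished swap.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="BouncyCastle.Crypto, Version=1.8.5.0, Culture=neutral" />
    <PackageReference Include="BouncyCastle.Cryptography"><Version>2.3.1</Version></PackageReference>
  </ItemGroup>
</Project>"""


def version_tuple(text):
    """Leading numeric part of a version: '2.4.0-beta' -> (2, 4, 0)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()


def bouncycastle_refs(xml_text):
    """(tag, name, version) for each BouncyCastle entry in a csproj or packages.config."""
    refs = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild namespace
        if tag not in ("package", "PackageReference", "Reference"):
            continue
        fields = [f.strip() for f in el.get("id", el.get("Include", "")).split(",")]
        version = el.get("version") or el.get("Version") or next(
            (c.text or "" for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")
        for f in fields[1:]:  # assembly identity: "Name, Version=1.8.5.0, ..."
            if f.startswith("Version="):
                version = f[len("Version="):]
        if fields[0].lower().startswith("bouncycastle"):
            refs.append((tag, fields[0], version))
    return refs


def audit(xml_text):
    """Problems found; an empty list means the dependency swap looks complete."""
    refs = bouncycastle_refs(xml_text)
    problems = [f"legacy reference still present: {n} {v}" for _, n, v in refs if n.lower() in LEGACY]
    problems += [f"{n} {v} is below 2.4.0" for t, n, v in refs  # assembly versions are not compared
                 if t != "Reference" and n.lower() == CURRENT and version_tuple(v) < MIN_VERSION]
    if not any(n.lower() == CURRENT for _, n, _ in refs):
        problems.append("BouncyCastle.Cryptography is not referenced")
    return problems
```

Run `audit()` on the text of each `.csproj` and `packages.config` in the extension before uploading it in step 7; a package reference with no version is also reported as below 2.4.0.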
Thanks @Siya - yes we have already done the update locally in our environment prior to this request. This request is just so we don't stay out of sync with the forge version for too long.
Thank You!
-Paul