Genesys Cloud - Developer Community!

Purecloud application with Purecloudplatform SDK v237.0.0

  • 1.  Purecloud application with Purecloudplatform SDK v237.0.0

    Posted 07-18-2025 11:10
    Edited by Jahnavi Rajashakaruni 07-18-2025 11:11

    Purecloud Support Team,

    Recently we performed a Software Composition Analysis (SCA) scan on our codebase. The scan identified two security vulnerabilities related to a few dependencies bundled with the SDK:

    • System.Text.Json - Flagged for a known vulnerability affecting versions prior to 8.0.4 (a denial-of-service issue caused by improperly handled deep object nesting).
    • RestSharp - Flagged for a known vulnerability (HTTP header injection) affecting versions prior to 112.0.0, which was addressed by the library maintainers in RestSharp v112.0.0.
    • Newtonsoft.Json - Flagged for a known vulnerability affecting versions prior to 13.0.1.

    So we upgraded our application to use the Genesys Purecloud .NET SDK version 237.0.0. After this upgrade, we performed a Software Composition Analysis (SCA) scan on our codebase. The scan identified no security vulnerabilities.

    Whereas when we test our application, we are facing an error related to System.Runtime.CompilerServices.Unsafe Version 4.0.4.1. But with Purecloud SDK version 237.0.0 it supports System.Runtime.CompilerServices.Unsafe Version 6.0.0 and our application has V6.0.0. Due to a hard dependency on V4.0.4.1 we are facing issues.

    We take security compliance seriously, so we need to ensure that all reported vulnerabilities are addressed or acknowledged.

    Given this solution, we respectfully request your guidance on the following points:

    1. Production-Ready SDK version: Is there a production-ready version of Purecloud SDK (either current or upcoming) that fully mitigates these vulnerabilities? If such a version is available (or planned), we would like to upgrade to it. Otherwise, please confirm whether it is safe to continue using v237.0.0 in production, and if there are any recommended workarounds to suppress or eliminate the false-positive findings.
    2. Future Dependency Updates: What is the recommended process for handling security updates in third-party libraries used by Purecloud SDK going forward (e.g. RestSharp, Newtonsoft.Json, etc.)? Should we expect Genesys to release updated SDK versions promptly when vulnerabilities in dependencies are discovered (as appears to have been done with RestSharp v112 and Newtonsoft.Json 13.x in this release), and then plan to upgrade our SDK package accordingly? We want to ensure we adhere to best practices and keep our application secure, so any guidance on how to stay up-to-date with critical dependency patches in the SDK would be greatly appreciated.

    We value the Purecloud SDK as part of our solution and want to ensure we're using it in the most secure way possible. Your confirmation and advice will help us move forward confidently with our production deployment. We are hoping to have a new version by September so we can meet our audit requirements by October 1st. If you need any additional information about our environment or the scan results, please let me know and I will gladly provide it. Thank you.


    #PlatformSDK

    ------------------------------
    Jahnavi Rajashakaruni
    ------------------------------