Vulnerable third-party libraries


Zika development

Apr 27, 2021, 9:35:33 AM
to nhusers
Hi everyone,
I searched through the group but didn't find any suitable conversation to post my question in, so I'm opening this one. In my company, we are considering using NH, and we ran a security analysis prior to integrating it.
The analysis also searched through the third-party libraries used by NH, including SQLite.Interop.dll. We discovered that SQLite.Interop.dll is using an old version of SQLite (v3.22.0), which has multiple reported vulnerabilities (CVEs at the end of the message).
Can you please tell me if you are aware of these vulnerabilities? Furthermore, did you run any analysis of their potential impact on the NH itself?
Thank you in advance!

CVE-2019-8457, CVE-2020-11656, CVE-2019-19646, CVE-2018-20506, CVE-2018-20346, CVE-2020-11655, CVE-2018-20505, CVE-2018-8740, CVE-2020-13630, CVE-2019-16168, CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13435, CVE-2020-13434, CVE-2019-19645

Frédéric Delaporte

Apr 27, 2021, 9:41:16 AM
to nhusers
The main, redistributable library, NHibernate.dll, has no dependency on SQLite. It is up to anyone targeting this database to include whatever dependencies they require, and to ensure they have up-to-date ones.

The NHibernate test project does depend on SQLite. But it is not meant to be distributed and used by other software. It is only the test project for running the NHibernate test suite. It tends to target rather old database providers. I do not think having our test project depend on vulnerable database providers is an issue, as it runs on a clean VM instantiated for the sole purpose of running the tests.
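The distinction drawn above, between the managed wrapper (NHibernate, or the .NET SQLite provider that ships SQLite.Interop.dll) and the native SQLite engine it actually loads, is what a consumer has to verify in their own deployment: the package version of the wrapper says nothing about the engine version. The following is an added example, not code from this thread or from the NHibernate project. It uses Python's built-in sqlite3 binding to stand in for any SQLite wrapper, asks the engine itself for its version with `SELECT sqlite_version()` (the same query works from a System.Data.SQLite connection), and compares the result against a policy floor. The value of `MINIMUM_SQLITE_VERSION` is a placeholder assumption for illustration, not a claim about which release fixes the CVEs listed in the question.

```python
"""Verify which SQLite engine a process really links, and compare it to a policy floor.

Added example, not code from the nhusers thread or from NHibernate.
"""
import re
import sqlite3
from typing import Dict, Tuple

# Assumption: placeholder policy floor. Set this to whatever your own security review
# requires; it is not derived from the CVE list in the thread.
MINIMUM_SQLITE_VERSION = "3.35.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.22.0', '3.22' or 'v3.22.0' into a comparable tuple of ints, padded to 3 parts."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad so that 3.22 compares equal to 3.22.0 rather than sorting below it.
    return parts + (0,) * max(0, 3 - len(parts))


def is_at_least(found: str, minimum: str) -> bool:
    """True when the engine version found meets or exceeds the policy floor."""
    return parse_version(found) >= parse_version(minimum)


def engine_version_via_query(conn: sqlite3.Connection) -> str:
    """Ask the engine itself. This is the version of the native library that is
    actually loaded, regardless of what the wrapper package's metadata claims."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


def linked_engine_version() -> str:
    """Open an in-memory database and report the engine version this process linked."""
    with sqlite3.connect(":memory:") as conn:
        return engine_version_via_query(conn)


def query_matches_binding_constant() -> bool:
    """Sanity check: the engine's own answer agrees with the binding's compile-time constant."""
    return linked_engine_version() == sqlite3.sqlite_version


def audit(found: str, minimum: str = MINIMUM_SQLITE_VERSION) -> Dict[str, object]:
    """Summarise one engine version against the floor; 'ok' is the pass/fail verdict."""
    return {"found": found, "minimum": minimum, "ok": is_at_least(found, minimum)}


if __name__ == "__main__":
    # The version string from the thread (3.22.0) fails the placeholder floor;
    # the engine linked into this interpreter is reported alongside it.
    print(audit("3.22.0"))
    print(audit(linked_engine_version()))
```

The point of `engine_version_via_query` is that it inspects the running engine rather than a manifest: in a .NET deployment the equivalent is running `SELECT sqlite_version()` through the provider connection (or reading the provider's reported SQLite version) on the actual target machine, since the native SQLite.Interop.dll that gets loaded is the one sitting beside the application, not necessarily the one the package manager resolved at build time.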

Zika development

Apr 28, 2021, 2:32:34 PM
to nhusers
Thank you, Frédéric, this clearly explained the situation.