
Fix security vulnerabilities #336

Open

wants to merge 5 commits into base: master

@Shane32 commented Nov 13, 2024

Summary:

This pull request addresses package support and security vulnerabilities by updating dependencies to supported versions, adding direct references to eliminate flagged issues, and enforcing stricter build warnings related to security.

Details:

  • Update to Supported .NET Core 2.1 Packages:

    • Microsoft no longer supports .NET Core 2.2 packages; they are marked as deprecated or vulnerable.
    • Certain .NET Core 2.1 packages remain supported by Microsoft, as detailed in their official support policy for ASP.NET Core 2.1 on .NET Framework. This includes packages like Microsoft.AspNetCore and Microsoft.Extensions.Configuration.
    • This PR downgrades the Microsoft.Extensions.Configuration package from version 2.2 to 2.1 to align with Microsoft's supported packages.
  • Mitigate Security Vulnerability in System.Security.Cryptography.Xml:

    • The .NET 9 SDK scans both direct and indirect dependencies, which can surface issues in indirectly referenced packages.
    • An indirect reference to System.Security.Cryptography.Xml version 4.5.0 contains a moderate security vulnerability.
    • This PR adds a direct dependency on System.Security.Cryptography.Xml version 4.7.1 to resolve this vulnerability.
  • Enforce Build Warnings for Security Vulnerabilities:

    • Added settings to the project's .csproj file to prevent building when dependencies contain security vulnerabilities.
    • Specifically, the following lines were added:
      <!-- .NET 9 SDK default: prevent building when indirect dependencies contain security vulnerabilities -->
      <NuGetAuditMode>all</NuGetAuditMode>
      <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
    • Setting <NuGetAuditMode>all</NuGetAuditMode> enables auditing of all dependencies for vulnerabilities.
    • Adding NU1901, NU1902, NU1903, NU1904 to <WarningsAsErrors> treats these specific NuGet warnings as errors, causing the build to fail if vulnerabilities are detected.
    • These settings align with the default behavior in .NET 9, enhancing security by enforcing stricter checks during the build process.

Impact:

  • Aligns the project with Microsoft's supported package versions.
  • Eliminates security vulnerabilities detected in indirect dependencies.
  • Enhances compatibility with the .NET 9 SDK's dependency scanning.
  • Enforces stricter build-time security checks to prevent future vulnerabilities from being introduced.
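The following project file is an added illustration, not the repository's own .csproj, of how the three changes described in the pull request fit together: the audit settings, the downgrade of Microsoft.Extensions.Configuration to the supported 2.1 line, and the direct reference that displaces the vulnerable transitive System.Security.Cryptography.Xml 4.5.0. The target framework and the 2.1.1 patch version are assumptions; the PR does not state them.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework; the PR does not show the project's actual TFM -->
    <TargetFramework>net472</TargetFramework>

    <!-- Audit direct AND transitive packages during restore (the .NET 9 SDK default).
         With NuGetAuditMode "direct", the transitive System.Security.Cryptography.Xml 4.5.0
         would never be reported. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical:
         promote every audit severity from warning to build error so a vulnerable
         dependency fails the build instead of scrolling past in the log. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Stay on the 2.1 line, which Microsoft still supports for ASP.NET Core on
         .NET Framework; the 2.2 packages are deprecated. Patch version assumed. -->
    <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.1.1" />

    <!-- Direct reference to the fixed version. NuGet's "nearest wins" rule means a
         direct reference takes precedence over the transitive 4.5.0, so the audit
         error disappears without touching the package that pulled it in. -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
  </ItemGroup>

</Project>
```

To confirm the effect before and after such a change, `dotnet list package --vulnerable --include-transitive` prints every package with a known advisory, including ones reached only through other packages; with the settings above, `dotnet restore` fails on the same findings rather than merely warning.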
