@Shane32 Shane32 commented Nov 13, 2024

Summary:

This pull request addresses package support and security vulnerabilities by updating dependencies to supported versions, adding direct references to eliminate flagged issues, and enforcing stricter build warnings related to security.

Details:

  • Update to Supported .NET Core 2.1 Packages:

    • Microsoft no longer supports .NET Core 2.2 packages; they are marked as deprecated or vulnerable.
    • Certain .NET Core 2.1 packages remain supported by Microsoft, as detailed in their official support policy for ASP.NET Core 2.1 on .NET Framework. This includes packages like Microsoft.AspNetCore and Microsoft.Extensions.Configuration.
    • This PR downgrades the Microsoft.Extensions.Configuration package from version 2.2 to 2.1 to align with Microsoft's supported packages.
  • Mitigate Security Vulnerability in System.Security.Cryptography.Xml:

    • The .NET 9 SDK scans both direct and indirect dependencies, which can surface issues in indirectly referenced packages.
    • An indirect reference to System.Security.Cryptography.Xml version 4.5.0 contains a moderate security vulnerability.
    • This PR adds a direct dependency on System.Security.Cryptography.Xml version 4.7.1 to resolve this vulnerability.
  • Enforce Build Warnings for Security Vulnerabilities:

    • Added settings to the project's .csproj file to prevent building when dependencies contain security vulnerabilities.
    • Specifically, the following lines were added:
      <!-- .NET 9 SDK default: prevent building when indirect dependencies contain security vulnerabilities -->
      <NuGetAuditMode>all</NuGetAuditMode>
      <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
    • Setting <NuGetAuditMode>all</NuGetAuditMode> enables auditing of all dependencies for vulnerabilities.
    • Adding NU1901, NU1902, NU1903, NU1904 to <WarningsAsErrors> treats these specific NuGet warnings as errors, causing the build to fail if vulnerabilities are detected.
    • These settings align with the default behavior in .NET 9, enhancing security by enforcing stricter checks during the build process.

Impact:

  • Aligns the project with Microsoft's supported package versions.
  • Eliminates security vulnerabilities detected in indirect dependencies.
  • Enhances compatibility with the .NET 9 SDK's dependency scanning.
  • Enforces stricter build-time security checks to prevent future vulnerabilities from being introduced.
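The settings described in the PR, collected into one project file as an added example (this is not the project's own .csproj and is not code from the PR author). The target framework, the commented-out weak setting, and the placement of the audit properties in the project file rather than a Directory.Build.props are assumptions for illustration; the property names, the NU1901 to NU1904 severity mapping, and the direct-reference override are standard NuGet behaviour:

```xml
<!-- Hypothetical example.csproj (added example, not the project's file). -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target; the real project targets whatever it shipped with. -->
    <TargetFramework>netstandard2.0</TargetFramework>

    <!-- Weak configuration, shown for comparison and disabled here:
         auditing only direct references means a vulnerable transitive
         package such as System.Security.Cryptography.Xml 4.5.0 is never
         reported. This was the behaviour before the .NET 9 SDK.
    <NuGetAuditMode>direct</NuGetAuditMode>
    -->

    <!-- Hardened configuration: audit the entire restore graph. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Minimum advisory severity to report; low reports everything. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <!-- NU1901 = low, NU1902 = moderate, NU1903 = high, NU1904 = critical.
         Promoting all four makes any flagged package fail restore instead
         of scrolling past as a warning in CI output. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Whatever package transitively pulls in System.Security.Cryptography.Xml
         4.5.0 would be referenced here; it is omitted because the PR does not
         name it. -->

    <!-- Direct reference to the patched version. Under NuGet's nearest-wins
         resolution a direct PackageReference is the closest node in the graph,
         so 4.7.1 is what gets restored and audited, and the transitive 4.5.0
         request is satisfied by the newer version. -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
  </ItemGroup>

</Project>
```

To confirm the override took effect, run `dotnet restore` (it now fails with an NU19xx error if any package in the graph still carries an advisory at or above NuGetAuditLevel) and `dotnet list package --vulnerable --include-transitive`, which lists advisories for transitive packages as well as direct ones. Removing the direct PackageReference and restoring again is a quick way to verify that the audit really does see the transitive 4.5.0 package.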
