Azure / azure-functions-dotnet-worker

Azure Functions out-of-process .NET language worker
MIT License

Azure function with ServiceBusTrigger fails to pass whitesource scan (Azure Identity Library for .NET Information Disclosure Vulnerability) #2430

Closed alex-quest closed 6 months ago

alex-quest commented 6 months ago

Description

Similar to the issue: Azure function with QueueTrigger fails to pass whitesource scan (Azure Identity Library for .NET Information Disclosure Vulnerability)

I created an empty Azure Function with ServiceBusTrigger. It fails to pass the whitesource scan. The reason reported by WS:

CVE-2024-29992 Medium 09-04-2024 10-04-2024 Azure Identity Library for .NET Information Disclosure Vulnerability

The given library seems to be a dependency of Microsoft.Azure.Functions.Worker.Extension, which in turn is a dependency of .NETCoreApp (v6.0).

The vulnerable dll is in the output .azurefunctions folder: [screenshot]

And it can't be overwritten there even if you force Azure.Identity 1.11 to be installed as a direct dependency of the project.

The full line of dependencies from .azurefunctions\function.deps.json file:

{
  "runtimeTarget": {
    "name": ".NETCoreApp,Version=v6.0",
    "signature": ""
  },
  "compilationOptions": {},
  "targets": {
    ".NETCoreApp,Version=v6.0": {
      "Microsoft.Azure.Functions.Worker.Extensions/1.0.0": {
        "dependencies": {
          "Microsoft.Azure.WebJobs.Extensions.ServiceBus": "5.13.5",
          "Microsoft.NET.Sdk.Functions": "4.2.0",
          "Microsoft.NETCore.Targets": "3.0.0"
        },
        "runtime": {
          "Microsoft.Azure.Functions.Worker.Extensions.dll": {}
        }
      }

----------------------------------------------------------------------

      "Microsoft.Azure.WebJobs.Extensions.ServiceBus/5.13.5": {
        "dependencies": {
          "Azure.Messaging.ServiceBus": "7.17.1",
          "Google.Protobuf": "3.24.3",
          "Microsoft.Azure.WebJobs": "3.0.37",
          "Microsoft.Azure.WebJobs.Extensions.Rpc": "3.0.37",
          "Microsoft.Extensions.Azure": "1.7.1"
        },
        "runtime": {
          "lib/net6.0/Microsoft.Azure.WebJobs.Extensions.ServiceBus.dll": {
            "assemblyVersion": "5.13.5.0",
            "fileVersion": "5.1300.523.60405"
          }
        }
      }

---------------------------------------------------------

      "Microsoft.Extensions.Azure/1.7.1": {
        "dependencies": {
          "Azure.Core": "1.36.0",
          "Azure.Identity": "1.10.3",
          "Microsoft.Extensions.Configuration.Abstractions": "3.0.3",
          "Microsoft.Extensions.Configuration.Binder": "3.0.3",
          "Microsoft.Extensions.DependencyInjection.Abstractions": "3.0.3",
          "Microsoft.Extensions.Logging.Abstractions": "3.0.3",
          "Microsoft.Extensions.Options": "3.0.3"
        },
        "runtime": {
          "lib/netstandard2.0/Microsoft.Extensions.Azure.dll": {
            "assemblyVersion": "1.7.1.0",
            "fileVersion": "1.700.123.52701"
          }
        }
      }

Steps to reproduce

Open the zipped demo project in VS. Build it. Find Azure.Identity.dll v1.10.3 inside the bin\Debug\net8.0.azurefunctions folder. FunctionAppTest.zip
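As an added example (not code from the issue or the repository): a small script that walks a function.deps.json and reports every chain of transitive references that ends in Azure.Identity below a given version floor, so the path the reporter traced by hand (Worker.Extensions -> WebJobs.Extensions.ServiceBus -> Microsoft.Extensions.Azure -> Azure.Identity) can be checked automatically after an extension update. The embedded JSON is a constructed excerpt using the package names and versions from the post, and the 1.11.0 floor is taken from the reporter's "Azure.Identity 1.11" remark; point `load_graph` at the real `.azurefunctions/function.deps.json` to scan a built project.

```python
import json

# Constructed excerpt shaped like the issue's .azurefunctions/function.deps.json
# (same package names and versions as the post; not the real file).
DEPS_JSON = """{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0", "signature": ""},
  "targets": {".NETCoreApp,Version=v6.0": {
    "Microsoft.Azure.Functions.Worker.Extensions/1.0.0": {
      "dependencies": {"Microsoft.Azure.WebJobs.Extensions.ServiceBus": "5.13.5"}},
    "Microsoft.Azure.WebJobs.Extensions.ServiceBus/5.13.5": {
      "dependencies": {"Microsoft.Extensions.Azure": "1.7.1"}},
    "Microsoft.Extensions.Azure/1.7.1": {
      "dependencies": {"Azure.Core": "1.36.0", "Azure.Identity": "1.10.3"}},
    "Azure.Identity/1.10.3": {"dependencies": {"Azure.Core": "1.36.0"}},
    "Azure.Core/1.36.0": {}
  }}
}"""

def parse_version(v: str) -> tuple:
    # NuGet versions may carry a prerelease suffix ("1.11.0-beta.1"); compare the numeric core.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def load_graph(text: str) -> dict:
    """Map 'Name/Version' -> {dependency name: version} for the runtime target."""
    doc = json.loads(text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    return {key: entry.get("dependencies", {}) for key, entry in target.items()}

def find_vulnerable_chains(graph: dict, package: str, min_fixed: str) -> list:
    """Every root-to-leaf chain ending in `package` at a version below `min_fixed`."""
    floor = parse_version(min_fixed)
    chains = []
    def walk(key: str, path: list) -> None:
        name, version = key.rsplit("/", 1)
        path = path + [key]
        if name == package and parse_version(version) < floor:
            chains.append(path)
        for dep_name, dep_ver in graph.get(key, {}).items():
            dep_key = f"{dep_name}/{dep_ver}"
            if dep_key not in path:  # package graphs should be acyclic; guard anyway
                walk(dep_key, path)
    referenced = {f"{n}/{v}" for deps in graph.values() for n, v in deps.items()}
    for root in graph:  # roots = entries nothing else depends on (the app's own references)
        if root not in referenced:
            walk(root, [])
    return chains

if __name__ == "__main__":
    for chain in find_vulnerable_chains(load_graph(DEPS_JSON), "Azure.Identity", "1.11.0"):
        print(" -> ".join(chain))
```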

liliankasem commented 6 months ago

All extensions using "Microsoft.Extensions.Azure": "1.7.1" need to be updated to 1.7.3

alex-quest commented 6 months ago

Hi @liliankasem. When is this supposed to be available? I still don't see Microsoft.Azure.Functions.Worker.Extensions.ServiceBus 5.18.0 available for download/update