Azure / azure-functions-dotnet-worker

Azure Functions out-of-process .NET language worker
MIT License

Azure function with QueueTrigger fails to pass whitesource scan (Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability) #2544

Closed LenaVinogradov closed 2 months ago

LenaVinogradov commented 3 months ago

Similar to https://github.com/Azure/azure-functions-dotnet-worker/issues/2421, please update the Worker Storage extension dependencies, as the currently referenced Azure.Identity package has a known vulnerability: CVE-2024-35255 https://github.com/advisories/GHSA-m5vv-6r4h-3vj9

WyrmUK commented 3 months ago

Specifically, Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.3.0 includes Microsoft.Extensions.Azure 1.7.3 and that includes the now vulnerable version of Azure.Identity. Microsoft.Extensions.Azure has already had a release (1.7.4) with a non-vulnerable Azure.Identity so we are waiting for a new version of Microsoft.Azure.WebJobs.Extensions.Storage.Queues and for that to be deployed to the .azurefunctions folder when building.

LenaVinogradov commented 3 months ago

@liliankasem could you please assist in creating a new package? thank you!

ArturAdam commented 2 months ago

Any updates on this? I am directly referencing the Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues package in my projects. The functions.deps.json file in the .azurefunctions folder includes Microsoft.Azure.WebJobs.Extensions.Storage.Queues version 5.3.0, which in turn references Azure.Identity, causing the security scans to fail.
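The chain WyrmUK describes (Storage.Queues 5.3.0 pulling in Microsoft.Extensions.Azure 1.7.3, which pulls in the vulnerable Azure.Identity) can be confirmed from the functions.deps.json that ArturAdam mentions. The following Python is an added example, not code from this thread or from the azure-functions-dotnet-worker project: it walks a constructed deps.json with that shape and reports every dependency chain that resolves a package below a caller-supplied fixed version. The app name and the Azure.Identity version in the sample are made up, and the thread does not state the fixed Azure.Identity version, so the threshold passed to `vulnerable_chains` is an assumption to be taken from the linked advisory.

```python
import json

# Constructed sample modelled on the chain the thread describes; the app name and the
# Azure.Identity version are made up, only 5.3.0 and 1.7.3 come from the thread.
SAMPLE_DEPS_JSON = """{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
  "targets": {".NETCoreApp,Version=v8.0": {
    "ExampleFunctionApp/1.0.0": {"dependencies": {"Microsoft.Azure.WebJobs.Extensions.Storage.Queues": "5.3.0"}},
    "Microsoft.Azure.WebJobs.Extensions.Storage.Queues/5.3.0": {"dependencies": {"Microsoft.Extensions.Azure": "1.7.3"}},
    "Microsoft.Extensions.Azure/1.7.3": {"dependencies": {"Azure.Identity": "1.11.0"}},
    "Azure.Identity/1.11.0": {}
  }}
}"""

def parse_version(v: str) -> tuple[int, ...]:
    """Numeric tuple for comparison; a prerelease suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def load_graph(text: str) -> dict[str, tuple[str, dict[str, str]]]:
    """Index the runtime target's 'Name/Version' entries: name -> (resolved version, declared deps)."""
    doc = json.loads(text)
    graph = {}
    for key, node in doc["targets"][doc["runtimeTarget"]["name"]].items():
        name, version = key.split("/", 1)
        graph[name] = (version, node.get("dependencies", {}))
    return graph

def chains_to(graph: dict, package: str) -> list[list[str]]:
    """Every root-to-package path as 'Name version' steps, using resolved versions."""
    depended_on = {d for _, deps in graph.values() for d in deps}
    found: list[list[str]] = []

    def walk(name: str, path: list[str]) -> None:
        version, deps = graph[name]
        path = path + [f"{name} {version}"]
        if name == package:
            found.append(path)
            return
        for dep in deps:  # skip deps absent from the target (trimmed) or already on the path (cycle)
            if dep in graph and f"{dep} {graph[dep][0]}" not in path:
                walk(dep, path)
    for root in (n for n in graph if n not in depended_on):
        walk(root, [])
    return found

def vulnerable_chains(text: str, package: str, fixed_version: str) -> list[list[str]]:
    """Chains that pull in `package` while its resolved version is below `fixed_version`."""
    graph = load_graph(text)
    if package not in graph or parse_version(graph[package][0]) >= parse_version(fixed_version):
        return []
    return chains_to(graph, package)
```

To check a real deployment, read the functions.deps.json from the .azurefunctions folder of the published app in place of the sample and pass the fixed version from the advisory as `fixed_version`.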

surgupta-msft commented 2 months ago

The latest version 5.3.1 resolves the issue - https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage.Queues/5.3.1#versions-body-tab