LenaVinogradov closed this issue 2 months ago
Specifically, Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.3.0 includes Microsoft.Extensions.Azure 1.7.3, and that includes the now-vulnerable version of Azure.Identity. Microsoft.Extensions.Azure has already had a release (1.7.4) with a non-vulnerable Azure.Identity, so we are waiting for a new version of Microsoft.Azure.WebJobs.Extensions.Storage.Queues and for that to be deployed to the .azurefunctions folder when building.
@liliankasem could you please assist in creating a new package? Thank you!
Any updates on this?
I am directly referencing the Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues package in my projects. The functions.deps.json file in .azurefunctions folders includes Microsoft.Azure.WebJobs.Extensions.Storage.Queues version 5.3.0, which in turn references Azure.Identity, causing the security scans to fail.
The latest version 5.3.1 resolves the issue - https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.Storage.Queues/5.3.1#versions-body-tab
Similar to https://github.com/Azure/azure-functions-dotnet-worker/issues/2421, please update the Worker Storage extension dependencies, as it currently references an Azure.Identity package that has a known vulnerability: CVE-2024-35255 https://github.com/advisories/GHSA-m5vv-6r4h-3vj9
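
To confirm which package pulls Azure.Identity into a build, the dependency chain can be read out of the functions.deps.json file mentioned in the thread. The following is an added example, not part of the issue thread or the Azure Functions project. The sample data is constructed: the root entry name, target framework and Azure.Identity version are placeholders, and only the 5.3.0 and 1.7.3 versions come from the thread.

```python
import json

# Constructed sample in the shape of a .NET deps.json file. Placeholders:
# the root entry, the target framework and the Azure.Identity version.
SAMPLE_DEPS = json.loads("""
{"targets": {".NETCoreApp,Version=v6.0": {
  "functions/1.0.0": {"dependencies": {
      "Microsoft.Azure.WebJobs.Extensions.Storage.Queues": "5.3.0"}},
  "Microsoft.Azure.WebJobs.Extensions.Storage.Queues/5.3.0": {"dependencies": {
      "Microsoft.Extensions.Azure": "1.7.3"}},
  "Microsoft.Extensions.Azure/1.7.3": {"dependencies": {
      "Azure.Identity": "0.0.0-placeholder"}},
  "Azure.Identity/0.0.0-placeholder": {}
}}}
""")


def chains_to(deps, package):
    """Return every dependency chain ending at `package` as lists of 'Name/Version'."""
    wanted = package.lower()  # NuGet package IDs are case-insensitive
    chains = []
    for libs in deps.get("targets", {}).values():
        # Index each resolved library by lower-cased name for this target.
        index = {key.split("/", 1)[0].lower(): (key, entry.get("dependencies", {}))
                 for key, entry in libs.items()}
        referenced = {d.lower() for _, ds in index.values() for d in ds}
        roots = [name for name in index if name not in referenced]

        def walk(name, path):
            # Skip names with no resolved entry and guard against cycles.
            if name not in index or index[name][0] in path:
                return
            key, ds = index[name]
            path = path + [key]
            if name == wanted:
                chains.append(path)
                return
            for dep in ds:
                walk(dep.lower(), path)

        for root in roots:
            walk(root, [])
    return chains


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to a real functions.deps.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            SAMPLE_DEPS = json.load(fh)
    for chain in chains_to(SAMPLE_DEPS, "Azure.Identity"):
        print(" -> ".join(chain))
```

Each printed chain ends with the resolved Azure.Identity version, which can then be compared against the patched version listed in the advisory.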