Closed by alisonlomaka 3 months ago
The latest version of Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues 5.5.0 is updated with the latest Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.3.1. I tried the repro steps and WorkerExtensions.csproj generated correctly for me with the latest webjobs extension. Please let us know if you are seeing any discrepancies in validation.
Description
Internal Microsoft Component Governance scanning is identifying a vulnerability in Azure.Identity and Microsoft.Identity.Client, due to a dependency on Microsoft.Azure.WebJobs.Extensions.Storage.Queues 5.3.0. The dependencies are from the generated WorkerExtensions.csproj.
Steps to reproduce
Use Functions.Worker.Sdk v1.17.4. Include Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues and create a function with a queue trigger. Build and inspect the generated WorkerExtensions.csproj dependencies, or run WAVE analysis to check for Component Governance alerts.
WAVE flags alerts for Azure.Identity and Microsoft.Identity.Client CVE-2024-35255.
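One way to script the "inspect the generated WorkerExtensions.csproj dependencies" step offline, as an added example that is not part of the original issue or of the Functions SDK. The sample project XML is constructed, the function names are hypothetical, and treating 5.3.1 as the minimum acceptable version is an assumption drawn from the versions named in this thread. It checks only direct PackageReference entries and does not resolve transitive packages such as Azure.Identity.

```python
import xml.etree.ElementTree as ET

# Assumption from this thread: 5.3.0 is the flagged version and 5.3.1 is the
# version named in the maintainer reply, so 5.3.1 is used as the floor.
MIN_VERSIONS = {"Microsoft.Azure.WebJobs.Extensions.Storage.Queues": "5.3.1"}

# Constructed sample shaped like an MSBuild project file; not real build output.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.Storage.Queues" Version="5.3.0" />
    <PackageReference Include="Example.Other.Package" Version="1.2.3" />
  </ItemGroup>
</Project>"""

def local(tag):
    # Drop an XML namespace prefix such as "{http://...}PackageReference".
    return tag.rsplit("}", 1)[-1]

def parse_version(text):
    """Turn '5.3.0' into a padded int tuple; a prerelease/build suffix is ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def package_references(csproj_xml):
    """Yield (package id, version or None) for every PackageReference item."""
    for el in ET.fromstring(csproj_xml).iter():
        if local(el.tag) != "PackageReference":
            continue
        version = el.get("Version")
        if version is None:  # version may be a child element instead of an attribute
            version = next((c.text for c in el if local(c.tag) == "Version"), None)
        yield el.get("Include") or el.get("Update") or "", version

def below_floor(csproj_xml, floors=MIN_VERSIONS):
    """Return (package, found version, floor) for each reference under its floor."""
    floors = {k.lower(): v for k, v in floors.items()}  # NuGet ids are case-insensitive
    findings = []
    for name, version in package_references(csproj_xml):
        floor = floors.get(name.lower())
        if floor is None:
            continue
        try:
            ok = parse_version(version) >= parse_version(floor)
        except (ValueError, AttributeError):
            ok = False  # missing, floating ("5.*") or range version: cannot be proven safe
        if not ok:
            findings.append((name, version, floor))
    return findings
```
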