- Added `Check-CsprojVulnerabilities.ps1` to ensure that the dependencies of the worker, unit test, and E2E test projects are up-to-date.
- Introduced a new stage in the pipeline named "Check for security vulnerabilities" that invokes `Check-CsprojVulnerabilities.ps1`.
- Upgraded dependencies with vulnerabilities in the unit test and E2E test projects.

Below is a screenshot of the new stage in the pipeline.

If vulnerabilities are found, the user can run `Check-CsprojVulnerabilities.ps1 -PrintReport` locally to see which packages need to be upgraded.
```
PS E:\GH\azure-functions-powershell-worker> .\Check-CsprojVulnerabilities.ps1 -PrintReport
Analyzing 'E:\GH\azure-functions-powershell-worker/src/Microsoft.Azure.Functions.PowerShellWorker.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.
No vulnerabilities found
Analyzing 'E:\GH\azure-functions-powershell-worker/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.
No vulnerabilities found
Analyzing 'E:\GH\azure-functions-powershell-worker/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.
Vulnerabilities found!
The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json
   https://azfunc.pkgs.visualstudio.com/e6a70c92-4128-439f-8012-382fe78d6396/_packaging/AzureFunctions%40internalrelease/nuget/v3/index.json
   https://azfunc.pkgs.visualstudio.com/e6a70c92-4128-439f-8012-382fe78d6396/_packaging/AzureFunctions%40staging/nuget/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `Azure.Functions.PowerShellWorker.E2E` has the following vulnerable packages
   [net8.0]:
   Transitive Package                 Resolved   Severity   Advisory URL
   > System.Net.Http                  4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions   4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

PS E:\GH\azure-functions-powershell-worker>
```
Pull request checklist

- [x] My changes do not require documentation changes
- [ ] Otherwise: Documentation issue linked to PR
- [x] My changes should not be added to the release notes for the next release
- [ ] Otherwise: I've added my notes to release_notes.md
- [ ] My changes do not need to be backported to a previous version
- [ ] Otherwise: Backport tracked by issue/PR #issue_or_pr
- [ ] I have added all required tests (Unit tests, E2E tests)
Issue describing the changes in this PR
Resolves https://github.com/Azure/azure-functions-powershell-worker/issues/1023
This PR contains the following changes:
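As an added example that is not the PR's own `Check-CsprojVulnerabilities.ps1` (its source is not on this page), the following PowerShell script has the same shape as the check the PR describes: it restores each project, runs `dotnet list package --vulnerable --include-transitive`, flags any project whose report contains the SDK's "has the following vulnerable packages" line, and exits non-zero so that a pipeline stage fails. The `-Projects` parameter, the placeholder project paths and the `Test-ProjectVulnerabilities` function are assumptions; `-PrintReport` mirrors the switch named in the PR. `--include-transitive` matters here because both findings in the report above are transitive packages, which a direct-only scan would miss.

```powershell
# Added example, not the project's Check-CsprojVulnerabilities.ps1.
# Assumes the .NET SDK is on PATH; project paths below are placeholders.
[CmdletBinding()]
param(
    # Projects to scan (placeholder paths relative to the repository root).
    [string[]] $Projects = @(
        'src/Example.Worker.csproj',
        'test/Unit/Example.Worker.Test.csproj'
    ),
    # Print the full `dotnet list package` report for projects with findings.
    [switch] $PrintReport
)

$ErrorActionPreference = 'Stop'

function Test-ProjectVulnerabilities {
    param([Parameter(Mandatory)] [string] $ProjectPath)

    Write-Host "Analyzing '$ProjectPath' for vulnerabilities..."

    # Restore first so the full package graph (including transitive packages)
    # is resolved; `dotnet list package` reads the restored assets file.
    dotnet restore $ProjectPath | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dotnet restore failed for '$ProjectPath' (exit code $LASTEXITCODE)"
    }

    # Capture the vulnerability report as one string. The SDK prints
    # "has the following vulnerable packages" for each project with findings.
    $report = dotnet list $ProjectPath package --vulnerable --include-transitive | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "dotnet list package failed for '$ProjectPath' (exit code $LASTEXITCODE)"
    }

    [pscustomobject]@{
        Project    = $ProjectPath
        Vulnerable = [bool]($report -match 'has the following vulnerable packages')
        Report     = $report
    }
}

$results = foreach ($p in $Projects) { Test-ProjectVulnerabilities -ProjectPath $p }

foreach ($r in $results) {
    if ($r.Vulnerable) {
        Write-Host 'Vulnerabilities found!' -ForegroundColor Red
        # The report lists package, resolved version, severity and advisory URL.
        if ($PrintReport) { Write-Host $r.Report }
    }
    else {
        Write-Host 'No vulnerabilities found' -ForegroundColor Green
    }
}

# A non-zero exit code makes the CI stage fail when any project has findings.
$failed = @($results | Where-Object { $_.Vulnerable }).Count
if ($failed -gt 0) {
    Write-Host "$failed project(s) have vulnerable packages. Re-run with -PrintReport to see which packages to upgrade." -ForegroundColor Red
    exit 1
}
exit 0
```

Because the flagged packages are transitive, upgrading them means either bumping the direct dependency that pulls them in or adding an explicit reference to a patched version so NuGet's resolution picks it over the vulnerable one; re-running the script afterwards confirms the report is clean.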