Azure / azure-functions-vs-build-sdk

MSBuild task for Azure Functions
MIT License

Vulnerabilities in referenced packages #545

Closed racingcow closed 1 year ago

racingcow commented 2 years ago

Hello,

I'm using the latest version of microsoft.net.sdk.functions (4.1.0 at the time of this writing) to run Functions in Azure. I'm also using WhiteSource to help identify potential security vulnerabilities.

When running WhiteSource, I get the following vulnerabilities reported from these packages as shown below, each of which is referenced by the functions package.

Are there plans to release a new version of the microsoft.net.sdk.functions package to reference the upgraded versions of the insecure packages referenced below? If so, is there a target date for that?

system.net.http.4.3.0.nupkg

CVEs

Dependency chain...

microsoft.net.sdk.functions.4.1.0.nupkg
↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg
↓ microsoft.aspnet.webapi.client.5.2.4.nupkg
↓ newtonsoft.json.bson.1.0.1.nupkg
↓ netstandard.library.1.6.1.nupkg
↓ system.net.http.4.3.0.nupkg

Recommendation

Upgrade system.net.http to 4.3.2.

system.text.regularexpressions.4.3.0.nupkg

CVEs

CVE-2019-0820

Dependency chain...

microsoft.net.sdk.functions.4.1.0.nupkg
↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg
↓ microsoft.aspnet.webapi.client.5.2.4.nupkg
↓ newtonsoft.json.bson.1.0.1.nupkg
↓ netstandard.library.1.6.1.nupkg
↓ system.xml.xdocument.4.3.0.nupkg
↓ system.xml.readerwriter.4.3.0.nupkg
↓ system.text.regularexpressions.4.3.0.nupkg

Recommendation

Upgrade system.text.regularexpressions to version 4.3.1.

microsoft.aspnetcore.http.2.1.0.nupkg

CVEs

CVE-2020-1045

Dependency chain...

microsoft.net.sdk.functions.4.1.0.nupkg
↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg
↓ microsoft.aspnetcore.http.2.1.0.nupkg

Recommendation

Update microsoft.aspnetcore.http to version 2.1.22.
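
One interim mitigation for the three flagged transitive packages, as an added example that is not from the issue or the SDK project: pin the recommended versions directly in the Functions project file so NuGet's nearest-wins resolution picks them over the versions pulled in by Microsoft.NET.Sdk.Functions 4.1.0. The target framework, AzureFunctionsVersion and the canonical package-ID casing are assumptions; the version numbers are the ones recommended in the report above.

```xml
<!-- Functions project .csproj (added example, not from the issue or the SDK repo).
     Assumes an Azure Functions v4 project on net6.0 referencing Microsoft.NET.Sdk.Functions 4.1.0. -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <AzureFunctionsVersion>v4</AzureFunctionsVersion>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.1.0" />

    <!-- Temporary overrides: a direct PackageReference is "nearer" than the
         transitive reference in the dependency chains listed above, so restore
         resolves these versions instead of the flagged 4.3.0 / 4.3.0 / 2.1.0.
         Remove them once the project moves to an SDK release whose own
         dependencies are bumped, so the pins do not mask future drift. -->
    <PackageReference Include="System.Net.Http" Version="4.3.2" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.22" />
  </ItemGroup>
</Project>
```

After `dotnet restore`, `dotnet list package --include-transitive` shows the resolved versions, and `dotnet list package --vulnerable --include-transitive` reports anything still flagged against the NuGet advisory feed.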

apilosofms commented 2 years ago

Any update on this? It's causing CG issues which can't be fixed.

rsrinivasanhome commented 2 years ago

Any update on this issue? When is it planned to be fixed?

fowl2 commented 1 year ago

FYI, it appears that Microsoft.NET.Sdk.Functions 4.1.2 has been released on NuGet, with dependencies bumped.

(Missing release notes are being tracked: https://github.com/Azure/azure-functions-vs-build-sdk/issues/512)

brettsam commented 1 year ago

Fixed with #581 and released in 4.1.2 as noted above.

jeffpuckett commented 1 year ago

This has not been fixed. Please see #608.