Closed racingcow closed 1 year ago
Any update on this? It's causing CG issues which can't be fixed.
Any update on this issue? When is it planned to be fixed?
FYI, it appears that Microsoft.NET.Sdk.Functions 4.1.2 has been released on NuGet, with dependencies bumped.
(Missing release notes are being tracked: https://github.com/Azure/azure-functions-vs-build-sdk/issues/512)
Fixed with #581 and released in 4.1.2 as noted above.
This has not been fixed. Please see #608.
Hello,
I'm using the latest version of microsoft.net.sdk.functions (4.1.0 at the time of this writing) to run Functions in Azure. I'm also using WhiteSource to help identify potential security vulnerabilities.
When running WhiteSource, I get the following vulnerabilities reported from these packages as shown below, each of which is referenced by the functions package.
Are there plans to release a new version of the microsoft.net.sdk.functions package to reference the upgraded versions of the insecure packages referenced below? If so, is there a target date for that?
system.net.http.4.3.0.nupkg
CVEs
Dependency chain...
microsoft.net.sdk.functions.4.1.0.nupkg ↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg ↓ microsoft.aspnet.webapi.client.5.2.4.nupkg ↓ newtonsoft.json.bson.1.0.1.nupkg ↓ netstandard.library.1.6.1.nupkg ↓ system.net.http.4.3.0.nupkg
Recommendation
Upgrade system.net.http to 4.3.2.
system.text.regularexpressions.4.3.0.nupkg
CVEs
CVE-2019-0820
Dependency chain...
microsoft.net.sdk.functions.4.1.0.nupkg ↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg ↓ microsoft.aspnet.webapi.client.5.2.4.nupkg ↓ newtonsoft.json.bson.1.0.1.nupkg ↓ netstandard.library.1.6.1.nupkg ↓ system.xml.xdocument.4.3.0.nupkg ↓ system.xml.readerwriter.4.3.0.nupkg ↓ system.text.regularexpressions.4.3.0.nupkg
Recommendation
Upgrade system.text.regularexpressions to version 4.3.1.
microsoft.aspnetcore.http.2.1.0.nupkg
CVEs
CVE-2020-1045
Dependency chain...
microsoft.net.sdk.functions.4.1.0.nupkg ↓ microsoft.azure.webjobs.extensions.http.3.0.2.nupkg ↓ microsoft.aspnetcore.http.2.1.0.nupkg
Recommendation
Update microsoft.aspnetcore.http to version 2.1.22.
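Added example (not part of the original issue and not WhiteSource or Microsoft code): one way to reproduce the dependency chains above by walking the `targets` section of a restored project's `obj/project.assets.json` and flagging packages resolved below the recommended versions. The sample data is constructed from the package names and versions in the report; the `net6.0` framework name and the names `MINIMUMS`, `SAMPLE`, `parse_version` and `find_chains` are assumptions.

```python
from collections import deque
# Minimum fixed versions, copied from the recommendations in the report above.
MINIMUMS = {"system.net.http": "4.3.2", "system.text.regularexpressions": "4.3.1",
            "microsoft.aspnetcore.http": "2.1.22"}

# Constructed sample in the shape of the "targets" section of obj/project.assets.json
# (package names and versions from the report; "net6.0" is an assumed framework).
SAMPLE = {"targets": {"net6.0": {
    "Microsoft.NET.Sdk.Functions/4.1.0": {"dependencies": {"Microsoft.Azure.WebJobs.Extensions.Http": "3.0.2"}},
    "Microsoft.Azure.WebJobs.Extensions.Http/3.0.2": {"dependencies": {
        "Microsoft.AspNet.WebApi.Client": "5.2.4", "Microsoft.AspNetCore.Http": "2.1.0"}},
    "Microsoft.AspNet.WebApi.Client/5.2.4": {"dependencies": {"Newtonsoft.Json.Bson": "1.0.1"}},
    "Newtonsoft.Json.Bson/1.0.1": {"dependencies": {"NETStandard.Library": "1.6.1"}},
    "NETStandard.Library/1.6.1": {"dependencies": {"System.Net.Http": "4.3.0", "System.Xml.XDocument": "4.3.0"}},
    "System.Xml.XDocument/4.3.0": {"dependencies": {"System.Xml.ReaderWriter": "4.3.0"}},
    "System.Xml.ReaderWriter/4.3.0": {"dependencies": {"System.Text.RegularExpressions": "4.3.0"}},
    "System.Net.Http/4.3.0": {}, "System.Text.RegularExpressions/4.3.0": {}, "Microsoft.AspNetCore.Http/2.1.0": {},
}}}

def parse_version(text):  # numeric part as a comparable tuple; prerelease label dropped
    return tuple(int(part) for part in text.split("-")[0].split("."))

def find_chains(assets, framework, root, minimums=MINIMUMS):
    """Return {package: [chain from root]} for resolved packages below their minimum."""
    resolved, edges = {}, {}
    for key, lib in assets["targets"][framework].items():
        name, version = key.split("/")
        resolved[name.lower()] = version
        edges[name.lower()] = [dep.lower() for dep in lib.get("dependencies", {})]
    # Breadth-first search from the root records one shortest path to each package.
    parent, queue = {root.lower(): None}, deque([root.lower()])
    while queue:
        node = queue.popleft()
        for dep in edges.get(node, []):
            if dep in resolved and dep not in parent:
                parent[dep] = node
                queue.append(dep)
    findings = {}
    for name, minimum in minimums.items():
        if name in parent and parse_version(resolved[name]) < parse_version(minimum):
            chain, node = [], name
            while node is not None:
                chain.append(f"{node}/{resolved[node]}")
                node = parent[node]
            findings[name] = chain[::-1]
    return findings

if __name__ == "__main__":
    print(find_chains(SAMPLE, "net6.0", "Microsoft.NET.Sdk.Functions"))
```

Against a real project, load the file with `json.load` after a restore and pass the framework key that appears under `targets`.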