DynamicsValue / fake-xrm-easy

FakeXrmEasy: The Test Automation Framework for the Power Platform / Dataverse
https://dynamicsvalue.github.io/fake-xrm-easy-docs/why/

Library dependency on Microsoft.IdentityModel.Clients.ActiveDirectory dependency #160

Open SarviH opened 2 weeks ago

SarviH commented 2 weeks ago

I am using FakeXrmEasy.v9 to unit test plugins in Dynamics 365. The plugins are on .NET Framework v4.6.2, so I need to use FakeXrmEasy.v9 2.4.2. This version has a dependency on Microsoft.CrmSdk.XrmTooling.CoreAssembly, and unfortunately CoreAssembly has a dependency on Microsoft.IdentityModel.Clients.ActiveDirectory, which is deprecated. This causes vulnerability issues in my SonarQube scan. Have you ever seen this problem before? Can you help me to solve this, please?

jordimontana82 commented 2 weeks ago

Hi @SarviH

I see, that dependency is a transitive dependency that is not directly referenced by FakeXrmEasy but by Microsoft's XrmTooling package, as you said.

I checked it again and the latest version is still using it https://www.nuget.org/packages/Microsoft.CrmSdk.XrmTooling.CoreAssembly/.

I would suggest raising it with Microsoft and maybe add a specific rule in SonarQube so it would exclude that package in the meantime.

I'll also revisit that dependency, I think XrmTooling is mostly used by the XrmRealContext class, which uses a CrmServiceClient client behind the scenes for integration testing purposes.

If you're not using it I think this is relatively low risk and safe to ignore.

For client apps we have FakeXrmEasy v3.x versions that don't use that package but the latest DataverseClient instead.

What do you think?
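To check the claim above in your own project (that the deprecated package is only pulled in through XrmTooling), you can trace every dependency chain from your direct references to the flagged package in the graph NuGet writes to `obj/project.assets.json`. The script below is an added example for this thread, not code from FakeXrmEasy or its maintainers; the embedded assets document is constructed to match the packages named in the issue, `Example.Unrelated.Package` is hypothetical, and every version string other than `FakeXrmEasy.v9 2.4.2` is a placeholder.

```python
"""Trace how a deprecated NuGet package is reached through transitive references.

Reads the dependency graph NuGet writes to obj/project.assets.json and lists
every chain from a direct project reference to a given package id. Added example
for this issue thread, not part of FakeXrmEasy.
"""
import json
from typing import Dict, List, Set

# Constructed sample in the shape of project.assets.json. Package names come from
# the thread; every version except FakeXrmEasy.v9 2.4.2 is a placeholder, and
# Example.Unrelated.Package is hypothetical.
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {
        ".NETFramework,Version=v4.6.2": {
            "FakeXrmEasy.v9/2.4.2": {
                "type": "package",
                "dependencies": {
                    "Microsoft.CrmSdk.XrmTooling.CoreAssembly": "0.0.0-placeholder",
                    "Example.Unrelated.Package": "0.0.0-placeholder",
                },
            },
            "Microsoft.CrmSdk.XrmTooling.CoreAssembly/0.0.0-placeholder": {
                "type": "package",
                "dependencies": {
                    "Microsoft.IdentityModel.Clients.ActiveDirectory": "0.0.0-placeholder",
                },
            },
            "Microsoft.IdentityModel.Clients.ActiveDirectory/0.0.0-placeholder": {
                "type": "package",
            },
            "Example.Unrelated.Package/0.0.0-placeholder": {"type": "package"},
        }
    },
    "projectFileDependencyGroups": {
        ".NETFramework,Version=v4.6.2": ["FakeXrmEasy.v9 >= 2.4.2"]
    },
}


def build_graph(assets: dict, framework: str) -> Dict[str, Set[str]]:
    """Map each package id to the ids it depends on for one target framework.
    Keys look like 'Package.Id/1.2.3'; the assets file uses canonical ids, so
    the names can be matched exactly."""
    graph: Dict[str, Set[str]] = {}
    for key, entry in assets["targets"][framework].items():
        name = key.split("/", 1)[0]
        graph[name] = set(entry.get("dependencies", {}))
    return graph


def direct_references(assets: dict, framework: str) -> List[str]:
    """Packages referenced by the project file itself ('FakeXrmEasy.v9 >= 2.4.2')."""
    group = assets.get("projectFileDependencyGroups", {}).get(framework, [])
    return [line.split()[0] for line in group]


def find_paths(graph: Dict[str, Set[str]], roots: List[str], target: str) -> List[List[str]]:
    """Depth-first search for every dependency chain from a root to the target.
    Comparison is case-insensitive because NuGet package ids are."""
    want = target.lower()
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node.lower() == want:
            paths.append(trail)
            return
        for dep in sorted(graph.get(node, ())):
            if dep not in trail:  # guard against cycles in a malformed graph
                walk(dep, trail + [dep])

    for root in roots:
        walk(root, [root])
    return paths


def only_reached_via(paths: List[List[str]], package: str) -> bool:
    """True when every chain to the target passes through `package`, i.e. removing
    that one package would drop the flagged dependency from the project."""
    want = package.lower()
    return bool(paths) and all(any(p.lower() == want for p in chain) for chain in paths)


def audit(assets: dict, framework: str, target: str) -> List[List[str]]:
    """All chains from direct references to `target` for the given framework."""
    return find_paths(build_graph(assets, framework), direct_references(assets, framework), target)


def load_assets(path: str) -> dict:
    """Load a real obj/project.assets.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    tfm = ".NETFramework,Version=v4.6.2"
    chains = audit(SAMPLE_ASSETS, tfm, "Microsoft.IdentityModel.Clients.ActiveDirectory")
    for chain in chains:
        print(" -> ".join(chain))
    print("only via XrmTooling:", only_reached_via(chains, "Microsoft.CrmSdk.XrmTooling.CoreAssembly"))
```

Run it against `load_assets("obj/project.assets.json")` with your own target framework moniker; if `only_reached_via` reports that every chain goes through XrmTooling, the SonarQube exclusion suggested above covers exactly the code path the maintainer describes, and a future package split would remove the finding outright.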

SarviH commented 1 week ago

Hello @jordimontana82, thanks for your follow-up. As you said, v3 works for DataverseClient, which is for .NET Core; our plugin projects are on .NET Framework 4.6.2, so we can't use v3 :/

jordimontana82 commented 1 week ago

@SarviH as a workaround for the next release, we can revisit this and split any dependency on XrmTooling into a separate package. This would allow you to use the FakeXrmEasy.Plugins.v9 package without that dependency. But for the time being this is a vulnerability flagged in the MS package.

SarviH commented 1 week ago

Hello @jordimontana82, that's the best news ever! Could you please let me know when the next release is? This change will have a great impact on our decision on using FakeXrmEasy. I appreciate your help :)