DynamicsValue / fake-xrm-easy

FakeXrmEasy: The Test Automation Framework for the Power Platform / Dataverse
https://dynamicsvalue.github.io/fake-xrm-easy-docs/why/

Library dependency on Microsoft.IdentityModel.Clients.ActiveDirectory dependency #160

Open SarviH opened 2 months ago

SarviH commented 2 months ago

I am using FakeXRMEasy.v9 to unit test plugins in Dynamics 365. The plugins are on .NetFramework v4.6.2, so I need to use FakeXrmEasy.v9 2.4.2. This version has a dependency on Microsoft.CrmSdk.XrmTooling.CoreAssembly, and unfortunately CoreAssembly has a dependency on Microsoft.IdentityModel.Clients.ActiveDirectory, which is deprecated. This causes vulnerability issues in my SonarQube scan. Have you ever seen this problem before? Can you help me to solve this, please?

jordimontana82 commented 2 months ago

Hi @SarviH

I see, that dependency is a transitive dependency that is not directly referenced by FakeXrmEasy but by Microsoft's XrmTooling package, as you said.

I checked it again and the latest version is still using it https://www.nuget.org/packages/Microsoft.CrmSdk.XrmTooling.CoreAssembly/.

I would suggest raising it with Microsoft and maybe adding a specific rule in SonarQube so it would exclude that package in the meantime.

I'll also revisit that dependency. I think XrmTooling is mostly used by the XrmRealContext class, which uses a CrmServiceClient client behind the scenes for integration testing purposes.

If you're not using it I think this is relatively low risk and safe to ignore.

For client apps we have FakeXrmEasy v3.x versions that don't use that package but the latest DataverseClient too.

What do you think?
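One way to confirm where that transitive reference actually enters the graph before deciding on a SonarQube exclusion: the script below, an added example that is not part of this thread or of the FakeXrmEasy project, walks a NuGet packages.lock.json and lists each chain from a directly referenced package down to the flagged one. The lock file content is constructed; only the FakeXrmEasy.v9 2.4.2 version comes from the issue, and every other version string is a placeholder.

```python
import json

# Constructed sample of a NuGet packages.lock.json (the file `dotnet restore` writes
# when RestorePackagesWithLockFile is enabled). Only "FakeXrmEasy.v9" 2.4.2 comes from
# the issue; every other version string is a placeholder.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net462": {
            "FakeXrmEasy.v9": {
                "type": "Direct", "requested": "[2.4.2, )", "resolved": "2.4.2",
                "dependencies": {"Microsoft.CrmSdk.XrmTooling.CoreAssembly": "0.0.0-placeholder"},
            },
            "Microsoft.CrmSdk.XrmTooling.CoreAssembly": {
                "type": "Transitive", "resolved": "0.0.0-placeholder",
                "dependencies": {"Microsoft.IdentityModel.Clients.ActiveDirectory": "0.0.0-placeholder"},
            },
            "Microsoft.IdentityModel.Clients.ActiveDirectory": {
                "type": "Transitive", "resolved": "0.0.0-placeholder",
            },
            "Some.Unrelated.Package": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
        }
    },
})


def dependency_paths(lock_json, target):
    """Return every chain from a directly referenced package down to `target`,
    as {framework: [[direct_id, ..., target_id], ...]}. Ids compare
    case-insensitively, as NuGet does; an empty dict means no path exists."""
    lock = json.loads(lock_json)
    want = target.lower()
    result = {}
    for tfm, packages in lock.get("dependencies", {}).items():
        graph = {pid.lower(): (pid, entry) for pid, entry in packages.items()}
        found = []

        def walk(key, path):
            pid, entry = graph.get(key, (None, {}))
            if pid is None or pid in path:  # unknown id, or a cycle: stop here
                return
            path = path + [pid]
            if key == want:
                found.append(path)
                return
            for child in entry.get("dependencies", {}):
                walk(child.lower(), path)

        for key, (pid, entry) in graph.items():
            if entry.get("type") == "Direct":  # only start from packages the project references itself
                walk(key, [])
        if found:
            result[tfm] = found
    return result


if __name__ == "__main__":
    for tfm, chains in dependency_paths(SAMPLE_LOCK, "Microsoft.IdentityModel.Clients.ActiveDirectory").items():
        for chain in chains:
            print(tfm, " -> ".join(chain))
```

Run it against the real lock file of the plugin test project to see whether the chain goes through XrmTooling only, which is the question the comment above raises.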

SarviH commented 2 months ago

Hello @jordimontana82, thanks for your follow-up. As you said, v3 works for DataverseClient, which is for .NetCore; our plugin projects are on .NetFramework 4.6.2, so we can't use v3 :/

jordimontana82 commented 2 months ago

@SarviH as a workaround for the next release, we can revisit this and split any dependency on XrmTooling into a separate package. This would allow you to use the FakeXrmEasy.Plugins.v9 package without that dependency. But for the time being this is a vulnerability flagged in the MS package.

SarviH commented 2 months ago

Hello @jordimontana82, that's the best news ever! Could you please let me know when the next release is? This change will have a great impact on our decision on using FakeXRMEasy. I appreciate your help :)

SarviH commented 3 weeks ago

Hello @jordimontana82, I hope you're doing great. Any news on this library dependency for us? I think we are officially going to use FakeXRMEasy in the new year. Please keep me posted on this subject. Thanks a lot and have a nice week :)

jordimontana82 commented 2 weeks ago

@SarviH sorry for the delay on this. Yes, it has already been done in the dev branch and will hopefully be promoted to live soon.