JetBrains / TeamCity.VSTest.TestAdapter

Apache License 2.0

Update dependencies for security fixes #50

Open victor-priceputu-tb opened 3 months ago

victor-priceputu-tb commented 3 months ago

Currently the package is dependent on NETStandard.Library@1.6.1 which by its own dependencies generates security warnings (6 in total). Updating it to the current latest version v2.0.3 solves the security issues. A quick scan with Snyk can show this.

Can we get an update to resolve these issues?

mchechulnikov commented 3 months ago

Hi @victor-priceputu-tb , Thank you for bringing this to our attention! Could you please advise,

victor-priceputu-tb commented 3 months ago

Hello, thank you for the quick reply.

We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

For the scanning we check our project for packages that have security issues or dependencies that have security issues, nothing fancy. Besides the automated scanning that happens, we just run Snyk via Rider (the IDE), which just does a quick package scan.

mchechulnikov commented 3 months ago

We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

Could you please clarify, are you using command line runner?

If so, please note that you could use the TeamCity .NET runner with the test command instead and you won't need to reference TeamCity.VSTest.TestAdapter in your project directly. It is considered the main way of using this package: implicitly via the .NET runner. As far as I understand, it could solve the issue with the scanner for now until we update the package.

And if you don't use the .NET runner, may I ask you why? That would be very helpful to us. The TeamCity .NET runner is a part of the bundled TeamCity .NET Support plugin and is open sourced as well.

For the scanning we check our project for packages that have security issues or dependencies that have security issues

Could you please share the CVEs, links to Snyk or any other details that you found in connection with NETStandard.Library@1.6.1? It would help us a lot to estimate the severity.

victor-priceputu-tb commented 2 months ago

Hey, apologies for the late response. We are using the command line runner, yes.

I am not sure why it is set up like this; the infrastructure department sets these up. We have multiple projects in multiple languages, so I guess it is to help have multiple agents that can run every project and minimise the time a pipeline is waiting for an agent. The following vulnerabilities are introduced through the NETStandard.Library dependency:

https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048

WGroenestein commented 1 month ago

Another idea would be to add an explicit net8.0 TFM, so this NETStandard.Library dependency is not needed when using that TFM
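The explicit-TFM suggestion above, shown as an added illustration that is not the project's own .csproj and not code from anyone in this thread. The existing target is assumed to be netstandard1.3 (a guess; the issue only tells us the package pulls in NETStandard.Library 1.6.1, which is the implicit reference the SDK adds for netstandard1.x targets). Adding net8.0 alongside it gives NuGet a second dependency group, and a consumer restoring for net8.0 selects that group, in which NETStandard.Library and its System.Net.Http / System.Text.RegularExpressions transitive packages do not appear.

```xml
<!-- Example.csproj: added illustration, not the TeamCity.VSTest.TestAdapter project file.
     Assumption: the package currently targets netstandard1.3; net8.0 is the new explicit TFM. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Multi-target: NuGet writes one dependency group per TFM into the .nuspec. -->
    <TargetFrameworks>netstandard1.3;net8.0</TargetFrameworks>
  </PropertyGroup>

  <!-- netstandard1.3 only: the SDK adds NETStandard.Library implicitly for netstandard1.x,
       so this group is where the System.Net.Http etc. transitive packages come from.
       Any package needed solely for the netstandard build belongs in a conditioned group
       like this one, so it never leaks into the net8.0 dependency group. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.3'">
    <!-- hypothetical placeholder; the real project may need nothing here -->
  </ItemGroup>

  <!-- net8.0: no NETStandard.Library reference is generated. The BCL comes from the
       Microsoft.NETCore.App framework reference, not from NuGet packages, so a scanner
       run against a net8.0 consumer sees an empty transitive graph from this package. -->

</Project>
```

After packing, the dependency group for net8.0 in the generated .nuspec is empty for the assumed project above, while the netstandard1.3 group still lists NETStandard.Library 1.6.1, so consumers on the old TFM keep the same findings until the 2.0.3 bump lands. To confirm what a consuming project actually restores, `dotnet list package --vulnerable --include-transitive` run in that project reports the transitive packages NuGet flags, per target framework.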