Open victor-priceputu-tb opened 6 months ago
Hi @victor-priceputu-tb , Thank you for bringing this to our attention! Could you please advise,
Hello, thank you for the quick reply.
We are using the library to output the test results in TeamCity, so we just execute dotnet test
in our step.
For the scanning we check our project for packages that have security issues or dependencies that have security issues, nothing fancy. Besides the automates scanning that happens, we just run Snyk via Rider (the IDE) that just does a quick package scanning.
We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.
Could you please clarify, are you using command line runner?
If so, please note that you could use the TeamCity .NET runner with the test
command instead and you won't need to reference TeamCity.VSTest.TestAdapter
in your project directly. It is considered the main way of using this package – implicitly via the .NET runner. As far as I understand, it could solve the issue with a scanner for now until we update the package.
And if you don't use the .NET runner, may I ask you why? That would be very helpful to us. The TeamCity .NET runner is a part of the bundled TeamCity .NET Support plugin and is open sourced as well.
For the scanning we check our project for packages that have security issues or dependencies that have security issues
Could you please share the CVEs, links on Snyk or any other details that you found in connection with NETStandard.Library@1.6.1? It would help us a lot to estimate the severity.
Hey, apologies for the late response. We are using the command line runner, yes.
I am not sure why it is set up like this, the infrastructure department sets these up. We have multiple projects in multiple languages so I guess it is to help have multiple agents that can run every project and minimise time where a pipeline is waiting for an agent.
The following vulnerabilities are introduced through the NETStandard.Library dependency:
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048
Another idea would be to add an explicit net8.0 TFM, so this NETStandard.Library dependency is not needed when using that TFM
And if you don't use .NET runner, may I ask you why? That would be very helpful to us.
FWIW - you can't use the .NET runner when you build docker containers and perform tests as part of the image build. You then have to use the adapter package to output console logs from the container build process in a way TeamCity can pick up to assemble test result logs.
Currently the package is dependent on
NETStandard.Library@1.6.1
which by its own dependencies generates security warnings (6 in total). Updating it to the current latest version v2.0.3 solves the security issues. A quick scan with Snyk can show this. Can we get an update to resolve these issues?
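As an added example that is not part of this issue or of the TeamCity project: the same transitive-dependency warnings the Snyk scan reports can be turned into a CI gate using the .NET SDK's own `dotnet list package --vulnerable --include-transitive` output, so a vulnerable package pulled in by NETStandard.Library fails the build step before `dotnet test` runs. The project name, the sample report text and the advisory URLs below are constructed placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example, not code from the issue or the TeamCity project: turn the
# SDK's own vulnerable-package listing into a CI gate, so a transitive
# dependency (here, what NETStandard.Library pulls in) fails the build
# rather than only showing up in an IDE-side Snyk scan.
#
# Real capture (project name and path are hypothetical):
#   dotnet list MyTests.csproj package --vulnerable --include-transitive
#
# Constructed sample in the shape of that command's output; the advisory
# URLs are placeholders, not real identifiers.
SAMPLE_REPORT='Project `MyTests` has the following vulnerable packages
   [net8.0]:
   Transitive Package               Resolved   Severity   Advisory URL
      > System.Net.Http               4.1.0      High       https://example.invalid/advisory/PLACEHOLDER-1
      > System.Text.RegularExpressions 4.1.0      High       https://example.invalid/advisory/PLACEHOLDER-2
'

# Constructed sample for a project with nothing flagged.
CLEAN_REPORT='The given project `MyTests` has no vulnerable packages given the current sources.
'

# count_vulnerable REPORT_TEXT [MIN_SEVERITY]
# Prints how many flagged packages (top-level or transitive, both are listed
# as "> Name Version Severity URL" lines) are at or above MIN_SEVERITY.
# Severity names are NuGet's: Low, Moderate, High, Critical (default: Low).
count_vulnerable() {
    printf '%s\n' "$1" | awk -v min="${2:-Low}" '
        function rank(s) {
            return s == "Critical" ? 4 : (s == "High" ? 3 : (s == "Moderate" ? 2 : (s == "Low" ? 1 : 0)))
        }
        $1 == ">" && rank($4) >= rank(min) { n++ }
        END { print n + 0 }'
}

# check_report REPORT_TEXT [MIN_SEVERITY]
# Exit status 0 when nothing is flagged at the threshold, 1 otherwise, so it
# can sit directly in a build step before `dotnet test`.
check_report() {
    n=$(count_vulnerable "$1" "$2")
    if [ "$n" -gt 0 ]; then
        printf 'FAIL: %s vulnerable package(s) at or above %s severity\n' "$n" "${2:-Low}" >&2
        return 1
    fi
    printf 'OK: no vulnerable packages at or above %s severity\n' "${2:-Low}"
    return 0
}
```

In a build step, `check_report "$(dotnet list package --vulnerable --include-transitive)" High` fails the step on any High or Critical finding while still letting the full listing be archived as a build artifact.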