RicoSuter / NSwag

The Swagger/OpenAPI toolchain for .NET, ASP.NET Core and TypeScript.
http://NSwag.org
MIT License

Update transitive Microsoft.AspNetCore dependencies in NSwag.Commands… #4716

Closed Numpsy closed 5 months ago

Numpsy commented 7 months ago

… to fix reported security vulnerabilities

refs #2824

Mend / Whitesource is complaining about libraries included in NSwag.MSBuild, but actually current Visual Studio versions will display warnings themselves in the package manager: [image]

olegd-superoffice commented 6 months ago

@RicoSuter These are transitive references, so in order to update they need to be referenced directly. They are flagged as vulnerable by the .Net 8 SDK as well. Here's the output of `dotnet list package --vulnerable --include-transitive --framework net462`:

```
Project `NSwag.Commands` has the following vulnerable packages
[net462]:
> Transitive Package                                         Resolved   Severity   Advisory URL
> Microsoft.AspNetCore.Http                                  2.1.1      High       https://github.com/advisories/GHSA-hxrm-9w7p-39cc
> Microsoft.AspNetCore.Server.Kestrel.Core                   2.1.3      High       https://github.com/advisories/GHSA-6px8-22w5-w334
                                                                        High       https://github.com/advisories/GHSA-242j-2gm6-5rwx
> Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets      2.1.3      High       https://github.com/advisories/GHSA-vmch-3w2x-vhgq
> System.Net.Http                                            4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
> System.Text.RegularExpressions                             4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj
```

@Numpsy Microsoft.AspNetCore.* packages are referenced only for .Net 4.6.2 framework, but System.Net.Http and System.Text.RegularExpressions are referenced for all targets and probably should be referenced directly as well? Does Mend / Whitesource complain about these two?
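An added example (not NSwag project code) of turning the report quoted above into a CI gate: a parser for the `dotnet list package --vulnerable --include-transitive` table, including the continuation row that lists a second advisory for the same package, and a severity check that counts transitive findings. The sample input is constructed from the rows in the comment; the `Finding` class and function names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the report quoted above, including a continuation row.
SAMPLE_OUTPUT = """\
Project `NSwag.Commands` has the following vulnerable packages
   [net462]:
   Transitive Package                             Resolved   Severity   Advisory URL
      > Microsoft.AspNetCore.Http                 2.1.1      High       https://github.com/advisories/GHSA-hxrm-9w7p-39cc
      > Microsoft.AspNetCore.Server.Kestrel.Core  2.1.3      High       https://github.com/advisories/GHSA-6px8-22w5-w334
                                                             High       https://github.com/advisories/GHSA-242j-2gm6-5rwx
      > System.Net.Http                           4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
"""

SEVERITIES = ("Low", "Moderate", "High", "Critical")
SEV = "|".join(SEVERITIES)
PROJECT = re.compile(r"^Project `([^`]+)` has the following vulnerable packages")
FRAMEWORK = re.compile(r"^\s*\[([^\]]+)\]:\s*$")
# Top-level rows carry Requested and Resolved; transitive rows carry Resolved only.
ROW = re.compile(rf"^\s*>\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s+({SEV})\s+(\S+)\s*$")
CONT = re.compile(rf"^\s+({SEV})\s+(\S+)\s*$")  # further advisory for the previous row


@dataclass
class Finding:
    project: str
    framework: str
    package: str
    resolved: str
    advisories: list  # (severity, advisory URL) pairs

def parse_report(text):
    findings, project, framework, last = [], None, None, None
    for line in text.splitlines():
        if m := PROJECT.match(line):
            project = m.group(1)
        elif m := FRAMEWORK.match(line):
            framework = m.group(1)
        elif m := ROW.match(line):
            pkg, v1, v2, sev, url = m.groups()
            last = Finding(project, framework, pkg, v2 or v1, [(sev, url)])
            findings.append(last)
        elif (m := CONT.match(line)) and last is not None:
            last.advisories.append(m.groups())  # attach to the row above
    return findings

def should_fail(findings, threshold="High"):
    # Transitive packages count too; their advisories are what this thread is about.
    ranks = [SEVERITIES.index(s) for f in findings for s, _ in f.advisories]
    return bool(ranks) and max(ranks) >= SEVERITIES.index(threshold)
```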

Numpsy commented 6 months ago

I'm not seeing those listed at work currently in NSwag.MSBuild 14.0.2, and Mend does usually love to complain about the regex one. Thing with that one is that it's often not a real problem as most .NET versions have inbox versions that are newer and which take precedence over the old nuget packages, and as Mend is only looking at the binaries in this case and not the source, there might not be any issue for end users. We could still see about doing an update though.

Saying that though -

Those old libraries seem to be getting pulled in via transitive references to NETStandard.Library version 1.6.1, and you can sometimes avoid the issue and also greatly reduce the number of referenced nuget packages by updating NETStandard.Library to version 2.

Also -