SonarSource / sonar-scanner-msbuild

SonarScanner for .NET
http://redirect.sonarsource.com/doc/msbuild-sq-runner.html
GNU Lesser General Public License v3.0

[Infra] Amend pipeline to use newer NuGet version #1274

Open duncanp-sonar opened 2 years ago

duncanp-sonar commented 2 years ago

Description

Microsoft recently announced a CVE that affects current versions of NuGet. Patched versions are available.

Although the scanner pipeline is using a vulnerable version of NuGet, it is not directly impacted by the CVE as we do not push/publish packages from the pipeline.

However, there are two small improvements we could make: 1) stop using the affected version, since a patch is available, and 2) change the pipeline to use a wildcard when referencing the NuGet version.

Regarding the second point, the pipeline is currently specifying a fixed three-part version for NuGet. If we used a two-part version with a wildcard, then the pipeline would automatically pick up security fixes without any additional work on our part.

andrei-epure-sonarsource commented 2 years ago

> Regarding the second point, the pipeline is currently specifying a fixed three-part version for NuGet. If we used a two-part version with a wildcard, then the pipeline would automatically pick up security fixes without any additional work on our part.

This should be safe in terms of dependency confusion because we filter based on authors.

duncanp-sonar commented 2 years ago

> This should be safe in terms of dependency confusion because we filter based on authors.

The filtering is done in the nuget.config file, isn't it? It looks like NuGetToolInstaller task doesn't look at the config file; it seems to be hard-coded to look at a specific URL to get the list of available versions. So it should be safe.
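The change discussed in this thread, shown as an added Azure Pipelines fragment rather than the project's own pipeline: it assumes the NuGetToolInstaller@1 task, and the version numbers are placeholders, since the pinned value is not given above.

```yaml
# Constructed example; not the repository's actual pipeline definition.
# Before: a fixed three-part version pins the pipeline to one NuGet build, so a
# patched release is only picked up when someone edits this file by hand.
- task: NuGetToolInstaller@1
  displayName: 'Install NuGet (pinned; needs a manual bump for security fixes)'
  inputs:
    versionSpec: '6.0.0'   # placeholder; the real pinned version is not stated in the thread

# After: a two-part version with a wildcard resolves to the newest release of that
# line on the feed the task queries, so patch releases are picked up automatically.
- task: NuGetToolInstaller@1
  displayName: 'Install NuGet (latest patch of the 6.x line)'
  inputs:
    versionSpec: '6.x'     # placeholder major/minor; wildcard selects the highest matching patch
    checkLatest: true      # re-query the feed on each run instead of reusing a cached match
```

As the thread notes, the author-based filtering lives in nuget.config and governs package restore, not this task; the wildcard only changes which NuGet client build the task downloads.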