SpecFlowOSS / SpecFlow

#1 .NET BDD Framework. SpecFlow automates your testing & works with your existing code. Find Bugs before they happen. Behavior Driven Development helps developers, testers, and business representatives to get a better understanding of their collaboration
https://www.specflow.org/

Specflow v 3.9.74 is vulnerable to WS-2022-0161 #2694

Closed ebjornset closed 1 year ago

ebjornset commented 1 year ago

SpecFlow Version

3.9.74

Which test runner are you using?

xUnit

Test Runner Version Number

3.9.74

.NET Implementation

.NET 6.0

Project Format of the SpecFlow project

Sdk-style project format

.feature.cs files are generated using

SpecFlow.Tools.MsBuild.Generation NuGet package

Test Execution Method

Visual Studio Test Explorer

SpecFlow Section in app.config or content of specflow.json

```json
{
  "$schema": "https://specflow.org/specflow-config.json",
  "allowDebugGeneratedFiles": true,
  "livingDocGenerator": {
    "enabled": true,
    "filepath": ".specflow.livingdoc.data.json"
  },
  "stepAssemblies": [
    { "assembly": "DryGen.DevUtils" }
  ]
}
```

Issue Description

We use SpecFlow to write our tests, and are quite happy with it. We also use Bolt Mend as a GitHub check and it suddenly reported that specflow.tools.msbuild.generation.3.9.74.nupkg is vulnerable to WS-2022-0161, with a link to this GitHub commit in Newtonsoft.Json https://github.com/JamesNK/Newtonsoft.Json/commit/7e77bbe1beccceac4fc7b174b53abfefac278b66. So our PR build is failing at the moment.

From what I can see the security issue is caused by the dependency on Microsoft.Extensions.DependencyModel v 1.0.3 in SpecFlow itself, since this version is dependent on Newtonsoft.Json v9.0.1.

I've noticed that you've updated the version of the Microsoft.Extensions.DependencyModel dependency in v4.0.7-beta, but when I upgraded I got a warning that the SpecFlow version is out of range due to us also using the SpecFlow.Plus.LivingDocPlugin v 3.9.57 (the latest I can find on NuGet).

I don't think WS-2022-0161 is a real issue for us, since SpecFlow is only used for our tests. The problem is that the Bolt Mend GitHub check prevents us from merging new PRs without using SpecFlow v4.0.7-beta. But when using this version we get the version range warnings.

So the question is if there will be a new SpecFlow v3.x where the version of the Microsoft.Extensions.DependencyModel dependency is bumped, or if there will be a new SpecFlow.Plus.LivingDocPlugin version that depends on SpecFlow v4.x soon?

Steps to Reproduce

I guess you'll need a GitHub project where the Mend Bolt check is enabled that references specflow.tools.msbuild.generation v3.9.74. When you create a PR in this repo the check should fail.

You can look at our report from the check that failed our last PR here: https://github.com/ebjornset/DryGen/pull/54/checks?check_run_id=11283496811

Link to Repro Project

No response

SabotageAndi commented 1 year ago

This issue was reported already in the past: https://github.com/SpecFlowOSS/SpecFlow/issues/2609

No, there will be no 3.x version with an updated dependency as updating it needed a lot of additional changes. As we depend on it with a >=, you can simply update the package manually in your project.
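The override the maintainer describes, as an added example that is not part of the thread or of SpecFlow's own sources: a direct `PackageReference` in the test project sits closer in the dependency graph than SpecFlow's transitive `>=` reference, so NuGet resolves the higher version. The SpecFlow package versions are the ones from the issue; the Microsoft.Extensions.DependencyModel and Newtonsoft.Json versions are assumptions (use the version your scanner reports as fixed), and the xUnit runner packages are omitted.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Matches the .NET 6.0 setup described in the issue. -->
    <TargetFramework>net6.0</TargetFramework>
    <IsPackable>false</IsPackable>
  </PropertyGroup>

  <ItemGroup>
    <!-- SpecFlow packages at the versions named in the issue. -->
    <PackageReference Include="SpecFlow.xUnit" Version="3.9.74" />
    <PackageReference Include="SpecFlow.Tools.MsBuild.Generation" Version="3.9.74" />
    <PackageReference Include="SpecFlow.Plus.LivingDocPlugin" Version="3.9.57" />

    <!-- Direct references replace the transitive chain the issue describes
         (Microsoft.Extensions.DependencyModel 1.0.3 -> Newtonsoft.Json 9.0.1).
         NuGet prefers the nearest reference, and SpecFlow's ">=" lower bound
         accepts the newer versions. Both version numbers below are assumptions,
         not values taken from the issue. -->
    <PackageReference Include="Microsoft.Extensions.DependencyModel" Version="6.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>

</Project>
```

After `dotnet restore`, `dotnet list package --include-transitive` shows which Newtonsoft.Json version actually resolved, and `dotnet list package --vulnerable --include-transitive` reports anything the NuGet advisory feed still flags.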

github-actions[bot] commented 1 year ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.