aws / amazon-s3-encryption-client-dotnet

An encryption client that allows you to secure your sensitive data before you send it to Amazon S3.
https://aws.github.io/amazon-s3-encryption-client-dotnet/
Apache License 2.0

Update BouncyCastle dependency #55

Closed simenstensas closed 2 months ago

simenstensas commented 3 months ago

Describe the bug

Please remove BouncyCastle dependency and replace it with BouncyCastle.Cryptography v2.4.0

See: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv

Expected Behavior

Works as intended

Current Behavior

Outdated dependency

Reproduction Steps

Nothing to write

Possible Solution

Changing dependency to BouncyCastle.Cryptography and solving possible breaking changes.

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.* 3.7.400.5

Targeted .NET Platform

.NET 6

Operating System and version

Windows 11

bhoradc commented 3 months ago

Hello @simenstensas,

Thank you for reporting this issue. In the S3 Encryption Client for .NET library, the BouncyCastle dependency is used when TargetFramework is .NET 3.5 alone; for others it's using the Portable.BouncyCastle package - Reference link.

We shall get rid of the BouncyCastle package when we update this library for the V4 effort, where the .NET Framework 3.5 target would be removed.

Regards, Chaitanya

simenstensas commented 3 months ago

Hi @bhoradc,

I understand. When can we expect a V4 release? Any timeline?

normj commented 3 months ago

@simenstensas I can't give an expected release for V4 because we always have lots of competing tasks supporting all AWS services. The first preview of V4 went out last week and the intention is for V4 to have a relatively short dev cycle to get to GA state.

simenstensas commented 2 months ago

@bhoradc Will the Portable.BouncyCastle dependency be removed as a part of V4 as well?

normj commented 2 months ago

@simenstensas Yes, all targets will use BouncyCastle.Cryptography in v4. We have shipped 3.0.0-preview.1 of the package that targets V4 of the SDK and uses BouncyCastle.Cryptography.

normj commented 2 months ago

I'm closing the issue because we have made the switch to BouncyCastle.Cryptography for V4 and have released a preview version. You can track the progress of V4 going GA by subscribing to the following V4 tracking issue.

https://github.com/aws/aws-sdk-net/issues/3362
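
One way to check which target frameworks of a restored project still resolve the older `BouncyCastle` or `Portable.BouncyCastle` packages discussed in this thread, including transitive references and the package that pulls them in. This is an added example, not code from the issue or the project; it assumes the `targets` layout of NuGet's `obj/project.assets.json`, and the sample data (the `Example.S3Crypto` package name, target names and all versions) is constructed.

```python
import json

# NuGet package IDs named in the thread; IDs compare case-insensitively.
LEGACY_IDS = {"bouncycastle", "portable.bouncycastle"}

# Constructed sample in the layout of obj/project.assets.json.
# Example.S3Crypto, the target names and every version are placeholders.
SAMPLE_ASSETS = json.dumps({
    "targets": {
        "net35": {
            "Example.S3Crypto/0.0.1": {"type": "package",
                                       "dependencies": {"BouncyCastle": "0.0.1"}},
            "BouncyCastle/0.0.1": {"type": "package"},
        },
        "net6.0": {
            "Example.S3Crypto/0.0.1": {"type": "package",
                                       "dependencies": {"Portable.BouncyCastle": "0.0.1"}},
            "Portable.BouncyCastle/0.0.1": {"type": "package"},
        },
        "net8.0": {
            "Example.S3Crypto/0.0.2": {"type": "package",
                                       "dependencies": {"BouncyCastle.Cryptography": "0.0.1"}},
            "BouncyCastle.Cryptography/0.0.1": {"type": "package"},
        },
    }
})


def find_legacy_bouncycastle(assets_json):
    """Return {target: [(package_id, version, [packages that depend on it])]}."""
    report = {}
    for target, libs in json.loads(assets_json).get("targets", {}).items():
        for key, meta in libs.items():
            pkg_id, _, version = key.partition("/")
            if meta.get("type") != "package" or pkg_id.lower() not in LEGACY_IDS:
                continue
            # Walk the same target's entries to see which packages pull it in.
            parents = sorted(
                other for other, m in libs.items()
                if any(d.lower() == pkg_id.lower() for d in m.get("dependencies", {}))
            )
            report.setdefault(target, []).append((pkg_id, version, parents))
    return report


if __name__ == "__main__":
    for target, hits in find_legacy_bouncycastle(SAMPLE_ASSETS).items():
        for pkg_id, version, parents in hits:
            print(f"{target}: {pkg_id} {version} via {', '.join(parents) or 'direct reference'}")
```

An exact ID match is used so that `BouncyCastle.Cryptography` is never reported as the legacy `BouncyCastle` package.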
