elastic / ecs-dotnet

https://www.elastic.co/guide/en/ecs-logging/dotnet/current/setup.html
Apache License 2.0

IHttpContextAccessor not available in netstandard #343

Open alanbrito opened 10 months ago

alanbrito commented 10 months ago

ECS integration/library project(s) (e.g. Elastic.CommonSchema.Serilog): Elastic.CommonSchema.Serilog

ECS schema version (e.g. 1.4.0): 8.6.1 (but also older ones)

ECS .NET assembly version (e.g. 1.4.2): 8.6.1 (but also older ones)

Elasticsearch version (if applicable): n/a

.NET framework / OS: net6.0

Description of the problem, including expected versus actual behavior:

Elastic.CommonSchema.Serilog contains a couple of extension methods that add HTTP context to the Serilog structured log properties. It uses the IHttpContextAccessor interface to do this for .net standard and .net core. However, the IHttpContextAccessor interface is only available in the aspnetcore framework, not in dotnet standard, and not available in a nuget package. In the distant past, there actually WAS a nuget package for this: https://www.nuget.org/packages/Microsoft.AspNetCore.Http.Abstractions. However, these packages have long since been deprecated, and they pull in transitive dependencies that are full of vulnerabilities, such as System.Text.Encodings.Web (version 4.5).

In today's modern development, many organizations have nuget proxies that scan for vulnerabilities and prevent packages with severe vulnerabilities from being pulled by package managers. Nexus-IQ is one such tool.

Our workaround is to explicitly reference a newer version of System.Text.Encodings.Web, which causes the nuget dependency resolver to only pull the newer version.

Steps to reproduce:

Assumption: There is a mechanism in place that prevents pulling the System.Text.Encodings.Web (version 4.5) nuget package.

  1. Create a simple dotnet 6 application
  2. Add a reference to Elastic.CommonSchema.Serilog
  3. Run dotnet restore. You will see in the logs that it tries to pull System.Text.Encodings.Web.4.5, which is prevented by the above assumption.

In our minds, because the Elastic.CommonSchema.Serilog project references a deprecated nuget package, it is not truly netstandard compatible. However, we realize targeting only net6.0, etc. would be problematic for netstandard libraries. Our proposal is the following:

Split the classes referencing IHttpContextAccessor into another project (called Elastic.CommonSchema.Serilog.AspNetCore?), and this new project would only target .net FW and .net core. Any assembly consuming this new package would be inherently an aspnetcore project, so it should cause no problems. Only the correct version of the System.Text.Encodings.Web package will be pulled.
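An added example, not part of the original issue or of the ecs-dotnet code: a check over the `project.assets.json` that `dotnet restore` writes, listing which direct reference pulls in a blocked transitive package, and showing that a direct pin (the workaround described above) changes the resolved version. The sample data is constructed; only 8.6.1 and 4.5 come from the issue, while `0.0.0`, `9.9.9` and the exact dependency chain are assumptions.

```python
import copy

# Constructed, trimmed stand-in for obj/project.assets.json.
# "0.0.0" and "9.9.9" are placeholder versions, not real releases.
ASSETS = {
    "projectFileDependencyGroups": {"net6.0": ["Elastic.CommonSchema.Serilog >= 8.6.1"]},
    "targets": {"net6.0": {
        "Elastic.CommonSchema.Serilog/8.6.1": {
            "dependencies": {"Microsoft.AspNetCore.Http.Abstractions": "0.0.0"}},
        "Microsoft.AspNetCore.Http.Abstractions/0.0.0": {
            "dependencies": {"System.Text.Encodings.Web": "4.5.0"}},
        "System.Text.Encodings.Web/4.5.0": {},
    }},
}

def with_direct_pin(assets, package, version):
    """Model the workaround: a direct reference makes NuGet resolve `version` instead."""
    pinned = copy.deepcopy(assets)
    for fw, target in pinned["targets"].items():
        for key in [k for k in target if k.split("/")[0].lower() == package.lower()]:
            del target[key]
        target[f"{package}/{version}"] = {}
        pinned["projectFileDependencyGroups"][fw].append(f"{package} >= {version}")
    return pinned

def paths_to(assets, framework, package, bad_version):
    """List each chain of resolved packages from a direct reference to package@bad_version."""
    resolved = {}
    for key, entry in assets["targets"][framework].items():
        name, _, version = key.partition("/")
        resolved[name.lower()] = (f"{name}/{version}", version, entry.get("dependencies", {}))
    want = bad_version.split(".")
    found = []

    def walk(name, trail):
        if name.lower() not in resolved:
            return
        key, version, deps = resolved[name.lower()]
        if key in trail:  # guard against dependency cycles
            return
        trail = trail + [key]
        if name.lower() == package.lower():
            # The resolved version, not the range a parent asked for, is what gets downloaded.
            if version.split(".")[:len(want)] == want:
                found.append(trail)
            return
        for dep in deps:
            walk(dep, trail)

    for spec in assets["projectFileDependencyGroups"][framework]:
        walk(spec.split()[0], [])
    return found
```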

RefaelP23 commented 6 days ago

I'm surprised this issue hasn't even been addressed. We too wanted to upgrade from the Serilog.Formatting.Elasticsearch NuGet to the new Elastic.CommonSchema.Serilog but can't because these deprecated dependencies fail the vulnerability scan.