microsoft / ApplicationInsights-Kubernetes

Enrich the telemetry data for .NET applications running inside containers that are managed by Kubernetes.

Transitive vulnerable dependencies v7.0.0 #365

Open almegdad opened 5 days ago

almegdad commented 5 days ago

Describe the bug
Transitive vulnerable packages need to be upgraded for the Microsoft.ApplicationInsights.Kubernetes and Microsoft.ApplicationInsights.Kubernetes.HostingStartup packages.

Package Versions
Application Insights Kubernetes Version: 7.0.0
Application Insights SDK Version: 7.0.0

To Reproduce
Steps to reproduce the behavior: run the command `dotnet list package --include-transitive --vulnerable`

```text
Project ApplicationInsights.Kubernetes has the following vulnerable packages
   [net6.0]:
   Transitive Package                      Resolved   Severity   Advisory URL
   Microsoft.IdentityModel.JsonWebTokens   7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   System.IdentityModel.Tokens.Jwt         7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52

Project UnitTests has the following vulnerable packages
   [net6.0]:
   Transitive Package                      Resolved   Severity   Advisory URL
   Microsoft.IdentityModel.JsonWebTokens   7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   System.IdentityModel.Tokens.Jwt         7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   System.Net.Http                         4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   System.Text.RegularExpressions          4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Project ApplicationInsights.Kubernetes.HostingStartup has the following vulnerable packages
   [net6.0]:
   Transitive Package                      Resolved   Severity   Advisory URL
   Microsoft.IdentityModel.JsonWebTokens   7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   System.Drawing.Common                   4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
   System.IdentityModel.Tokens.Jwt         7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
```

Expected behavior
Transitive vulnerable packages need to be resolved.

Additional context
To fix the issue:

1. Project ApplicationInsights.Kubernetes: upgrade the KubernetesClient package from version 12.1.1 to 13.0.11
2. Project ApplicationInsights.Kubernetes.HostingStartup: upgrade the Microsoft.ApplicationInsights.AspNetCore package from version 2.21.0 to 2.22.0
3. Project UnitTests: upgrade xunit and xunit.runner.visualstudio from version 2.4.* to 2.6.*
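As an added example (not code from this issue or from the ApplicationInsights-Kubernetes project), here is a small CI gate that parses the text report produced by `dotnet list package --include-transitive --vulnerable` and returns the findings at or above a chosen severity, so a regression like the one reported above fails the build instead of shipping. It assumes the standard report layout (project name optionally back-quoted, package rows optionally prefixed with `>`); the sample report is constructed to mirror this issue's findings, not captured output.

```python
import re
from collections import namedtuple

# Severity levels as printed by `dotnet list package --vulnerable` (GitHub advisory scale).
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
Finding = namedtuple("Finding", "project framework kind package version severity advisory")

# Line shapes of the report (project name is back-quoted in real output; optional here).
PROJECT_RE = re.compile(r"^Project `?(?P<project>[^`]+?)`? has the following vulnerable packages")
TFM_RE = re.compile(r"^\s*\[(?P<tfm>[^\]]+)\]:")
HEADER_RE = re.compile(r"^\s*(?P<kind>Top-level|Transitive) Package\s+Resolved\s+Severity")
ROW_RE = re.compile(r"^\s*>?\s*(?P<pkg>\S+)\s+(?P<ver>\S+)\s+(?P<sev>Low|Moderate|High|Critical)\s+(?P<url>\S+)")

def parse_vulnerable_report(text):
    """Parse the text report into one Finding per vulnerable package row."""
    findings, project, framework, kind = [], None, None, None
    for line in text.splitlines():
        if m := PROJECT_RE.match(line):
            project, framework, kind = m.group("project"), None, None
        elif m := TFM_RE.match(line):
            framework = m.group("tfm")
        elif m := HEADER_RE.match(line):
            kind = m.group("kind")  # "Top-level" or "Transitive" table
        elif (m := ROW_RE.match(line)) and project:
            findings.append(Finding(project, framework, kind, m.group("pkg"),
                                    m.group("ver"), m.group("sev"), m.group("url")))
    return findings

def gate(findings, fail_at="High", include_transitive=True):
    """Return the findings that should fail the build at the given threshold."""
    threshold = SEVERITY_RANK[fail_at]
    return [f for f in findings
            if SEVERITY_RANK[f.severity] >= threshold
            and (include_transitive or f.kind == "Top-level")]

# Constructed sample mirroring the report quoted in this issue (not captured output).
SAMPLE_REPORT = """\
Project `ApplicationInsights.Kubernetes` has the following vulnerable packages
   [net6.0]:
   Transitive Package                        Resolved   Severity   Advisory URL
   > Microsoft.IdentityModel.JsonWebTokens   7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
   > System.IdentityModel.Tokens.Jwt         7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52

Project `ApplicationInsights.Kubernetes.HostingStartup` has the following vulnerable packages
   [net6.0]:
   Transitive Package                        Resolved   Severity   Advisory URL
   > System.Drawing.Common                   4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
   > System.IdentityModel.Tokens.Jwt         7.0.0      Moderate   https://github.com/advisories/GHSA-59j7-ghrg-fj52
"""
```

In a pipeline, feed the real command's stdout to `parse_vulnerable_report` and exit non-zero when `gate` returns anything; transitive findings are included by default because, as this issue shows, that is where these advisories surface.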

xiaomi7732 commented 1 day ago

To balance between backward compatibility and security, deep investigation is needed. Here's some dependency chain info:

For JWT tokens: [image]

xiaomi7732 commented 1 day ago

For the unit test project, it looks like System.Net.Http/4.3.0 is brought in by NETStandard1.6: [image] It is reasonable to bump up xunit since there are no backward compatibility concerns.

xiaomi7732 commented 1 day ago

Bumping up the target version of Application Insights from 2.21 to 2.22 makes sense.

xiaomi7732 commented 1 day ago

After the upgrade:

```text
PS C:\Repos\fork-ai-k8s> dotnet list package --include-transitive --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project ApplicationInsights.Kubernetes has no vulnerable packages given the current sources.
The given project UnitTests has no vulnerable packages given the current sources.
The given project ApplicationInsights.Kubernetes.HostingStartup has no vulnerable packages given the current sources.
```