Open almegdad opened 5 days ago
To balance backward compatibility with security, deep investigation is needed. Here's some dependency chain info:
For JWT tokens:
For the unit test project, it looks like System.Net.Http/4.3.0 is brought in by NETStandard1.6:
It is reasonable to bump up xunit since there are no backward compatibility concerns.
Bumping up the target version of Application Insights from 2.21 to 2.22 makes sense.
After the upgrade:

```
PS C:\Repos\fork-ai-k8s> dotnet list package --include-transitive --vulnerable
The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `ApplicationInsights.Kubernetes` has no vulnerable packages given the current sources.
The given project `UnitTests` has no vulnerable packages given the current sources.
The given project `ApplicationInsights.Kubernetes.HostingStartup` has no vulnerable packages given the current sources.
```
Describe the bug
Transitive vulnerable packages need to be upgraded for the Microsoft.ApplicationInsights.Kubernetes and Microsoft.ApplicationInsights.Kubernetes.HostingStartup packages.

Package Versions
Application Insights Kubernetes Version: 7.0.0
Application Insights SDK Version: 7.0.0

To Reproduce
Steps to reproduce the behavior: run the command `dotnet list package --include-transitive --vulnerable`
```
Project `ApplicationInsights.Kubernetes` has the following vulnerable packages
   [net6.0]:
   Transitive Package   Resolved   Severity   Advisory URL

Project `UnitTests` has the following vulnerable packages
   [net6.0]:
   Transitive Package   Resolved   Severity   Advisory URL

Project `ApplicationInsights.Kubernetes.HostingStartup` has the following vulnerable packages
   [net6.0]:
   Transitive Package   Resolved   Severity   Advisory URL
```

Expected behavior
Transitive vulnerable packages need to be resolved.
Additional context
To fix the issue:
1) Project ApplicationInsights.Kubernetes: upgrade the KubernetesClient package from version 12.1.1 to 13.0.11
2) Project ApplicationInsights.Kubernetes.HostingStartup: upgrade the Microsoft.ApplicationInsights.AspNetCore package from version 2.21.0 to 2.22.0
3) Project UnitTests: upgrade xunit and xunit.runner.visualstudio from version 2.4.* to 2.6.*
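The repro step above is a one-off manual check. What a maintainer usually wants is the same check wired into CI so a future transitive bump cannot silently reintroduce a flagged package. The script below is an added example written for this page; it is not code from the issue or from the Application Insights for Kubernetes project. It parses the text that `dotnet list package --include-transitive --vulnerable` prints (the "has no vulnerable packages" and "has the following vulnerable packages" phrases quoted in this issue) rather than trusting the command's exit status, which is an assumption made here about the SDK. The `RUN_DOTNET` variable, the `Example.Transitive` package row and the `example.invalid` advisory URL are constructed placeholders, not real findings.

```shell
#!/bin/sh
# Added example (not the project's own code): a CI gate around
# `dotnet list package --include-transitive --vulnerable`.
# The gate parses the command's text output instead of its exit status
# (assumption: the exit status alone is not a reliable signal).

# vulnerable_projects OUTPUT
# Prints one project name per line for every project that reports
# vulnerable packages. Handles both the single-line form
#   Project `Name` has the following vulnerable packages
# and the form where the name sits on the line before the phrase.
vulnerable_projects() {
    printf '%s\n' "$1" | awk '
        /has the following vulnerable packages/ {
            line = $0
            if (match(line, /`[^`]+`/)) {
                name = substr(line, RSTART + 1, RLENGTH - 2)
            } else {
                name = prev
            }
            sub(/^[ \t]+/, "", name)
            sub(/[ \t]+$/, "", name)
            print name
        }
        { prev = $0 }
    '
}

# vulnerable_package_count OUTPUT
# Counts package rows, which the SDK prints as "> Package  Resolved  Severity  URL".
vulnerable_package_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*>[[:space:]]' || true
}

# check_vulnerable_packages OUTPUT
# Returns 0 when no project reports vulnerable packages, 1 otherwise,
# listing the offending projects on stderr so the CI log shows them.
check_vulnerable_packages() {
    _bad=$(vulnerable_projects "$1")
    if [ -n "$_bad" ]; then
        printf 'vulnerable packages reported in:\n%s\n' "$_bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the clean output quoted in the issue after the upgrade.
SAMPLE_CLEAN='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `ApplicationInsights.Kubernetes` has no vulnerable packages given the current sources.
The given project `UnitTests` has no vulnerable packages given the current sources.'

# Constructed sample of the failing case. The package row and advisory URL
# are placeholders (Example.Transitive, example.invalid), not real findings.
# The UnitTests block uses the split form seen in the issue text.
SAMPLE_VULNERABLE='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `ApplicationInsights.Kubernetes` has the following vulnerable packages
   [net6.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Example.Transitive    1.0.0      High       https://example.invalid/advisory
Project
UnitTests
has the following vulnerable packages [net6.0]:
   Transitive Package      Resolved   Severity   Advisory URL
   > Example.Transitive    1.0.0      High       https://example.invalid/advisory'

# In CI, set RUN_DOTNET=1 (hypothetical variable) to gate on the real command.
if [ -n "${RUN_DOTNET:-}" ] && command -v dotnet >/dev/null 2>&1; then
    check_vulnerable_packages "$(dotnet list package --include-transitive --vulnerable 2>&1)"
fi
```

Run it with `RUN_DOTNET=1 sh check_vulnerable.sh` from the solution directory; a non-zero exit fails the job and the stderr line names the projects to look at. Because the command needs to reach the configured NuGet sources to get advisory data, treat any network or source error in its output as a failure too rather than as a clean result.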