microsoft / ApplicationInsights-dotnet-logging

.NET Logging adaptors

sdl fix system.net.http #291

Closed TimothyMothra closed 5 years ago

TimothyMothra commented 5 years ago

Taking an explicit dependency on System.Net.Http will override any implicit dependencies.

I'm trying to copy @lmolkova's solution from here: https://github.com/microsoft/ApplicationInsights-dotnet/pull/1147

Confirmed that this fixes the security scan.
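For readers who have not seen the pattern, here is what "taking an explicit dependency" looks like in an SDK-style project file. This is an added illustration, not the diff from this PR or the repository's actual csproj: the package name System.Net.Http and the 4.3.4 version are the ones discussed in this thread, while the project settings, the Microsoft.ApplicationInsights package version and the claim that System.Net.Http arrives transitively through it are placeholders chosen for the example.

```xml
<!-- Added example (not from the PR): an SDK-style project that pins a
     transitive dependency by referencing it directly. Everything except the
     System.Net.Http 4.3.4 reference is a placeholder for illustration. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- The adaptor only references the base SDK; in this example
         System.Net.Http is assumed to arrive transitively through it at an
         older version that the security scan flags. -->
    <PackageReference Include="Microsoft.ApplicationInsights" Version="2.10.0" />

    <!-- The fix: a direct reference. NuGet resolves a direct (nearest)
         dependency in preference to a transitive one, so the restore graph
         now contains System.Net.Http 4.3.4 even though no code in this
         project calls it. -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>

</Project>
```

To confirm the pin took effect, run `dotnet list package --include-transitive` after a restore: System.Net.Http should move from the transitive section to the top-level section with the pinned version. Two caveats: if some other path in the graph requires a version higher than the one you pin, NuGet reports a package downgrade (NU1605) rather than silently keeping the lower version, and the pin is only a workaround, so it should be removed once the upstream package raises its own minimum version.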

lmolkova commented 5 years ago

I think the standard SDL check is not clever enough. So what happens is:

Now this SDL check forces us to add a dependency on a library we don't use or need in logging. I'm not sure if we can do anything here: like, does the SDL check have some help or an owner who can help clarify whether this is the right approach?

TimothyMothra commented 5 years ago

Thank you for the explanation. Let me verify that this resolves the alerting rule for all repos. Then I can re-review the guidance or reach out to decide if this is the "best" solution. :)

lmolkova commented 5 years ago

By the way, the next Base 2.11-beta1 will force System.Net.Http to 4.3.4, and this PR is likely not needed.

TimothyMothra commented 5 years ago

I created a build of latest Base SDK and verified that it fixes the issues in Logging SDK. It does! :) I think we can close this issue. Thanks @lmolkova