TimothyMothra closed 5 years ago
I think the standard SDL check is not clever enough. So what happens is:
now this SDL check forces us to add a dependency on the library we don't use or need in logging. I'm not sure if we can do anything here: does the SDL check have some help or an owner who can help to clarify if this is the right approach?
Thank you for the explanation. Let me verify that this resolves the alerting rule for all repos. Then I can re-review the guidance or reach out to decide if this is the "best" solution. :)
By the way, the next base 2.11-beta1 will force System.Net.Http to 4.3.4 and this PR is likely not needed.
I created a build of latest Base SDK and verified that it fixes the issues in Logging SDK. It does! :) I think we can close this issue. Thanks @lmolkova
Taking an explicit dependency on System.Net.Http will override any implicit dependencies.
I'm trying to copy @lmolkova's solution from here: https://github.com/microsoft/ApplicationInsights-dotnet/pull/1147
Confirmed that this fixes the security scan.
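An added example, not part of the thread or of the project's code: a check that reads the `libraries` section of a restored project's `obj/project.assets.json` and reports any resolved System.Net.Http version below the 4.3.4 named above, so the effect of the explicit dependency can be confirmed before the scan runs. The sample documents and the `Example.Sdk` package name are constructed for illustration.

```python
import json

PACKAGE = "System.Net.Http"
MIN_VERSION = (4, 3, 4)  # version named in the thread

# Constructed samples shaped like the "libraries" section of project.assets.json.
# "Example.Sdk" is a hypothetical package that pulls System.Net.Http in implicitly.
SAMPLE_IMPLICIT = json.dumps({"libraries": {
    "Example.Sdk/1.0.0": {"type": "package"},
    "System.Net.Http/4.3.0": {"type": "package"},
}})
SAMPLE_EXPLICIT = json.dumps({"libraries": {
    "Example.Sdk/1.0.0": {"type": "package"},
    "System.Net.Http/4.3.4": {"type": "package"},
}})


def parse_version(text):
    """Turn '4.3.4' or '4.3.4-beta1' into a comparable tuple of ints."""
    core = text.split("-", 1)[0]  # drop any prerelease suffix
    return tuple(int(part) for part in core.split("."))


def resolved_versions(assets_json, package=PACKAGE):
    """Return every version of `package` that NuGet resolved for the project."""
    libraries = json.loads(assets_json).get("libraries", {})
    found = []
    for key, meta in libraries.items():
        name, _, version = key.partition("/")
        # NuGet package ids are case-insensitive.
        if name.lower() == package.lower() and meta.get("type") == "package":
            found.append(version)
    return found


def versions_below_minimum(assets_json, minimum=MIN_VERSION):
    """Return the resolved versions that are older than `minimum`."""
    return [v for v in resolved_versions(assets_json)
            if parse_version(v) < minimum]


if __name__ == "__main__":
    for label, doc in (("implicit", SAMPLE_IMPLICIT), ("explicit", SAMPLE_EXPLICIT)):
        print(label, versions_below_minimum(doc) or "ok")
```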