Open MarcoK80 opened 11 months ago
Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1. Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http. We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
A comment inside Microsoft.ApplicationInsights.AspNetCore.csproj. Seems like the comment was long forgotten.
It is worth mentioning that there is a vulnerability in: Microsoft.AspNetCore.Http.Features 2.1.1 Denial Of Service (DoS)
The workaround is to add an explicit dependency on "Microsoft.AspNetCore.Http.Features" Version="5.0.17", which has no vulnerabilities and fixes SCA scan issues (in my case).
Anyway, I would greatly appreciate an update on this ticket.
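For the SCA finding and workaround in the comment above, the sketch below walks NuGet's restore output (`obj/project.assets.json`) to show which direct reference pulls in a flagged transitive package and which version was resolved. It is an added example, not part of the thread or the project's code. The helper name `find_chains` is hypothetical, and the embedded JSON is a constructed, simplified sample with placeholder versions.

```python
import json
from collections import deque

# Constructed, simplified assets file; "0.0.0-sample" versions are placeholders.
SAMPLE_ASSETS = json.loads("""{
  "targets": {"net6.0": {
    "Microsoft.ApplicationInsights.AspNetCore/2.21.0":
      {"dependencies": {"Microsoft.AspNetCore.Hosting": "0.0.0-sample"}},
    "Microsoft.AspNetCore.Hosting/0.0.0-sample":
      {"dependencies": {"Microsoft.AspNetCore.Http": "0.0.0-sample"}},
    "Microsoft.AspNetCore.Http/0.0.0-sample":
      {"dependencies": {"Microsoft.AspNetCore.Http.Features": "2.1.1"}},
    "Microsoft.AspNetCore.Http.Features/2.1.1": {}
  }},
  "projectFileDependencyGroups":
    {"net6.0": ["Microsoft.ApplicationInsights.AspNetCore >= 2.21.0"]}
}""")


def find_chains(assets, flagged_id):
    """Map each target framework to the dependency chains ('Id/Version' keys)
    leading from a direct reference to the resolved copy of flagged_id."""
    flagged, result = flagged_id.lower(), {}
    for tfm, libs in assets["targets"].items():
        by_id = {key.split("/")[0].lower(): key for key in libs}  # ids ignore case
        groups = assets.get("projectFileDependencyGroups", {}).get(tfm, [])
        direct = [g.split(" ")[0].lower() for g in groups]
        chains = []
        for root in (d for d in direct if d in by_id):
            queue, seen = deque([[root]]), {root}
            while queue:  # breadth-first: shortest chain per direct reference
                path = queue.popleft()
                if path[-1] == flagged:
                    chains.append([by_id[p] for p in path])
                    break
                for dep in libs[by_id[path[-1]]].get("dependencies", {}):
                    dep = dep.lower()
                    if dep in by_id and dep not in seen:
                        seen.add(dep)
                        queue.append(path + [dep])
        result[tfm] = chains
    return result


if __name__ == "__main__":
    for tfm, chains in find_chains(
            SAMPLE_ASSETS, "Microsoft.AspNetCore.Http.Features").items():
        for chain in chains:
            print(tfm, " -> ".join(chain))
```

To check a real project, run `dotnet restore` and load its `obj/project.assets.json` with `json.load` in place of the sample; once an explicit pin is added, the last element of each chain shows the pinned version.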
Hi @TimothyMothra
Any updates on this? Any ETA?
because Microsoft.AspNetCore.Http package has vulnerability CVE-2020-1045
https://github.com/microsoft/ApplicationInsights-dotnet/issues/2199
We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
So any ETA?
Any update / plans on this @TimothyMothra? I would expect the library to multi target Net6 and Net8 by now to include the proper AspNetCore framework dependencies instead of totally outdated Nuget references.
My team has been using App insights in .NET Core for microservices for years now and with the latest changes how Net6/8 references framework dependencies, it is really painful to include this Nuget package with all the old/outdated dlls which all end up in every service's bin / publish dir... And this is ignoring the fact that those old packages have security vulnerabilities now..
I have proposed changes just for Microsoft.ApplicationInsights.AspNetCore in the linked PR #2860.
I hope that @TimothyMothra will soon have time to review the changes and they will find a way to the main branch.
There is no code change, so no expected behavior change. Just the package references to Microsoft.AspNetCore.* are replaced with framework reference to Microsoft.AspNetCore.App.
ApplicationInsights.AspNetCore is targeted to netcoreapp3.1; although it is not supported anymore, this way it will still be possible for any legacy applications running on .NET 3.1 to use AI.
The tests are passing.
dotnet list package --outdated / --deprecated shows for the packages

- Microsoft.ApplicationInsights.AspNetCore 2.21.0
- Microsoft.ApplicationInsights.Profiler.AspNetCore 2.5.3
- Microsoft.ApplicationInsights.Profiler.Core 2.5.3

outdated and, if we update them, deprecated packages

- Microsoft.AspNetCore.Hosting
- Microsoft.AspNetCore.Http
Is there any plan to migrate these packages to full .net core 7 or .net core 8 support?