search

microsoft / azure-pipelines-tasks

Tasks for Azure Pipelines
https://aka.ms/tfbuild
MIT License
3.49k stars 2.61k forks source link

[BUG]: Azure App Service Deploy task using the older version of 7zip, required to be use 18.0.0.0 or higher #19136

Open prafullakokadwar123 opened 1 year ago

prafullakokadwar123 commented 1 year ago

Task name

No response

Task version

No response

Environment type (Please select at least one enviroment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operation system

windows 64

Task log

NA

Relevant log output

NA

Aditional info

Our infrastructure team has detected some high-vulnerability issues related to 7zip. We are executing a task in our pipeline called Azure App Service Deploy. Under this, we have an AzureRmWebAppDeployment task which contains 7zip executable and that is having an older version that is 16.0.0.0 and we require 18.0.0.0 or higher as per issue reported.
We have this CVE finding (CVE-2023-40481, CVE-2017-17969, CVE-2018-5996) against same issue for listed below various tasks.
For an example AzureRmWebAppDeployment task which is part of azure-pipelines-tasks-utility-common : https://www.npmjs.com/package/azure-pipelines-tasks-utility-common, 
Which is reported for lower version of 7zip. Along with this it should be fix for other below listed task as well so we should not get reported with new vulnerability. we already raised support tickets with Microsoft where we got to know that this should be reported on Github support to fix on priority. 

The fixing of this issue should be time bound since we can not carry the same vulnerability for longer period in our vm its should be fix in very high priority. 

List of tasks which are reported for 7zip tool contain lower version.

AzureRmWebAppDeployment
PowerShell
NuGetCommand
UseDotNet
DotNetCoreCLI
NuGetToolInstaller
FileTransform
Npm
AzurePowerShell
prafullakokadwar123 commented 1 year ago

@DmitriiBobreshev , @v-mohithgc , Hi team you please help us and provide the update on this issue this is impacting our security score, our VM will quarantine in next week, so please response as soon as possible on this issue.

DmitriiBobreshev commented 1 year ago

Hi @prafullakokadwar123, we're currently working on the tasks upgrading, but it takes some time since more tasks include 7zip version 16, as well as some npm packages

prafullakokadwar123 commented 12 months ago

@DmitriiBobreshev Thank you for responding. List of tasks which are reported for 7zip tool contain lower version. so please update to 23.0.0 or the latest version of 7zip.

  1. AzureRmWebAppDeployment
  2. PowerShell
  3. NuGetCommand
  4. UseDotNet
  5. DotNetCoreCLI
  6. NuGetToolInstaller
  7. FileTransform
  8. Npm
  9. AzurePowerShell
DmitriiBobreshev commented 11 months ago

Hi, @prafullakokadwar123, the tasks which own akvelon-build-task team are fixed(e.g. Powershell) and will be rolled out soon. Pinging @v-mohithgc as a task owner of a bunch of the tasks

kmarkus93 commented 11 months ago

Is there any new information for the FileTransform@1 Task? we also need the new version of 7zip

v-mohithgc commented 11 months ago

Hi, for now the below tasks has the upgraded version of 7zip and is shipped with version 231.

AzureRmWebAppDeploymentV4 PowerShell NuGetCommand UseDotNet NuGetToolInstaller FileTransformV1 Npm AzurePowerShell

prafullakokadwar123 commented 11 months ago

@v-mohithgc I have run the task pipeline and seen that the upgraded version for 7zip is 19.0.0.0, but we are discussing 23.0.0.0 or higher, could you please provide latest upgraded version 23.0.0.0 or higher for all above task?

v-mohithgc commented 11 months ago

@v-mohithgc I have run the task pipeline and seen that the upgraded version for 7zip is 19.0.0.0, but we are discussing 23.0.0.0 or higher, could you please provide latest upgraded version 23.0.0.0 or higher for all above task?

Hi, on which task are you seeing the 7zip version as 19.0.0? can you please let us know the task version of your latest run (eg 4.230.0 etc)

prafullakokadwar123 commented 11 months ago

Hi, on which task are you seeing the 7zip version as 19.0.0? can you please let us know the task version of your latest run (eg 4.230.0 etc)

Hi @v-mohithgc The task name is AzureRmWebAppDeployment and PowerShell, and the version is 4.231.0.

kmarkus93 commented 11 months ago

Anybody have an idea how to force the agent to download the newest version? only getting the old 1.220.0 version form the FileTransform@1 Task. Have deleted the files in _tasks but only getting the old version

v-mohithgc commented 11 months ago

Hi, on which task are you seeing the 7zip version as 19.0.0? can you please let us know the task version of your latest run (eg 4.230.0 etc)

Hi @v-mohithgc The task name is AzureRmWebAppDeployment and PowerShell, and the version is 4.231.0.

7zip upgrade for AzureRmWebAppDeployment is shipped with version 4.231.8 and for powershell task it's shipped with vesion 2.231.0.

ig the latest version hasn't reached your region yet, might need to wait for couple of more day.

v-mohithgc commented 11 months ago

Anybody have an idea how to force the agent to download the newest version? only getting the old 1.220.0 version form the FileTransform@1 Task. Have deleted the files in _tasks but only getting the old version

Hi, you cannot force push the latest version, you need to wait for new version to be deployed on all regions.

v-mohithgc commented 10 months ago

Hi all, the tasks listed below has the updated 7zip version, all of them has been shipped with version 231 and 232.

AzureRmWebAppDeployment PowerShell NuGetCommand UseDotNet DotNetCoreCLI NuGetToolInstaller FileTransform Npm AzurePowerShell

prafullakokadwar123 commented 10 months ago

Hi @v-mohithgc I have run the task pipeline and seen that the upgraded version for 7zip is 19.0.0.0, but we are discussing 23.0.0.0 or higher. Below the task name and version I have check AzureRmWebAppDeployment :- 231 PowerShell :- 232

AzureRmWebAppDeployment PowerShell NuGetCommand UseDotNet DotNetCoreCLI NuGetToolInstaller FileTransform Npm AzurePowerShell

could you please provide latest upgraded version 23.0.0.0 or higher for all above task?

flegault-ext commented 6 months ago

Hi, any news on the update of 7zip ours is also being flagged by the outdated version (19)

our task is IISWebAppDeploymentOnMachineGroup

Thanks

github-actions[bot] commented 3 days ago

This issue is stale because it has been open for 180 days with no activity. Remove the stale label or comment on the issue otherwise this will be closed in 5 days