serilog-mssql / serilog-sinks-mssqlserver

A Serilog sink that writes events to Microsoft SQL Server and Azure SQL
Apache License 2.0

Referencing a vulnerable version of Azure.Identity #503

Closed WodeCraft closed 5 months ago

WodeCraft commented 9 months ago

Bug Report / Support Request Template

If you are opening a feature request, you can ignore this template. Bug reports and requests for assistance usually require the same basic information described below. This will help us more quickly reproduce and investigate the problem you're reporting. (If you are using Serilog.Sinks.MSSqlServerCore, that package is deprecated, please switch to Serilog.Sinks.MSSqlServer before reporting an issue.)

Please clearly describe what the SQL Sink is doing incorrectly: The sink is referencing a vulnerable version of Azure.Identity which results in a high vulnerability score for my project

Please clearly describe the expected behavior: The sink needs to be updated to use a newer version (10.x.x) of the package. The error can be seen by using the dotnet list tool:

dotnet list package --vulnerable --include-transitive

List the names and versions of all Serilog packages used in the project:

Target framework and operating system:

[x] .NET 8
[ ] .NET 6
[ ] .NET Framework 4.8
[ ] .NET Framework 4.7
[ ] .NET Framework 4.6

OS: Windows
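As an added example (not code from the issue or from the Serilog project), here is a small CI gate that reads the JSON form of the `dotnet list package --vulnerable --include-transitive` report and fails the build when a transitive dependency such as Azure.Identity carries a vulnerability at or above a chosen severity. The report field names are an assumption about the SDK's `--format json` output, and the embedded sample (versions, advisory URLs) is constructed for the example rather than taken from real advisories.

```python
import json

# Constructed sample of a `dotnet list package --vulnerable --include-transitive --format json`
# report. Field names are an assumption about the SDK's JSON output; versions/URLs are made up.
SAMPLE_REPORT = json.dumps({
    "version": 1, "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "MyApp/MyApp.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [],
            "transitivePackages": [{
                "id": "Azure.Identity", "resolvedVersion": "1.10.0",
                "vulnerabilities": [
                    {"severity": "Moderate", "advisoryurl": "https://example.invalid/adv-1"},
                    {"severity": "High", "advisoryurl": "https://example.invalid/adv-2"},
                ],
            }],
        }],
    }],
})

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

def find_vulnerable_packages(report_json: str, min_severity: str = "High") -> list[tuple[str, str, str, str]]:
    """Return (package, version, scope, severity) for each finding at or above min_severity.
    Transitive packages are scanned on purpose: the sink pulls Azure.Identity in through
    Microsoft.Data.SqlClient, so it never shows up as a top-level reference in the app."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for project in json.loads(report_json).get("projects", []):
        for fw in project.get("frameworks", []):
            for scope in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(scope, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        sev = vuln.get("severity", "Low")
                        if SEVERITY_RANK.get(sev, 0) >= threshold:
                            findings.append((pkg["id"], pkg["resolvedVersion"], scope, sev))
    return findings

def ci_gate(report_json: str, min_severity: str = "High") -> int:
    """Exit code for a build step: 1 when a blocking vulnerability is present, else 0."""
    findings = find_vulnerable_packages(report_json, min_severity)
    for pkg, ver, scope, sev in findings:
        print(f"BLOCK: {pkg} {ver} ({scope}) severity={sev}")
    return 1 if findings else 0

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_REPORT))
```

In a pipeline, pipe the real report into `ci_gate` (for example via `sys.stdin.read()`) and lower `min_severity` to "Moderate" if the project's policy blocks on moderate advisories too.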

ckadluba commented 5 months ago

Hi @WodeCraft and sorry for the late answer.

Thank you for reporting this. I just checked with the latest version of the MSSQL sink and the vulnerability is not present anymore.


Azure.Identity is referenced in the MSSQL sink indirectly via the Microsoft.Data.SqlClient package. Currently we use Microsoft.Data.SqlClient 5.1.5 which does not include a vulnerable Azure.Identity version anymore. We updated the SqlClient package several times to fix other vulnerabilities it had (for instance in releases 6.5.1 and 6.5.2 of the MSSQL sink). Perhaps Azure.Identity was also updated in those versions which fixed the vulnerability reported in this issue.

Since the vulnerability is not present in the latest version, I will close this issue.