
Update dependencies for security fixes #50

Open
victor-priceputu-tb opened this issue May 15, 2024 · 5 comments

Comments

@victor-priceputu-tb

Currently the package is dependent on NETStandard.Library@1.6.1 which by its own dependencies generates security warnings (6 in total). Updating it to the current latest version v2.0.3 solves the security issues. A quick scan with Snyk can show this.

Can we get an update to resolve these issues?

@mchechulnikov
Contributor

Hi @victor-priceputu-tb ,
Thank you for bringing this to our attention!
Could you please advise,

  • how do you use the TeamCity.VSTest.TestAdapter library?
  • what exactly do you scan with Snyk: TeamCity distribution or the library itself?

@victor-priceputu-tb
Author

Hello, thank you for the quick reply.

We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

For the scanning we check our project for packages that have security issues or dependencies that have security issues, nothing fancy. Besides the automated scanning that happens, we just run Snyk via Rider (the IDE) that just does a quick package scanning.
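
The scanning step described in the comment above, as an added example that is not part of this issue thread and not TeamCity's or Snyk's code: a POSIX shell gate built on the .NET SDK command `dotnet list <project> package --vulnerable --include-transitive`, which fails a CI step when any transitive package reaches a chosen severity. The text in `SAMPLE_REPORT` is constructed to mirror that command's table layout (one indented `>` row per vulnerable package with a severity column) and is not real scanner output; its versions, severities and advisory URLs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from TeamCity.
# Gate a CI step on the SDK's vulnerable-package report:
#   dotnet list <project> package --vulnerable --include-transitive
# The parser relies only on the row shape of that report: each vulnerable
# package is printed as an indented line starting with ">" followed by the
# package name, version column(s), a severity word and an advisory URL.

# Rank a severity word so a report can be compared against a threshold.
severity_rank() {
  case "$1" in
    Low)      echo 1 ;;
    Moderate) echo 2 ;;
    High)     echo 3 ;;
    Critical) echo 4 ;;
    *)        echo 0 ;;   # unknown word: never trips the gate by itself
  esac
}

# Read a report on stdin and print "<vulnerable-row-count> <worst-rank>".
summarize_report() {
  awk '
    $1 == ">" {
      n++
      for (i = 2; i <= NF; i++) {
        r = 0
        if ($i == "Low") r = 1
        else if ($i == "Moderate") r = 2
        else if ($i == "High") r = 3
        else if ($i == "Critical") r = 4
        if (r > worst) worst = r
      }
    }
    END { printf "%d %d\n", n + 0, worst + 0 }
  '
}

# Succeed (exit 0) only when no reported package reaches the given severity.
# Usage: report_passes High < report.txt
report_passes() {
  threshold=$(severity_rank "$1")
  set -- $(summarize_report)   # $1 = row count, $2 = worst rank
  [ "$2" -lt "$threshold" ]
}

# Constructed sample report (not real scanner output). The package names echo
# the System.Net.Http / System.Text.RegularExpressions findings mentioned in
# this thread; versions, severities and URLs are placeholders.
SAMPLE_REPORT='Project `Example.Tests` has the following vulnerable packages
   [net8.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
      > System.Net.Http                  0.0.0      High       https://advisory.invalid/1
      > System.Text.RegularExpressions   0.0.0      Moderate   https://advisory.invalid/2'

CLEAN_REPORT='Project `Example.Tests` has no vulnerable packages given the current sources.'

# Real use: pass a project or solution path as the first argument.
if [ -n "$1" ] && command -v dotnet >/dev/null 2>&1; then
  if dotnet list "$1" package --vulnerable --include-transitive | report_passes High; then
    echo "no High/Critical vulnerabilities reported for $1"
  else
    echo "vulnerable packages at or above High reported for $1; failing the step" >&2
    exit 1
  fi
fi
```

The threshold is deliberately a parameter: a build step can fail on High and above while a nightly report lists everything, and the same functions serve both. Because `--include-transitive` is used, the gate catches packages pulled in indirectly, which is exactly the NETStandard.Library case this issue describes.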

@mchechulnikov
Contributor

mchechulnikov commented May 17, 2024

> We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

Could you please clarify, are you using command line runner?

If so, please note that you could use the TeamCity .NET runner with the `test` command instead, and you won't need to reference TeamCity.VSTest.TestAdapter in your project directly. It is considered the main way of using this package – implicitly via the .NET runner. As far as I understand, it could solve the issue with a scanner for now until we update the package.

And if you don't use the .NET runner, may I ask you why? That would be very helpful to us.
The TeamCity .NET runner is a part of the bundled TeamCity .NET Support plugin and is open sourced as well.

> For the scanning we check our project for packages that have security issues or dependencies that have security issues

Could you please share the CVEs, links on Snyk or any other details that you found in connection with NETStandard.Library@1.6.1? It would help us a lot to estimate the severity.

@victor-priceputu-tb
Author

Hey, apologies for the late response. We are using the command line runner, yes.

I am not sure why it is set up like this, the infrastructure department sets these up. We have multiple projects in multiple languages so I guess it is to help have multiple agents that can run every project and minimise time where a pipeline is waiting for an agent.
The following vulnerabilities are introduced through the NETStandard.Library dependency:
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048

@WGroenestein

Another idea would be to add an explicit net8.0 TFM, so this NETStandard.Library dependency is not needed when using that TFM.
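
Putting the two suggestions in this thread together (an explicit net8.0 TFM, and a newer NETStandard.Library for the legacy target), as an added csproj example that is not from the project's repository: the `netstandard1.6` TFM is an assumption, since the thread does not state which frameworks the package currently targets, and the version pin simply uses the 2.0.3 the issue proposes. `NETStandardImplicitPackageVersion` is the SDK property that overrides the NETStandard.Library version the SDK adds implicitly for netstandard1.x targets.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Assumed targets for illustration. The legacy netstandard1.x TFM keeps
         existing consumers working; the explicit net8.0 TFM gives modern
         consumers an asset built against the shared framework, so it does not
         pull in the NETStandard.Library 1.x package graph at all. -->
    <TargetFrameworks>netstandard1.6;net8.0</TargetFrameworks>
  </PropertyGroup>

  <!-- Only the legacy target carries NETStandard.Library. The SDK references it
       implicitly for netstandard1.x; this property pins that implicit reference
       to the version proposed in the issue instead of 1.6.1. -->
  <PropertyGroup Condition="'$(TargetFramework)' == 'netstandard1.6'">
    <NETStandardImplicitPackageVersion>2.0.3</NETStandardImplicitPackageVersion>
  </PropertyGroup>
</Project>
```

Consumers on net8.0 resolve the net8.0 asset and never see the NETStandard.Library chain, which is what removes the findings from a transitive scan; consumers still on netstandard1.x get the updated metapackage. After changing either target, re-running `dotnet list package --vulnerable --include-transitive` against a consuming project is the quickest way to confirm the transitive findings are gone.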

3 participants