Enable NuGetAudit #34650

Merged
merged 1 commit into from
Sep 16, 2024

Conversation

AndriySvyryd
Member

Filed #34649

@AndriySvyryd AndriySvyryd requested a review from a team September 10, 2024 17:59
@AndriySvyryd
Member Author

@ViktorHofer @joperezr Any tips on how to avoid the new warnings becoming errors?

@ericstj
Member

ericstj commented Sep 11, 2024

Here's the set of warnings:

```
C:\src\dotnet\efcore\src\EFCore.Design\EFCore.Design.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\ef.Tests\ef.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.SqlServer.HierarchyId.Tests\EFCore.SqlServer.HierarchyId.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.FunctionalTests\EFCore.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.VisualBasic.FunctionalTests\EFCore.VisualBasic.FunctionalTests.vbproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.FunctionalTests\EFCore.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.VisualBasic.FunctionalTests\EFCore.VisualBasic.FunctionalTests.vbproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.InMemory.FunctionalTests\EFCore.InMemory.FunctionalTests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.InMemory.FunctionalTests\EFCore.InMemory.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.FSharp.FunctionalTests\EFCore.FSharp.FunctionalTests.fsproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.FSharp.FunctionalTests\EFCore.FSharp.FunctionalTests.fsproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.InMemory.FunctionalTests\EFCore.AspNet.InMemory.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Specification.Tests\EFCore.AspNet.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
C:\src\dotnet\efcore\src\EFCore.Cosmos\EFCore.Cosmos.csproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
C:\src\dotnet\efcore\test\EFCore.Cosmos.FunctionalTests\EFCore.Cosmos.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.CrossStore.FunctionalTests\EFCore.CrossStore.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.CrossStore.FunctionalTests\EFCore.CrossStore.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.AspNet.SqlServer.FunctionalTests\EFCore.AspNet.SqlServer.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Design.Tests\EFCore.Design.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Design.Tests\EFCore.Design.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Cosmos.Tests\EFCore.Cosmos.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Sqlite.Tests\EFCore.Sqlite.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Sqlite.Tests\EFCore.Sqlite.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-55p7-v223-x366
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'IdentityServer4' 4.1.2 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-ff4q-64jc-gx98
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'Microsoft.IdentityModel.JsonWebTokens' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1902: Warning As Error: Package 'System.IdentityModel.Tokens.Jwt' 5.6.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-59j7-ghrg-fj52
C:\src\dotnet\efcore\test\EFCore.AspNet.Sqlite.FunctionalTests\EFCore.AspNet.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Sqlite.FunctionalTests\EFCore.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Sqlite.FunctionalTests\EFCore.Sqlite.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 5.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Analyzers.Tests\EFCore.Analyzers.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Tests\EFCore.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Tests\EFCore.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.SqlServer.Tests\EFCore.SqlServer.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.SqlServer.Tests\EFCore.SqlServer.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Specification.Tests\EFCore.Specification.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Specification.Tests\EFCore.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Relational.Tests\EFCore.Relational.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Tests\EFCore.Relational.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.InMemory.Tests\EFCore.InMemory.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.InMemory.Tests\EFCore.InMemory.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.OData.FunctionalTests\EFCore.OData.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.OData.FunctionalTests\EFCore.OData.FunctionalTests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\EFCore.Tasks\EFCore.Tasks.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Specification.Tests\EFCore.Relational.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 7.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\src\dotnet\efcore\test\EFCore.Relational.Specification.Tests\EFCore.Relational.Specification.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\test\EFCore.Proxies.Tests\EFCore.Proxies.Tests.csproj : error NU1904: Warning As Error: Package 'System.Drawing.Common' 4.7.0 has a known critical severity vulnerability, https://github.com/advisories/GHSA-rxg9-xrhp-64gj
C:\src\dotnet\efcore\test\EFCore.Proxies.Tests\EFCore.Proxies.Tests.csproj : error NU1903: Warning As Error: Package 'System.Text.Json' 7.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\src\dotnet\efcore\src\ef\ef.csproj : error NU1903: Warning As Error: Package 'Microsoft.NETCore.App' 2.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7mfr-774f-w5r9
```

The first one you already fixed in 9.0 with #34636

For the others we can work through them - they'll probably have some common solutions. For things you can't solve we can suppress at the reference site with an exclusion: https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#excluding-advisories

@ericstj
Member

ericstj commented Sep 12, 2024

I was able to address all the advisories here, have a look at https://github.com/dotnet/efcore/compare/NuGetAudit...ericstj-NuGetAudit?expand=1

I suppressed EF.csproj one, since it's explicitly targeting netcoreapp2.0 and I don't know why. Seems you could retarget to a newer framework since it's an app, but I'm sure about the use case.

One case that was problematic was IdentityServer4 -> all versions are vulnerable and the owner redirects to https://www.nuget.org/packages/Duende.IdentityServer.EntityFramework which will fix all the advisories but requires a license fee for production software.

Instead of switching to that I made the updates to the tests to fix as much as possible and suppress that which we can't fix.
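The two routes ericstj's comments describe (the "excluding advisories" link, and the per-advisory suppressions for IdentityServer4 and ef.csproj) written out as one repo-level build file. This is an added example, not the efcore repository's own configuration; the property name NuGetAuditWarningsOnly is invented for the illustration, and the advisory URLs are the ones from the log above.

```xml
<!-- Added example (not efcore's own Directory.Build.props): enable NuGetAudit repo-wide
     and show the two ways to keep a TreatWarningsAsErrors build green while advisories
     are worked through. NuGetAuditSuppress needs NuGet 6.11+ (.NET SDK 8.0.400+).
     The property NuGetAuditWarningsOnly is a name made up for this example. -->
<Project>
  <PropertyGroup>
    <!-- Run the vulnerability audit on every restore. -->
    <NuGetAudit>true</NuGetAudit>
    <!-- "all" also audits transitive packages. Most hits in the log above
         (System.Text.Json, System.Formats.Asn1) are transitive, so "direct"
         would have hidden them. -->
    <NuGetAuditMode>all</NuGetAuditMode>
    <!-- Lowest severity to report. NU1901..NU1904 map to low, moderate, high, critical. -->
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <!-- Option A, an opt-in escape hatch for local triage only: keep the audit codes
       as warnings instead of errors. Not for CI, since it silences every advisory
       at once. Usage: dotnet build -p:NuGetAuditWarningsOnly=true -->
  <PropertyGroup Condition="'$(NuGetAuditWarningsOnly)' == 'true'">
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsNotAsErrors>
  </PropertyGroup>

  <!-- Option B, what the "excluding advisories" doc link describes: exclude individual
       advisories by URL after fixing everything that can be fixed. Each entry is a
       recorded risk decision; every other advisory still fails the build. -->
  <ItemGroup>
    <!-- IdentityServer4 4.1.2 appears only in test projects in the log, every version
         is affected, and the maintained successor needs a commercial license. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-55p7-v223-x366" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-ff4q-64jc-gx98" />
  </ItemGroup>

  <!-- Scope a suppression to the one project that needs it rather than the whole repo:
       the ef tool's netcoreapp2.0 target is what pulls in Microsoft.NETCore.App 2.0.0. -->
  <ItemGroup Condition="'$(MSBuildProjectName)' == 'ef'">
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-7mfr-774f-w5r9" />
  </ItemGroup>
</Project>
```

A suppressed advisory is still a known vulnerable package in the graph, so each NuGetAuditSuppress entry should be revisited when the referenced package is next updated.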

@AndriySvyryd
Member Author

AndriySvyryd commented Sep 12, 2024

@ericstj Thanks. I incorporated your changes into #34666

@AndriySvyryd AndriySvyryd merged commit d01625b into main Sep 16, 2024
7 checks passed
@AndriySvyryd AndriySvyryd deleted the NuGetAudit branch September 16, 2024 17:24
This pull request was closed.