
[Infra] Amend pipeline to use newer NuGet version #1274

Open
duncanp-sonar opened this issue Jun 21, 2022 · 2 comments · May be fixed by #1275

Comments

@duncanp-sonar (Contributor):

Description

Microsoft recently announced a CVE that affects current versions of NuGet. Patched versions are available.

Although the scanner pipeline is using a vulnerable version of NuGet, it is not directly impacted by the CVE as we do not push/publish packages from the pipeline.

However, there are two small improvements we could make:

  1. stop using the affected version, since a patch is available, and
  2. change the pipeline to use a wildcard when referencing the NuGet version.

Regarding the second point, the pipeline is currently specifying a fixed three-part version for NuGet. If we used a two-part version with a wildcard, then the pipeline would automatically pick up security fixes without any additional work on our part.

@andrei-epure-sonarsource (Contributor):

> Regarding the second point, the pipeline is currently specifying a fixed three-part version for NuGet. If we used a two-part version with a wildcard, then the pipeline would automatically pick up security fixes without any additional work on our part.

This should be safe in terms of dependency confusion because we filter based on authors.

@duncanp-sonar (Contributor, Author):

duncanp-sonar commented Jun 28, 2022

> This should be safe in terms of dependency confusion because we filter based on authors.

The filtering is done in the nuget.config file, isn't it? It looks like the NuGetToolInstaller task doesn't look at the config file; it seems to be hard-coded to look at a specific URL to get the list of available versions. So it should be safe.
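The change discussed above, as an added illustration rather than the project's own pipeline definition: an Azure Pipelines `NuGetToolInstaller` step with a pinned three-part version beside the two-part wildcard form. The version numbers are placeholders, not the versions the pipeline actually used.

```yaml
# Added example, not taken from the project's pipeline. Azure Pipelines YAML is assumed.

# Before: a fixed three-part version. Every NuGet security fix requires someone to
# edit this value by hand, so the pipeline keeps running the affected build until then.
- task: NuGetToolInstaller@1
  displayName: 'Install NuGet (pinned)'
  inputs:
    versionSpec: '5.9.1'      # placeholder version, not the one the pipeline used
    checkLatest: false

# After: a two-part version with a wildcard. The task resolves the newest release that
# matches the major.minor pattern from its own fixed tools feed, so a patched build is
# picked up on the next run with no change to the pipeline. Because the installer does
# not read nuget.config, the author filtering discussed above applies to package
# restore, not to this step; the installer's hard-coded feed is what bounds it.
- task: NuGetToolInstaller@1
  displayName: 'Install NuGet (latest patch in line)'
  inputs:
    versionSpec: '5.x'        # placeholder major line; matches the newest 5.* release
    checkLatest: true         # query the feed each run instead of reusing a cached copy
```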
