Transitive reference to vulnerable packages #2294
Comments
|
@flacidsnake This will be fixed in 5.2 preview 5 and 5.1.vNext as I understand it - in the meantime you can add explicit references |
Thanks for your answer. Unfortunately, updating those packages explicitly in my Azure Function results in Error 500. |
|
@flacidsnake Error 500 is an http error, and not relevant in this context, you need to check your logs for the exact error and stack trace if you want help here. |
|
This has been addressed on #2290 and will be shipped with the next hotfix to 5.1. |
1 task
abhishekkumams
pushed a commit
to Azure/data-api-builder
that referenced
this issue
Jan 15, 2024
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
seantleonard
added a commit
to Azure/data-api-builder
that referenced
this issue
Jan 30, 2024
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
@ErikEJ Just updated to the latest stable release, but the error remains. This is the error output:
The library is in the bin folder, but it won't load.. Seems to be a problem with Azure Functions. The workaround to fix this is to add The odd thing is that it works if using I'm using .net6.0 and Azure Functions v4. |
|
@flacidsnake I think you need to address this with Azur Functions support |
This was referenced Jan 30, 2024
seantleonard
added a commit
to Azure/data-api-builder
that referenced
this issue
Jan 30, 2024
## Why make this change? - Updates dependencies `SqlClient` and `Microsoft.AspNetCore.Authentication.JwtBearer` - Explicitly set version of and include transitive dependencies: `System.IdentityModel.Tokens.Jwt` and `Microsoft.IdentityModel.JsonWebTokens` - Suppress NU1603 when resolving dependencies from NuGet feed to prevent pipeline failures. - Allows pipeline to pull compatible dependency version from private feed even when dependency is not the exact lower bounded version. DAB project treats warnings as errors and in this case, NU1603 is emitted and should be ignored. - Background on issue: NuGet/Home#5764 Even though our feed may have version `6.10.1` of the relevant package which meets the expectations of `>=6.10.0`, NuGet is expects and considers the "ideal" match to be `6.10.0` because that is what the package was built and tested against. Newer versions may or may not work and allows build systems to be consistent (per linked NuGet issue thread). > ##[error]Core.csproj(0,0): Error NU1603: Microsoft.IdentityModel.Protocols 6.10.0 depends on Microsoft.IdentityModel.Tokens (>= 6.10.0) > but Microsoft.IdentityModel.Tokens 6.10.0 was not found. > An approximate best match of Microsoft.IdentityModel.Tokens 6.10.1 was resolved. ## What is this change? - Suppress `NU1603` warning in all csproj files. - Updates SqlClient dependency to version `5.1.4`. - Updates Microsoft.AspNetCore.Authentication.JwtBearer to version `6.0.26` - Updates System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.JsonWebTokens to `6.35.0` explicitly even though transitive dependencies because latest SqlClient 5.1.4 references vulnerable 6.24.0 versions. Known issue in sqlclient dotnet/SqlClient#2294 and workaround is to explicitly define the dependencies/needed version. ## How was this tested? - [x] integration test: privately running the pipeline resolves expected dependencies without error. --------- Co-authored-by: neeraj-sharma2592 <neeraj.sharma2592@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Microsoft.Data.SqlClient 5.1.4 references vulnerable versions of Microsoft.IdentityModel.JsonWebTokens and System.IdentityModel.Tokens.Jwt
Vulnerabilities associated:
https://github.com/advisories/GHSA-8g9c-28fc-mcx2
https://github.com/advisories/GHSA-59j7-ghrg-fj52
The text was updated successfully, but these errors were encountered: