Update .NET libraries which have security problems in transitive dependencies #2967

Porges · 2023-04-04T21:42:47Z

The existing versions of these libraries have dependencies on packages with known vulnerabilities.

These can be listed via:

dotnet list package --include-transitive --vulnerable

Updating the ADO packages fixes the following:

Newtonsoft.Json (High) GHSA-5crp-9r3c-p9vr
System.Data.SqlClient (Moderate) GHSA-8g2p-5pqh-5jmc
System.Drawing.Common (Critical) GHSA-rxg9-xrhp-64gj

Updating the Identity packages fixes the following:

System.Security.Cryptography.Xml (Moderate) GHSA-2m65-m22p-9wjw

Updating the System.Text.RegularExpressions package fixed:

System.Text.RegularExpressions (High) GHSA-cmhx-cq75-c4mj

Updating the System.Net.Http package (in test project) fixed:

System.Net.Http (High) GHSA-7jgj-8wvc-jh57

codecov-commenter · 2023-04-04T21:50:05Z

Codecov Report

Merging #2967 (0ff6df6) into main (b8f0327) will not change coverage.
The diff coverage is 0.00%.

@@           Coverage Diff           @@
##             main    #2967   +/-   ##
=======================================
  Coverage   29.10%   29.10%           
=======================================
  Files         304      304           
  Lines       36337    36337           
=======================================
  Hits        10577    10577           
  Misses      25760    25760

Impacted Files	Coverage Δ
...Service/ApiService/onefuzzlib/notifications/Ado.cs	`0.00% <0.00%> (ø)`

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

Porges force-pushed the dotnet-vulnerabilities branch from edd8005 to cc7542c Compare April 4, 2023 21:43

Porges requested a review from tevoinea April 4, 2023 21:43

Porges force-pushed the dotnet-vulnerabilities branch from cc7542c to 0ff6df6 Compare April 4, 2023 21:44

chkeita approved these changes Apr 4, 2023

View reviewed changes

Porges changed the title ~~Update ADO libraries~~ Update .NET libraries Apr 4, 2023

Porges changed the title ~~Update .NET libraries~~ Update .NET libraries which have security problems in transitive dependencies Apr 4, 2023

Porges added 5 commits April 4, 2023 16:01

Add dependabot config for .NET (#2966)

96db6d4

Update ADO packages

4a81abd

Update Microsoft.Identity packages

e6e99d6

Update RegularExpressions and test project

c4ebe28

Fix new Xunit lints

e5f4f91

Porges enabled auto-merge (squash) April 5, 2023 00:59

Porges merged commit 7ea0901 into main Apr 5, 2023

Porges deleted the dotnet-vulnerabilities branch April 5, 2023 01:09

AdamL-Microsoft mentioned this pull request Apr 5, 2023

7.1.0 Release #2965

Closed

Porges mentioned this pull request Apr 10, 2023

Add support for Nuget lockfiles microsoft/component-detection#497

Open

AdamL-Microsoft mentioned this pull request Apr 11, 2023

Release 8.0.0 #3013

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update .NET libraries which have security problems in transitive dependencies #2967

Update .NET libraries which have security problems in transitive dependencies #2967

Porges commented Apr 4, 2023 •

edited

Loading

codecov-commenter commented Apr 4, 2023 •

edited

Loading

Update .NET libraries which have security problems in transitive dependencies #2967

Update .NET libraries which have security problems in transitive dependencies #2967

Conversation

Porges commented Apr 4, 2023 • edited Loading

codecov-commenter commented Apr 4, 2023 • edited Loading

Codecov Report

Porges commented Apr 4, 2023 •

edited

Loading

codecov-commenter commented Apr 4, 2023 •

edited

Loading