Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674

Closed
6 tasks done
ericstj opened this issue Sep 11, 2024 · 6 comments · Fixed by #4839
Closed
6 tasks done

Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674

ericstj opened this issue Sep 11, 2024 · 6 comments · Fixed by #4839
Assignees
@aavasthy
Labels
customer-reported Issue created by a customer needs-investigation Selenium

Comments

@ericstj
Copy link

ericstj commented Sep 11, 2024
edited by kirankumarkolli
Loading

Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.

To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/> and restore the project.

Expected behavior
No warnings when restoring.

Actual behavior
The following warnings occur:

    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2

Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

Tasks
Beta Give feedback
  1. [INTERNAL] FaultInjection: Fixes Newtonsoft and SystemTextJson to use latest versions #4790
  2. [INTERNAL]STJ: Fixes STJ to 8.0.5 as per dependa bot #4775
  3. [INTERNAL] Build: Fixes warnings in encryption project #4756
  4. [INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities) and also warnings #4693
    auto-merge
  5. [INTERNAL] Changelog: Adds note about Newtonsoft.Json (10.0.3) security vulnerability and upgrade to latest patched version #4694
    auto-merge
  6. Dependencies: Fixes Pinning System.Net.Http and System.Text.RegularExpressions to latest patched versions #4676
    auto-merge
@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issue created by a customer label Sep 11, 2024
@Pilchie
Copy link
Member

Pilchie commented Sep 11, 2024

We cannot update the dependency on Newtonsoft.Json, because there are no patched versions without breaking changes, and we can't force that breaking change on our customers :(

For System.Net.Http and System.Text.RegularExpressions, we should investigate the path they are coming in through and either update an intermediate dependency, or consider pinning to a higher version.

Tagging also @kirankumarkolli and @kundadebdatta.

@kirankumarkolli
Copy link
Member

'System.Text.RegularExpressions' seems like a transitive dependency through 'Newtonsoft.Json'
Unsure of source of System.Net.Http dependency (we do use HttpClient but not explicitly listed in package spec.

'Newtonsoft.Json' 10.0.2 vulnerability is address through a code fix, unfortunately upgrading to the suggested version is a breaking change.

Except 'Newtonsoft.Json' we can at-least fix others as new dependencies directly to override.

@ericstj thoughts on how to way to let analyzer to suppress for Newtonsoft.Json?

@kirankumarkolli kirankumarkolli pinned this issue Sep 11, 2024
@kirankumarkolli kirankumarkolli mentioned this issue Sep 11, 2024
Merged
1 task
@ericstj
Copy link
Author

ericstj commented Sep 12, 2024
edited
Loading

You can update the other dependencies, NETStandard.Library and System.Text.RegularExpressions. (Try out dotnet nuget why for diagnosing these and read https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/ cc @zivkan)

FWIW many of your customers are going to be in this same predicament since they'll see this vulnerability warning for Newtonsoft. Don't you have a major version where you can choose to update Newtonsoft? Also - have you reached out to @JamesNK to see if he'd be able to produce a 10.0.4 build that has a fix for the CVE without other breaking changes?

@ericstj ericstj mentioned this issue Sep 12, 2024
Merged
@kirankumarkolli
Copy link
Member

Thank you other dependencies are addressed will ship part of next release.

Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer.
Will follow-up with James.

@ericstj
Copy link
Author

ericstj commented Sep 13, 2024

STJ is going to have the same problem if you stay on older versions of it: dotnet/runtime#104619

@bartelink
Copy link
Contributor

I believe the STJ in here is inherited via Azure.Core, which currently is a 6.x min (which is not on the official list of versions covered by that cited issue? (Of course your overall point is not necessarily invalidated by that)

This was referenced Sep 14, 2024
Merged
Merged
microsoft-github-policy-service bot pushed a commit that referenced this issue Sep 20, 2024
@kirankumarkolli
[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilitie…
2cc12dc 
…s) and also warnings (#4693)

[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities)
and also warnings

For Cosmos pinned to latest versions
```
    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" />
```

Newtonsoft.Json and System.Text.Json: updated to patched versions
```
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
```

Microsoft.NET.Sdk.Functions: Upgraded to latest 
```
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" />
```

Removed transitive dependencies: Configuration and
Configuration.FileExtensions
```    
    <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" />
```

ChangeFeed project: Its a migration project which has V2 CFP project
reference which has vulnerabile dependencies, which are now pinned
explicitly to patched version
```
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Net.Security" Version="4.3.2" />
```

Ref: #4674
@ericstj ericstj mentioned this issue Oct 3, 2024
Merged
@aavasthy aavasthy self-assigned this Oct 7, 2024
@aavasthy aavasthy moved this to In Progress in Azure Cosmos SDKs Oct 7, 2024
@aavasthy aavasthy mentioned this issue Oct 11, 2024
Closed
1 task
@kirankumarkolli kirankumarkolli moved this from In Progress to Approved in Azure Cosmos SDKs Oct 19, 2024
@aavasthy aavasthy mentioned this issue Oct 22, 2024
Merged
1 task
@aavasthy aavasthy moved this from Approved to In Progress in Azure Cosmos SDKs Nov 5, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure Cosmos SDKs Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aavasthy aavasthy

Labels
customer-reported Issue created by a customer needs-investigation Selenium
Projects
Azure Cosmos SDKs
Status: Done
Milestone
No milestone
5 participants
@bartelink @Pilchie @kirankumarkolli @ericstj @aavasthy