Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Microsoft.Azure.Cosmos references many out of support and vulnerable package versions. #4674

Closed
6 tasks done
ericstj opened this issue Sep 11, 2024 · 8 comments · Fixed by #4839
Closed
6 tasks done
Assignees

Comments

@ericstj
Copy link

ericstj commented Sep 11, 2024

Describe the bug
Microsoft.Azure.Cosmos references many packages which are out of support and vulnerable.

To Reproduce
Create a new project with the latest .NET 9.0 preview SDK which includes NuGet audit for security vulnerabilities. Add a reference to <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0"/> and restore the project.

Expected behavior
No warnings when restoring.

Actual behavior
The following warnings occur:

    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\scratch\azureCosmos\azureCosmos.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Environment summary
SDK Version: 3.43.0
.NET SDK: 9.0.0-preview.7.24405.7
OS Version: Windows 11 23H2

Additional context
See https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages
https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

@Pilchie
Copy link
Member

Pilchie commented Sep 11, 2024

We cannot update the dependency on Newtonsoft.Json, because there are no patched versions without breaking changes, and we can't force that breaking change on our customers :(

For System.Net.Http and System.Text.RegularExpressions, we should investigate the path they are coming in through and either update an intermediate dependency, or consider pinning to a higher version.

Tagging also @kirankumarkolli and @kundadebdatta.

@kirankumarkolli
Copy link
Member

'System.Text.RegularExpressions' seems like a transitive dependency through 'Newtonsoft.Json'
Unsure of source of System.Net.Http dependency (we do use HttpClient but not explicitly listed in package spec.

'Newtonsoft.Json' 10.0.2 vulnerability is address through a code fix, unfortunately upgrading to the suggested version is a breaking change.

Except 'Newtonsoft.Json' we can at-least fix others as new dependencies directly to override.

@ericstj thoughts on how to way to let analyzer to suppress for Newtonsoft.Json?

@ericstj
Copy link
Author

ericstj commented Sep 12, 2024

You can update the other dependencies, NETStandard.Library and System.Text.RegularExpressions. (Try out dotnet nuget why for diagnosing these and read https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/ cc @zivkan)

FWIW many of your customers are going to be in this same predicament since they'll see this vulnerability warning for Newtonsoft. Don't you have a major version where you can choose to update Newtonsoft? Also - have you reached out to @JamesNK to see if he'd be able to produce a 10.0.4 build that has a fix for the CVE without other breaking changes?

@kirankumarkolli
Copy link
Member

Thank you other dependencies are addressed will ship part of next release.

Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer.
Will follow-up with James.

@ericstj
Copy link
Author

ericstj commented Sep 13, 2024

STJ is going to have the same problem if you stay on older versions of it: dotnet/runtime#104619

@bartelink
Copy link
Contributor

I believe the STJ in here is inherited via Azure.Core, which currently is a 6.x min (which is not on the official list of versions covered by that cited issue? (Of course your overall point is not necessarily invalidated by that)

microsoft-github-policy-service bot pushed a commit that referenced this issue Sep 20, 2024
…s) and also warnings (#4693)

[INTERNAL] Samples: Fixes upgrades to latest versions (vulnerabilities)
and also warnings

For Cosmos pinned to latest versions
```
    <PackageReference Include="Microsoft.Azure.Cosmos" Version="3.43.0" />
```

Newtonsoft.Json and System.Text.Json: updated to patched versions
```
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
```

Microsoft.NET.Sdk.Functions: Upgraded to latest 
```
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.4.1" />
```

Removed transitive dependencies: Configuration and
Configuration.FileExtensions
```    
    <PackageReference Include="Microsoft.Extensions.Configuration" Version="2.2.0" />
    <PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="2.2.0" />
```

ChangeFeed project: Its a migration project which has V2 CFP project
reference which has vulnerabile dependencies, which are now pinned
explicitly to patched version
```
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Net.Security" Version="4.3.2" />
```

Ref: #4674
@aavasthy aavasthy self-assigned this Oct 7, 2024
@aavasthy aavasthy moved this to In Progress in Azure Cosmos SDKs Oct 7, 2024
@kirankumarkolli kirankumarkolli moved this from In Progress to Approved in Azure Cosmos SDKs Oct 19, 2024
@aavasthy aavasthy moved this from Approved to In Progress in Azure Cosmos SDKs Nov 5, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure Cosmos SDKs Nov 13, 2024
@AIZ-THerring
Copy link

Our next major version will remove dependency on Newstonsoft and just use STJ as default serializer. Will follow-up with James.

Is this ever going to actually get fixed? I've been waiting on this for years.

The 3.46.0 change only makes things worse. Now I have to have a direct dependency on Newtonsoft and can no longer justify it as an indirect reference through the Cosmos package.

@ChuckM90
Copy link

I agree with @AIZ-THerring. IMHO Nuget Microsoft packages have to migrate to STJ if they use Newtonsoft. It may be a long step but it is necessary to avoid depending on third party packages that do the same thing as a proprietary package.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done
7 participants