Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Transitive CVE in System.Runtime.Caching #2908

Closed
SimonCropp opened this issue Oct 9, 2024 · 9 comments · Fixed by #2921
Closed

Transitive CVE in System.Runtime.Caching #2908

SimonCropp opened this issue Oct 9, 2024 · 9 comments · Fixed by #2921
Labels
🚑 Hotfix Candidate Issues/PRs that are candidate for backporting to earlier supported versions.

Comments

@SimonCropp
Copy link
Contributor

can you update to 8.0.1 and release a new nuget
@Xyloto91
Copy link

Xyloto91 commented Oct 10, 2024
edited
Loading

Have same issue due to Trivy vulnerability scan, pls update this so we don't need to update transitive dependency.

@jaskaransinghdr6j
Copy link

+1 being flagged by Anchore and other GH feeds

@cheenamalhotra cheenamalhotra added 🆕 Triage Needed For new issues, not triaged yet. 🚑 Hotfix Candidate Issues/PRs that are candidate for backporting to earlier supported versions. labels Oct 11, 2024
@roji roji mentioned this issue Oct 14, 2024
Closed
@mungojam
Copy link

mungojam commented Oct 16, 2024
edited
Loading

It seems like in general if the Microsoft.Data.SqlClient package were updated to use v8.x rather than v6.x of various dependencies, all this noise would go away as the sub-dependencies like Microsoft.IdentityModel.Protocols.OpenIdConnect have been updated so that they just rely on the .net core provided versions instead.

The current tree looks like this (for a different vulnerability)

               └─ Microsoft.Data.SqlClient (v5.2.2)
                  ├─ Azure.Identity (v1.12.0)
                  │  └─ Azure.Core (v1.40.0)
                  │     ├─ System.ClientModel (v1.0.0)
                  │     │  └─ System.Memory.Data (v1.0.2)
                  │     │     └─ System.Text.Encodings.Web (v4.7.2)
                  │     ├─ System.Memory.Data (v1.0.2)
                  │     │  └─ System.Text.Encodings.Web (v4.7.2)
                  │     └─ System.Text.Encodings.Web (v4.7.2)
                  ├─ Microsoft.IdentityModel.JsonWebTokens (v6.35.0)
                  │  └─ System.Text.Encodings.Web (v4.7.2)
                  └─ Microsoft.IdentityModel.Protocols.OpenIdConnect (v6.35.0)
                     └─ System.IdentityModel.Tokens.Jwt (v6.35.0)
                        └─ Microsoft.IdentityModel.JsonWebTokens (v6.35.0)
                           └─ System.Text.Encodings.Web (v4.7.2)

@weldevops
Copy link

We use this package in our most widely used library and functionally every one of our services is screaming about vulnerabilities.

Is there a rough estimate when the updates might be released or should we override this dependency so long as it may be a while?

Can we assist with the patching at all?

@roji
Copy link
Member

roji commented Oct 17, 2024

Everyone, you can take a direct dependency on System.Runtime.Caching 8.0.1 from your project; there's no need to wait until SqlClient releases.

@cheenamalhotra cheenamalhotra linked a pull request Oct 22, 2024 that will close this issue
Update dependencies #2921
Merged
@benrr101
Copy link
Contributor

It looks like we updated the dependency was updated in v6, but will need to be backported to previous, supported releases.

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 29, 2024

@benrr101 Is there an issue to Backport to current releases?

@ErikEJ
Copy link
Contributor

ErikEJ commented Oct 29, 2024

@benrr101 Sorry, just saw you created one 😄

@David-Engel David-Engel removed the 🆕 Triage Needed For new issues, not triaged yet. label Oct 29, 2024
@David-Engel
Copy link
Contributor

Backport tracking issue: #2935

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🚑 Hotfix Candidate Issues/PRs that are candidate for backporting to earlier supported versions.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update dependencies cheenamalhotra/SqlClient
10 participants
@SimonCropp @benrr101 @roji @mungojam @ErikEJ @cheenamalhotra @Xyloto91 @David-Engel @jaskaransinghdr6j @weldevops