Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update nuget packages #88

Merged
merged 2 commits into from
Aug 29, 2022
Merged

Update nuget packages #88

merged 2 commits into from
Aug 29, 2022

Conversation

Yury-Fridlyand
Copy link
Collaborator

@Yury-Fridlyand Yury-Fridlyand commented Aug 26, 2022
edited
Loading

Signed-off-by: Yury-Fridlyand yuryf@bitquilltech.com

Description

Abstractions are taken from opensearch-project/opensearch-net-abstractions#19

Direct System.Net.Http dependencies were updated in scope of opensearch-project/opensearch-net-abstractions#15. Dependencies listed below are indirect dependencies -- dependencies of the dependencies, dependencies of the dependencies of the dependencies and so on.

I have to add extra dependency for Microsoft.NET.Test.Sdk because xunit was updated, see more.

Issues Resolved

Title Vulnerability Module Version Severity
Improper Neutralization, .NET Core Remote Code Execution Vulnerability CVE-2021-26701 GHSA-ghhp-997w-qr28 GSD-2021-26701 System.Text.Encodings.Web 4.6.0 Critical
Improper Neutralization, .NET Core Remote Code Execution Vulnerability CVE-2021-26701 GHSA-ghhp-997w-qr28 GSD-2021-26701 System.Text.Encodings.Web 4.5.0 Critical
Improper Certificate Validation, Security Feature Bypass CVE-2017-0248 GHSA-ch6p-4jcm-h8vh GSD-2017-0248 System.Net.Http 4.3.1 High
Improper Input Validation, Elevation of Privilege CVE-2017-0249 GHSA-qhqf-ghgh-x2m4 GSD-2017-0249 System.Net.Http 4.3.1 High
Improper Input Validation, Denial of Service CVE-2017-0247 GHSA-6xh7-4v2w-36q6 GSD-2017-0247 System.Net.Http 4.3.1 High
Exposure of Sensitive Information to an Unauthorized Actor, .NET Core Internals CVE-2018-8292 GHSA-7jgj-8wvc-jh57 GSD-2018-8292 System.Net.Http 4.3.1 High
Spoofing, vulnerability affects Microsoft.AspNetCore.Mvc CVE-2017-0256 GHSA-j8f4-2w4p-mhjc GSD-2017-0256 System.Net.Http 4.3.1 Moderate
Uncontrolled Resource Consumption, Regular Expression Denial of Service CVE-2019-0820 GHSA-cmhx-cq75-c4mj GSD-2019-0820 System.Text.RegularExpressions 4.3.0 High

Combining this PR and opensearch-project/opensearch-net-abstractions#19 .Net client are cleaned of the listed vulnerable package except the last one.
The dependency chain:
Tests.ScratchPad - BenchMarkDotNet v.0.13.1 - Microsoft.CodeAnalysis.CSharp v.2.10.0 - Microsoft.CodeAnalysis.Common v.2.10.0 - System.Xml.ReaderWriter v.4.3.0 - System.Text.RegularExpressions v.4.3.0

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@Yury-Fridlyand
Update packages.
db592dc 
Signed-off-by: Yury-Fridlyand <yuryf@bitquilltech.com>
@Yury-Fridlyand
Cleanup - removing stale dependencies.
c8247b0 
Signed-off-by: Yury-Fridlyand <yuryf@bitquilltech.com>
@Yury-Fridlyand Yury-Fridlyand requested a review from a team as a code owner August 26, 2022 00:24
This was referenced Aug 26, 2022
Merged
Closed
@MaxKsyunz
Copy link
Collaborator

Combining this PR and opensearch-project/opensearch-net-abstractions#19 .Net client are cleaned of the listed vulnerable package except the last one. The dependency chain: Tests.ScratchPad - BenchMarkDotNet v.0.13.1 - Microsoft.CodeAnalysis.CSharp v.2.10.0 - Microsoft.CodeAnalysis.Common v.2.10.0 - System.Xml.ReaderWriter v.4.3.0 - System.Text.RegularExpressions v.4.3.0

This CVE will not affect end users. Tests.ScratchPad is not part of the client library and is not published.

@joshuali925 joshuali925 mentioned this pull request Aug 29, 2022
Closed
@MaxKsyunz
Copy link
Collaborator

@dblock thank you for merging CVE PR on abstractions repo!

Would you have a moment to look at this one as well?

dblock
dblock approved these changes Aug 29, 2022
View reviewed changes
Copy link
Member

@dblock dblock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

YOLO

@dblock dblock merged commit 6a3687b into opensearch-project:main Aug 29, 2022
Yury-Fridlyand added a commit to Bit-Quill/opensearch-net that referenced this pull request Aug 29, 2022
@Yury-Fridlyand
Add OpenSearch 2.0 support to .Net client.
234b745 
* Update nuget packages (opensearch-project#88)
* Cleanup - removing stale dependencies.
* Fix 2 typos in scripts project
* Update `scripts` project file to include all relevant objects.
* Rename `master` node role to `cluster_manager` as it was done in OpenSearch.
    Ref: opensearch-project/OpenSearch#2480
* Remove validation for indices segments stats.
    `OpenSearch` 2.0 uses newer version of `Lucene` (9.0) which doesn't provide segments stats info.
    Ref: opensearch-project/OpenSearch#2029 opensearch-project/OpenSearch#1109
    See also history for `server/src/main/java/org/opensearch/index/engine/SegmentsStats.java` in `OpenSearch` repo.
* Remove tests for `_type` validation in mapping APIs as it was removed from `OpenSearch`.
    Ref: opensearch-project/OpenSearch#2238 opensearch-project/OpenSearch#2480
* Remove usage of deprecated `search.remote` settings.
    Ref: opensearch-project/OpenSearch#1870
* Update abstractions package - patch to support OpenSearch 2.0. Update integration workflow to run tests on OpenSearch 2.0.
* Rename `master_timeout` to `cluster_manager_timeout` in all APIs where it is used.
* Enrich comments to already renamed `CatMaster`/`CatClusterManager` API.
* Rename in `/_cluster/stats`/`cluster.stats` and `/_cluster/state`/`cluster.state`.
* Add deprecation info.
* Rename in comments.
* Rename in test data.
* Renamings in tests including `MasterEligible`, but mark it is obsolete.
* Rename branch reference in scripting.
* Mark `indices.exists_type`/`TypeExists` APIs as deprecated.
* Update compatibility matrix and include it into `sln` file.
* Add deprecation notice to all reference of `include_type_name`/`IncludeTypeName`.
* Update compatibility matrix.
* Remove `OpenDistro` compatibility notice.
* Update repo link.
* Add small README for each project being released.
* Address PR opensearch-project#51 feedback.

Signed-off-by: Yury-Fridlyand <yuryf@bitquilltech.com>
@Yury-Fridlyand Yury-Fridlyand deleted the dev-update-nuget-packages branch August 29, 2022 22:35
wbeckler pushed a commit that referenced this pull request Aug 31, 2022
@Yury-Fridlyand
Add OpenSearch 2.0 support to .Net client. (#51)
835c266 
* Update nuget packages (#88)
* Cleanup - removing stale dependencies.
* Fix 2 typos in scripts project
* Update `scripts` project file to include all relevant objects.
* Rename `master` node role to `cluster_manager` as it was done in OpenSearch.
    Ref: opensearch-project/OpenSearch#2480
* Remove validation for indices segments stats.
    `OpenSearch` 2.0 uses newer version of `Lucene` (9.0) which doesn't provide segments stats info.
    Ref: opensearch-project/OpenSearch#2029 opensearch-project/OpenSearch#1109
    See also history for `server/src/main/java/org/opensearch/index/engine/SegmentsStats.java` in `OpenSearch` repo.
* Remove tests for `_type` validation in mapping APIs as it was removed from `OpenSearch`.
    Ref: opensearch-project/OpenSearch#2238 opensearch-project/OpenSearch#2480
* Remove usage of deprecated `search.remote` settings.
    Ref: opensearch-project/OpenSearch#1870
* Update abstractions package - patch to support OpenSearch 2.0. Update integration workflow to run tests on OpenSearch 2.0.
* Rename `master_timeout` to `cluster_manager_timeout` in all APIs where it is used.
* Enrich comments to already renamed `CatMaster`/`CatClusterManager` API.
* Rename in `/_cluster/stats`/`cluster.stats` and `/_cluster/state`/`cluster.state`.
* Add deprecation info.
* Rename in comments.
* Rename in test data.
* Renamings in tests including `MasterEligible`, but mark it is obsolete.
* Rename branch reference in scripting.
* Mark `indices.exists_type`/`TypeExists` APIs as deprecated.
* Update compatibility matrix and include it into `sln` file.
* Add deprecation notice to all reference of `include_type_name`/`IncludeTypeName`.
* Update compatibility matrix.
* Remove `OpenDistro` compatibility notice.
* Update repo link.
* Add small README for each project being released.
* Address PR #51 feedback.

Signed-off-by: Yury-Fridlyand <yuryf@bitquilltech.com>

Signed-off-by: Yury-Fridlyand <yuryf@bitquilltech.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MaxKsyunz MaxKsyunz MaxKsyunz approved these changes

@joshuali925 joshuali925 joshuali925 approved these changes

@dblock dblock dblock approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Yury-Fridlyand @MaxKsyunz @dblock @joshuali925