Vulnerabilities #544
Comments
|
Which vulnerability do you mean exactly? SqlClient 5.1.5 is not marked as vulnerable on NuGet. |
|
Piggybacking on this issue to report two new vulnerabilities reported by VS today: Azure.Identity 1.1.3 and Microsoft.Identity.Client 4.60.3 are showing up as vulnerable dependencies of Microsoft.Data.SqlClient 5.2.1, which is a dependency of version 6.6.1 of this package.
|
|
Thank you for reporting this. I made a scan today using After updating Microsoft.Data.SqlClient from 5.1.5 to the latest version 5.2.1, it came down to only the one vulnerability which was reported by @MaddMugsy: GHSA-m5vv-6r4h-3vj9. It seems that the SqlClient have already merged a PR which fixes the remaining vulnerability (dotnet/SqlClient#2577) on 23rd of June but they have not yet created a new 5.x release. So we will have to wait for that. In the meantime, to increase the security posture of SQLServer sink, I will create a release with the SqlClient udated to 5.2.1 so we get rid of the high severity and other vulnerability and only GHSA-m5vv-6r4h-3vj9 is remaining. This we will fix as soon as SqlClient makes a new release. |
Updated Microsoft.Data.SqlClient to fix some of the vulnerabilities referenced in serilog-mssql#544.
@ckadluba FYI, this will also be fixed in SqlClient version 5.1.6, see dotnet/SqlClient#2649 SqlClient 5.1.x has LTS support, while 5.2x only has "current" support. See https://learn.microsoft.com/en-us/sql/connect/ado-net/sqlclient-driver-support-lifecycle |
|
Thanks for mentioning this. Then probably we should switch back to a 5.1 version as soon as there is a fix. |
Activated NuGet audit as documented here by adding a global Directory.Build.props: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/. The audit breaks the build on high and critical severity vulnerabilities in direct and transitive dependencies. Related issue: serilog-mssql#544
Fixed vulnerabilites reported by NuGet audit in System.Net.Http and System.Text.RegularExpressions by removing any references to System.* version 4.* packages as recommended here: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions Related issue: serilog-mssql#544
* Rather have 5.1 than 5.2 because 5.1 is LTS * Fixes issue serilog-mssql#544 (partly) and issue serilog-mssql#552
* Fixed vulnerability by updating xunit to 2.9.0. * Fixed new warnings in test code. Related issue: serilog-mssql#544 Related Work Items: #5
Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (GHSA-xhfc-gr8f-ffwc) Related issue: serilog-mssql#544
Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (GHSA-447r-wph3-92pm) Related issue: serilog-mssql#544
…ystem.Formats.Asn1 (GHSA-447r-wph3-92pm, issue serilog-mssql#544) * Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (GHSA-xhfc-gr8f-ffwc, issue serilog-mssql#544)
… and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) Related issue: serilog-mssql#544
|
Added NuGet audit and fixed different vulnerabilities by updating any affected dependencies. We created a dev release with the changed. https://www.nuget.org/packages/Serilog.Sinks.MSSqlServer/6.7.1-dev-00084 Please try it out and give us some feedback. Thank you! :) |
|
I'm not so sure that directly referencing indirect dependencies is a good idea, even if the indirect dependency has a security vulnerability. This leads to a situation where it looks like this package has more direct dependencies than it really has. And to more maintenance work. Concrete example: Hypothetical example for future maintenance work: Ideally, the direct dependency should update their dependency and then just the direct dependency should be updated here. But of course that requries work from other teams. End users can alway update indirect dependencies themselves, e.g with transitive pinning in central package management. |
|
@cremor I see your point and agree to some degree. Pulling a transient dependency into the sink project to fix a vulnerability isn't quite elegant. Especially since it could easily be forgotten to be removed again once the package where it is referenced originally gets updated and we no longer need the reference. By the way, the example with Azure.Identity in SqlClient is a very interesting pick when it comes to the MSSQL sink because the sink can also be used for logging to Azure SQL. This means, if they restructure SqlClient and remove Azure.Identity from the their core package, we still need to add the SqlClient.Azure (or whatever it will be called) package because otherwise things like managed identity authentication will not work anymore with the sink. |
Ok, that's fine for me. I just wanted to mention it.
Do you actually need classes from Azure.Identity at compile time? If not, I think you should not reference it in the future. I think you should then take the same approach that Microsoft.Data.SqlClient seems to follow now, which is to throw at runtime if Microsoft.Data.SqlClient.Azure.Authentication (or however it will be called) is not available. Otherwise you'll do the same that Microsoft.Data.SqlClient does now, which is forcing a Azure dependency (with possible security vulnerabilities) to all of your users, even if they don't use Azure. Finally, could you please explain why you now need to reference System.Private.Uri? This dependency wasn't installed in my project with Serilog.Sinks.MSSqlServer 6.6.1 or 6.7.0, so it is new in 6.7.1. How could there have been a security vulnerability for it, if it wasn't even used before? Maybe it is only referenced in some target frameworks, but not in .NET 8? |
This was the warning I got mentioning
In the NuGet UI it did not appear as a transitive, so I suppose your assumption is correct and it is referenced by the frameworks.
Possibly the advisories can help us to locate the source of that dependency. |
|
Yes, it seems to be only an SDK issue. dotnet/announcements#113. A quite old one even. I'll check and update it on my machine. It that removes the warning, we can remove the System.Private.Uri dependency again in the next release. |
|
I get the same behavior on a different machine with latest VS 2022 Preview (17.12.0 Preview 1) and .NET SDK 9.0.100-preview.7.24407.12. When I remove the reference to System.Private.Uri from the sink project, the warnings about the two vulnerabilities occur. I will leave the reference in and we will watch how this behaves with the next SDK updates. |
|
Yeah, this looks like a false positive. Here is a similar issue where it's mentioned that this will not be fixed in .NET 9 😞 It looks like all reports of this issue are closed as duplicates of NuGet/Home#7344 |
|
Thanks for the research. If this affects lots of users giving a false postive about a high severity vulnerability, I hope there will be fix anytime soon. |
Serilog.Sinks.MSSqlServer
Library Vulnerabilities (1)
Severity: Medium
Top Fix: Upgrade to version microsoft.data.sqlclient 5.2.1
The text was updated successfully, but these errors were encountered: