[Internal] Fixes: System.Net.Http by bumping to pinned 4.3.4 reference #4853

Closed
wants to merge 5 commits into from

seesharprun

I'm building the Microsoft.Azure.Cosmos library with .NET 9 which now shows warnings that your library has the following vulnerabilities in some projects (not all).

I'm not sure if this is an allowed update.

@seesharprun seesharprun marked this pull request as draft October 25, 2024 17:08
@seesharprun seesharprun changed the title Bump System.Net.Http to pinned 4.3.4 reference [Internal] Fixes: System.Net.Http by bumping to pinned 4.3.4 reference Oct 25, 2024
Member

@Pilchie Pilchie left a comment

@kirankumarkolli - can you take a look at this?

@seesharprun seesharprun marked this pull request as ready for review October 25, 2024 23:32
@kirankumarkolli
Member

On the latest master branch it's building with just the 'Newtonsoft.Json' warning (which we are currently working on fixing).
@seesharprun are you still seeing issues on latest master?

```
e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src>dotnet build
Restore succeeded with 1 warning(s) in 1.3s
    e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src\Microsoft.Azure.Cosmos.Encryption.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
  Microsoft.Azure.Cosmos.Encryption succeeded with 2 warning(s) (4.0s) → bin\Debug\netstandard2.0\Microsoft.Azure.Cosmos.Encryption.dll
    e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src\Microsoft.Azure.Cosmos.Encryption.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    CSC : warning SA0001: XML comment analysis is disabled due to project configuration (https://github.com/DotNetAnalyzers/StyleCopAnalyzers/blob/master/documentation/SA0001.md)

Build succeeded with 3 warning(s) in 7.2s

e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src>dotnet --list-sdks
3.1.426 [C:\Program Files\dotnet\sdk]
6.0.321 [C:\Program Files\dotnet\sdk]
6.0.427 [C:\Program Files\dotnet\sdk]
7.0.120 [C:\Program Files\dotnet\sdk]
8.0.403 [C:\Program Files\dotnet\sdk]
9.0.100-rc.1.24452.12 [C:\Program Files\dotnet\sdk]

e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src>
```

@kirankumarkolli
Member

System.Net.Http is a transitive dependency through Azure.Core.
Earlier we had an older Azure.Core version as a dependency, resulting in the above warning; now we have upgraded to the latest version and that fixed the issue.
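
Added example, not part of this thread or the project's code: a small CI-side triage of NuGet audit warnings (NU1901 to NU1904) like the ones in the build output above, collapsing the repeat printed by the restore and build phases and selecting findings at or above a severity threshold. The function names `parse_audit_warnings` and `blocking` are hypothetical, and the second sample warning (package, path and advisory URL) is constructed.

```python
import re

# NuGet audit warning codes and the advisory severity each one reports.
SEVERITY_BY_CODE = {"NU1901": "low", "NU1902": "moderate",
                    "NU1903": "high", "NU1904": "critical"}
RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}

AUDIT_RE = re.compile(
    r"^\s*(?P<project>.+?)\s*:\s*warning\s+(?P<code>NU190[1-4]):\s*"
    r"Package '(?P<package>[^']+)'\s+(?P<version>\S+)\s+has a known\s+"
    r"\w+\s+severity vulnerability,\s*(?P<advisory>\S+)",
    re.MULTILINE,
)

# First three lines are from the build output in this thread; the last
# warning is constructed to exercise the severity threshold.
SAMPLE_OUTPUT = r"""
Restore succeeded with 1 warning(s) in 1.3s
    e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src\Microsoft.Azure.Cosmos.Encryption.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    e:\src\v31\Microsoft.Azure.Cosmos.Encryption\src\Microsoft.Azure.Cosmos.Encryption.csproj : warning NU1903: Package 'Newtonsoft.Json' 10.0.2 has a known high severity vulnerability, https://github.com/advisories/GHSA-5crp-9r3c-p9vr
    CSC : warning SA0001: XML comment analysis is disabled due to project configuration
    c:\constructed\Sample.csproj : warning NU1902: Package 'Example.Constructed' 1.0.0 has a known moderate severity vulnerability, https://example.invalid/advisory-placeholder
"""

def parse_audit_warnings(build_output):
    """Return one finding per (project, package, version, advisory)."""
    seen, findings = set(), []
    for m in AUDIT_RE.finditer(build_output):
        key = (m["project"].lower(), m["package"], m["version"], m["advisory"])
        if key in seen:  # restore and build phases both print the warning
            continue
        seen.add(key)
        finding = m.groupdict()
        finding["severity"] = SEVERITY_BY_CODE[m["code"]]
        findings.append(finding)
    return findings

def blocking(findings, fail_at="high"):
    """Findings at or above the severity threshold, for a CI gate."""
    return [f for f in findings if RANK[f["severity"]] >= RANK[fail_at]]

if __name__ == "__main__":
    for f in blocking(parse_audit_warnings(SAMPLE_OUTPUT)):
        print(f"{f['severity']:8} {f['package']} {f['version']} {f['advisory']}")
```

Because the warning names only the vulnerable package, a transitive one such as System.Net.Http still has to be traced back to the direct reference that pulls it in before deciding what to upgrade.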

@seesharprun
Author

My issue is now resolved. I'll close this request.

@seesharprun seesharprun closed this Nov 1, 2024
@kirankumarkolli
Member

Thank you @seesharprun.

3 participants