-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update dependencies to fix CVE warnings #369
Merged
Merged
Changes from all commits
Commits
Show all changes
3 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is going to have any effect (as these are transitive dependencies and you have not added any references in this PR) or that this is the right approach in the first place.
Imagine you're developing application
Aand have the following dependency chainWhat if
E1.0 is declared as vulnerable? ShouldDrelease a new version bumpingEto 1.0.1,CbumpingD,BbumpingC, and finally you referencing newB? Or should justBadd a reference toE1.0.1 (our scenario)? Why would it beB's responsibility? Just because it happens to be your direct dependency? What about users who don't useB, but referenceCdirectly - they'd want the authors ofCto release an update anyway. In other words, a vulnerability fix inEwould trigger an update wave across the entire dependency chain.See what I am trying to say? Should everyone adhere to this approach, every time a new vulnerability in a
System.*package is discovered, millions and millions of Nuget packages would have to release new versions. As far as I am concerned, libraries should only list their direct dependencies and the minimal required versions (above, Newtonsoft.Json has also been bumped to 13, yet it works perfectly fine with 12), and should not concern themselves with transitive dependencies.I know you're trying to solve a real pain point of the Nuget client, but this is not the way to go about it. As the end consumer you should simply use a sane package manager that has better version resolution strategies for transitive dependencies (or do what you have done in this PR, but on the level of your application). I am happy with Zaid merging anyway, so consider this just me pointing out a sustainability problem.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, I've just checked the lock file of one of my applications which uses Remoting, and there is no mention of
Asn1orPkcs. Giraffe v4 used to transitively depend on these, but this is no longer the case with v6, so this change would force me and others to download packages we no longer need.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kerams - Appreciate the long explanation. Agree with your reasoning, but there are confounding factors at play beyond just pure transitivity and engineering concerns.
As to your point, yes, all package vendors should be incentivised to update all packages. If this is painful, hopefully people will be more cautious and introduce less vulnerabilities with bad code and sprawling dependencies. Any 'BIG BAD CVE' should imply that all packages in the dependency chain have an incentive to update, as none of them would 'want to be vulnerable' - in fact, Microsoft is expected to start doing this with .NET 9 and slap some very scary warnings on package restore for anything with a transitive CVE as part of their security efforts, which would render the entire thing required by corporate dictate.
You can see this happening here: https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages#running-a-security-audit-with-restore - Note that .NET 9 is defaulting to include transitive in that table.
More practically and for today, we have a compliance requirement to run
dotnet list package --vulnerable --include-transitive. This needs to pass. These packages are included as transitive dependencies of Fable.Remoting, so need to be updated or removed from that dependency chain.While I agree with you and totally understand that these changes don't do much, especially because they're only used in a testing context here, they're still triggering the warning system.
This is further complicated by the fact that we're using Snowflaqe to generate code, which means we can't just go and update the project A in the dependency chain to begin with.
If we don't want to merge this PR, then please can we ensure that projects using this correctly pass
dotnet list package --vulnerable --include-transitive)Our most likely solution if this is not merged (or we don't find some way of unfuckulating this nuget warning) is to move away from Fable.Remoting entirely as we only use a tiny subset of this library - something we really don't want to do.
See also - a blog post from microsoft about best practices: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/
To summarise - let's do whatever we can to make the warnings go away - we'll need to do that for .Net 9 anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What I fundamentally disagree with is auditing class libraries (even though that's what's showcased in the linked blog post).
This package is vulnerable in the sense that it is compatible with a version of System.Text.Json which has a CVE. It does not require such a version, merely supports it.
If you reference FSharp.SystemTextJson in your class library and run
dotnet list package --vulnerable --include-transitive,you will indeed see a warning(sorry, this is not true, nuget will resolve the lowest dependency by default, v6, which isn't vulnerable - v7 is). However, why would you want to audit your internal class library? After all, it doesn't run on its own.If you then create a
net9.0console application and reference the class library, auditing isn't going to uncover any warnings, because System.Text.Json v9 will have been resolved and no vulnerable code is going to be executing in production.Are you required to audit every single project? In my opinion, outside of some dynamic loading scenarios, auditing class libraries is irrelevant. Returning to the example above, one might think you're at risk, but at the end of the day, you're not actually using any vulnerable versions.
I am not familiar with Snowflaqe, but if I understood the code correctly, it's generating project files, which you don't want to edit manually, right? If you really need the audit to pass for such projects (again, rather than just testing the executable projects), then I reckon it would be best that Snowflaqe inject direct references to safe versions of the packages that have CVEs. At the risk of sounding like a broken record, there will be new CVEs tomorrow, next week or next month, and we'll need to keep releasing new Snowlaqe/Remoting versions. I seriously doubt any nuget package author is interested in doing this either.
I personally use Paket, which uses highest version resulution strategy by default, making all of this a non-issue, but if you're stuck with the nuget client, maybe you could also give CPM a try? It's supposed to solve these problems by the looks of it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the detailed answer - definitely think we're getting somewhere!
Effectively yes - we have compliance requirements that mandate a secure lifecycle + static application security testing every build. Woo hoo bureaucracy.
Most of this way of thinking is coming from the JS ecosystem, I think, where all of these practices such as ten million package updates every week are extremely common - obviously the solution is more bloat and more automation... sigh. (see nonsense like DependaBot)
And yes - we have to ensure we address those continuously. We have meticulously reduced our surface area and dependencies, and continue to shrink as we go to minimize this.
The root cause of this seems to be SnowFlaqe preventing a workaround by adding non-vulnerable packages - you're correct in asserting that - which we're really not inclined to drop as a dependency due to its general utility.
Perhaps @Zaid-Ajaj can chip in here with some comments on how he suggests we resolve this, as it's going to impact more in .NET 9 for the code-gen library - otherwise - what do you suggest to as simply as possible 'make the warnings go away' for the security audit?
Appreciating the fruitful and constructive discussion here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general I agree with @kerams on this one but I can understand where @varon is coming from. Strictly it shouldn't be needed for us to go and update every time a vulnerability is discovered but I don't mind doing it as long as it doesn't happen too often (hopefully) and I can find some time between my day job / life to look into it and do the publishing.