Conversation


@Francisco-Gamino Francisco-Gamino commented Dec 3, 2023

Issue describing the changes in this PR

Resolves #1023

This PR contains the following changes:

  • Added Check-CsprojVulnerabilities.ps1 to ensure that the dependencies of the worker, unit test, and E2E test projects are up-to-date.
  • Introduced a new stage in the pipeline named Check for security vulnerabilities that invokes Check-CsprojVulnerabilities.ps1.
  • Upgraded dependencies with vulnerabilities in the unit test and E2E test projects.

Below is a screenshot of the new stage in the pipeline.

If vulnerabilities are found, the user can run Check-CsprojVulnerabilities.ps1 -PrintReport locally to see which packages need to be upgraded.

PS E:\GH\azure-functions-powershell-worker> .\Check-CsprojVulnerabilities.ps1 -PrintReport
Analyzing 'E:\GH\azure-functions-powershell-worker/src/Microsoft.Azure.Functions.PowerShellWorker.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.
No vulnerabilities found

Analyzing 'E:\GH\azure-functions-powershell-worker/test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.
No vulnerabilities found

Analyzing 'E:\GH\azure-functions-powershell-worker/test/E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E/Azure.Functions.PowerShellWorker.E2E.csproj' for vulnerabilities...
  Determining projects to restore...
  All projects are up-to-date for restore.

Vulnerabilities found!
The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-tools/nuget/v3/index.json
   https://azfunc.pkgs.visualstudio.com/e6a70c92-4128-439f-8012-382fe78d6396/_packaging/AzureFunctions%40internalrelease/nuget/v3/index.json
   https://azfunc.pkgs.visualstudio.com/e6a70c92-4128-439f-8012-382fe78d6396/_packaging/AzureFunctions%40staging/nuget/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `Azure.Functions.PowerShellWorker.E2E` has the following vulnerable packages
   [net8.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj


PS E:\GH\azure-functions-powershell-worker>

Pull request checklist

  • My changes do not require documentation changes
    • Otherwise: Documentation issue linked to PR
  • My changes should not be added to the release notes for the next release
    • Otherwise: I've added my notes to release_notes.md
  • My changes do not need to be backported to a previous version
    • Otherwise: Backport tracked by issue/PR #issue_or_pr
  • I have added all required tests (Unit tests, E2E tests)

Additional information

Additional PR information
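The description above explains what Check-CsprojVulnerabilities.ps1 does (scan each csproj, report transitive vulnerable packages, fail the pipeline stage, and print the raw report only with -PrintReport). The following is an added example of how such a check can be implemented; it is not the PR's own script. It assumes the .NET SDK is on PATH and uses a hypothetical project list relative to the repository root. It relies on the real `dotnet restore` and `dotnet list <project> package --vulnerable --include-transitive` commands, and parses the `> Package  [Requested]  Resolved  Severity  Advisory URL` lines that appear in the output shown in the PR description.

```powershell
# Added example (not the project's Check-CsprojVulnerabilities.ps1): scan csproj files
# for vulnerable NuGet dependencies, including transitive ones, and exit non-zero when
# any are reported so a CI stage fails. Assumes the .NET SDK is installed.
[CmdletBinding()]
param(
    [switch]$PrintReport,
    [string]$RepoRoot = $PSScriptRoot
)

$ErrorActionPreference = 'Stop'

# Hypothetical project list; adjust to the repository being checked.
$projects = @(
    'src/Microsoft.Azure.Functions.PowerShellWorker.csproj',
    'test/Unit/Microsoft.Azure.Functions.PowerShellWorker.Test.csproj'
) | ForEach-Object { Join-Path $RepoRoot $_ }

function Get-VulnerablePackages {
    param([Parameter(Mandatory)][string]$ProjectPath)

    # `dotnet list package --vulnerable` only works against a restored project.
    dotnet restore $ProjectPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dotnet restore failed for '$ProjectPath'" }

    # --include-transitive is what surfaces indirectly referenced packages such as
    # System.Net.Http 4.3.0; without it only direct PackageReferences are checked.
    $output = dotnet list $ProjectPath package --vulnerable --include-transitive
    if ($LASTEXITCODE -ne 0) { throw "dotnet list package failed for '$ProjectPath'" }

    # Each vulnerable package is printed on a line starting with '>'. Top-level rows have
    # an extra "Requested" column, so read the fixed columns from the right-hand end:
    # ... Resolved  Severity  AdvisoryURL.
    $findings = foreach ($line in $output) {
        if ($line -match '^\s*>\s+\S') {
            $parts = ($line -replace '^\s*>\s*', '') -split '\s+'
            if ($parts.Count -ge 4) {
                [pscustomobject]@{
                    Project  = [IO.Path]::GetFileNameWithoutExtension($ProjectPath)
                    Package  = $parts[0]
                    Resolved = $parts[-3]
                    Severity = $parts[-2]
                    Advisory = $parts[-1]
                }
            }
        }
    }
    return @{ Findings = @($findings); RawOutput = $output }
}

$allFindings = @()
foreach ($project in $projects) {
    Write-Host "Analyzing '$project' for vulnerabilities..."
    $result = Get-VulnerablePackages -ProjectPath $project
    if ($PrintReport) { $result.RawOutput | Write-Host }
    if ($result.Findings.Count -eq 0) {
        Write-Host 'No vulnerabilities found'
    } else {
        Write-Host 'Vulnerabilities found!'
        $allFindings += $result.Findings
    }
    Write-Host ''
}

if ($allFindings.Count -gt 0) {
    # Summarize by project/package/severity so the CI log shows what to upgrade.
    $allFindings | Format-Table -AutoSize | Out-String | Write-Host
    # A non-zero exit code is what makes the pipeline stage fail.
    exit 1
}
exit 0
```

Run it as `.\Check-CsprojVulnerabilities.ps1 -PrintReport` from the repository root to see the full `dotnet list` report; in the pipeline the exit code alone is what gates the build. Parsing columns from the right keeps the advisory URL and severity correct for both top-level rows (which carry a Requested column) and transitive rows (which do not).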

@Francisco-Gamino Francisco-Gamino changed the title Updating build to check for vulerabilties Updating build to check for vulnerabilities Dec 3, 2023
@Francisco-Gamino
Contributor Author

/cc @davidmrdavid

@Francisco-Gamino Francisco-Gamino merged commit 89e8399 into dev Dec 9, 2023
Francisco-Gamino added a commit that referenced this pull request Dec 9, 2023
* Add Check-CsprojVulnerabilities.ps1 script

* Do not print report by default

* Add check for security vulnerabilities stage in the pipeline

* Update test projects dependencies

Francisco-Gamino commented Dec 9, 2023

@amamounelsayed @khkh-ms -- After merging this PR, we will check for vulnerabilities in the worker dependencies for both PowerShell 7.2 and 7.4.

Francisco-Gamino added a commit that referenced this pull request Dec 12, 2023
* Add Check-CsprojVulnerabilities.ps1 script

* Do not print report by default

* Add check for security vulnerabilities stage in the pipeline

* Update test projects dependencies
andystaples pushed a commit that referenced this pull request Jun 21, 2024
* Add Check-CsprojVulnerabilities.ps1 script

* Do not print report by default

* Add check for security vulnerabilities stage in the pipeline

* Update test projects dependencies
andystaples added a commit that referenced this pull request Jun 24, 2024
* Add code-mirror.yml
* Convert build pipeline to 1ES (#1061)
- Remove old pipeline
- Changes to build.ps1 for new pipeline
* Remove NuGet Config (#1074)
* Updating build to check for vulnerabilities (#1026)
* Add Check-CsprojVulnerabilities.ps1 script
* Update test projects dependencies
Development

Successfully merging this pull request may close these issues.

Update PowerShell language worker build to check and flag vulnerabilities in the resolved dependencies

4 participants