Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update .NET dependencies [ALLOW INTERMEDIATE BUILDS] #422

Merged
merged 4 commits into from Nov 17, 2021
Merged

Update .NET dependencies [ALLOW INTERMEDIATE BUILDS] #422

merged 4 commits into from Nov 17, 2021

Conversation

kate-goldenring
Copy link
Contributor

What this PR does / why we need it:

Snyk reported some vulnerabilities in our .NET dependencies. This updates them to their latest versions. The result was an overall reduction in vulnerabilities and a decrease in the size of the OPENCV container (by ~100MB) and ONVIF broker (by ~100MB).

Special notes for your reviewer:

Summary of .NET vulnerabilities in samples

akri/samples/brokers/onvif-video-broker

No vulnerabilities
Output of snyk test

Organization:      kate-goldenring
Package manager:   nuget
Target file:       obj/project.assets.json
Project name:      onvif-video-broker
Open source:       no
Project path:      /home/kagold/akri-fork/samples/brokers/onvif-video-broker
Licenses:          enabled

✔ Tested 40 dependencies for known issues, no vulnerable paths found.

akri/samples/brokers/opcua-monitoring-broker

Before updating, Snyk found 12 issues. This was reduced to 4 after updating dependencies.
All 4 vulnerabilities come from OPCFoundation.NetStandard.Opc.Ua. Some persisted even after updating to the latest version. OPCFoundation.NetStandard.Opc.Ua must update the versions of System.Text.RegularExpressions, System.IO.Pipelines, and System.Text.Encodings.Web to remove some of the vulnerabilities. And the first vulnerability recommends a use pattern. This OPC UA broker is only used for samples/demos and is not for production cases.

Output of snyk test:

✗ Medium severity vulnerability found in OPCFoundation.NetStandard.Opc.Ua
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-DOTNET-OPCFOUNDATIONNETSTANDARDOPCUA-1075446
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42

✗ High severity vulnerability found in System.Text.RegularExpressions
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42, OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  From: OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core.Debug@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  and 25 more...
  Fixed in: 4.3.1

✗ High severity vulnerability found in System.IO.Pipelines
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMIOPIPELINES-72389
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42, OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https.Debug@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets@2.1.3 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  and 9 more...
  Fixed in: 4.5.1

✗ Critical severity vulnerability found in System.Text.Encodings.Web
  Description: Remote Code Execution (RCE)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTENCODINGSWEB-1253267
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42, OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Https@2.1.3 > Microsoft.AspNetCore.Http.Abstractions@2.1.1 > System.Text.Encodings.Web@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua.Symbols@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https.Debug@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Https@2.1.3 > Microsoft.AspNetCore.Http.Abstractions@2.1.1 > System.Text.Encodings.Web@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.WebUtilities@2.1.1 > System.Text.Encodings.Web@4.5.0
  and 29 more...
  Fixed in: 4.5.1, 4.7.2, 5.0.1



Organization:      kate-goldenring
Package manager:   nuget
Target file:       obj/project.assets.json
Project name:      opcua-monitoring-broker
Open source:       no
Project path:      /home/kagold/akri-fork/samples/brokers/opcua-monitoring-broker
Licenses:          enabled

Tested 127 dependencies for known issues, found 4 issues, 73 vulnerable paths.

akri/samples/opcua-certificate-generator

One additional pipeline dependency was added by increasing the dependency OPCFoundation.NetStandard.Opc.Ua version. As with the opcua-monitoring-broker, all dependencies come from OPCFoundation.NetStandard.Opc.Ua.

✗ Medium severity vulnerability found in OPCFoundation.NetStandard.Opc.Ua
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-DOTNET-OPCFOUNDATIONNETSTANDARDOPCUA-1075446
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42

✗ High severity vulnerability found in System.Text.RegularExpressions
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Configuration@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Core@1.4.367.42 > System.Data.Common@4.3.0 > System.Text.RegularExpressions@4.3.0
  and 11 more...
  Fixed in: 4.3.1

✗ High severity vulnerability found in System.IO.Pipelines
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMIOPIPELINES-72389
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets@2.1.3 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Https@2.1.3 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions@2.1.3 > Microsoft.AspNetCore.Connections.Abstractions@2.1.3 > System.IO.Pipelines@4.5.0
  and 3 more...
  Fixed in: 4.5.1

✗ Critical severity vulnerability found in System.Text.Encodings.Web
  Description: Remote Code Execution (RCE)
  Info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTENCODINGSWEB-1253267
  Introduced through: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Https@2.1.3 > Microsoft.AspNetCore.Http.Abstractions@2.1.1 > System.Text.Encodings.Web@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.WebUtilities@2.1.1 > System.Text.Encodings.Web@4.5.0
  From: OPCFoundation.NetStandard.Opc.Ua@1.4.367.42 > OPCFoundation.NetStandard.Opc.Ua.Bindings.Https@1.4.367.42 > Microsoft.AspNetCore.Server.Kestrel.Core@2.1.25 > Microsoft.AspNetCore.Hosting.Abstractions@2.1.1 > Microsoft.AspNetCore.Http.Abstractions@2.1.1 > System.Text.Encodings.Web@4.5.0
  and 13 more...
  Fixed in: 4.5.1, 4.7.2, 5.0.1



Organization:      kate-goldenring
Package manager:   nuget
Target file:       obj/project.assets.json
Project name:      opcua-certificate-generator
Open source:       no
Project path:      /home/kagold/akri-fork/samples/opcua-certificate-generator
Licenses:          enabled

Tested 108 dependencies for known issues, found 4 issues, 37 vulnerable paths.

If applicable:

  • version has been updated appropriately (./version.sh)
  • all commits pass the DCO bot check by being signed off -- see the failing DCO check for instructions on how to retroactively sign commits

@kate-goldenring
update dotnet dependencies
16b9432 
Signed-off-by: Kate Goldenring <kate.goldenring@microsoft.com>
@kate-goldenring
increase version
d6766d6 
Signed-off-by: Kate Goldenring <kate.goldenring@microsoft.com>
@kate-goldenring
increase OPENCV base version
fd41dc6 
Signed-off-by: Kate Goldenring <kate.goldenring@microsoft.com>
@kate-goldenring
Fix library use
52aeccc 
Signed-off-by: Kate Goldenring <kate.goldenring@microsoft.com>
@kate-goldenring kate-goldenring merged commit 5e77808 into project-akri:main Nov 17, 2021
@kate-goldenring kate-goldenring deleted the dotnet-deps-update branch November 17, 2021 16:43
@kate-goldenring kate-goldenring mentioned this pull request Nov 17, 2021
Merged
2 tasks
vincepnguyen pushed a commit that referenced this pull request Nov 23, 2021
@kate-goldenring
Update .NET dependencies [ALLOW INTERMEDIATE BUILDS] (#422)
153b894 
Signed-off-by: Kate Goldenring <kate.goldenring@microsoft.com>
Signed-off-by: vincepnguyen <70007233+vincepnguyen@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bfjelds bfjelds bfjelds approved these changes

@Britel Britel Awaiting requested review from Britel Britel is a code owner

@jiria jiria Awaiting requested review from jiria jiria is a code owner

@romoh romoh Awaiting requested review from romoh romoh is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@kate-goldenring @bfjelds