
Avoid .NET Standard 1.x dependencies in core stack repositories

Open ViktorHofer opened this issue 2 years ago • 3 comments

Just recently, many of our core stack repositories received Component Governance issues because of references to vulnerable package versions. Most warnings were mitigated by upgrading the transitive dependencies, but repositories could actually avoid them altogether. Vulnerable dependencies are often transitively referenced via the NETStandard.Library package, which is implicitly referenced when targeting or consuming netstandard1.x assets. Avoiding these dependencies minimizes an app's dependency graph, which a) makes restore more efficient, b) avoids maintaining and updating package versions and c) reduces surface area for future vulnerabilities.

Example:

  • The System.Net.Http nuget package is referenced in many .NET Framework and .NETCoreApp builds in our stack.
  • That package hasn't been updated in years and all versions except the current (4.3.4) are marked as vulnerable.
  • With CG alerts, repositories decided to upgrade that dependency (which is referenced either directly or transitively) to the latest version. While that's a viable approach, it mitigates the current alert but doesn't help avoid future alerts.

=> Better: As System.Net.Http.dll is inbox in both .NET Framework and .NETCoreApp, that package dependency can be avoided entirely.

  • If the dependency is referenced directly on .NETCoreApp, simply remove it. It's already referenced implicitly via the Microsoft.NETCore.App.Ref targeting pack.
  • If the dependency is referenced directly on .NETFramework, replace it with <Reference Include="System.Net.Http" /> which brings in the assembly from the .NET Framework installation (GAC).
  • If the dependency isn't directly referenced, check the app's project.assets.json file to find the dependency that brings it in transitively. Try to avoid that parent dependency by walking up the graph.

Arcade's FlagNetStandard1xDependencies switch validates that projects don't bring in the .NET Standard 1.x dependency graph which consists of de-facto deprecated and vulnerable packages. While some netstandard1.x dependencies can't be avoided, i.e. xunit doesn't provide a netstandard2.0 TFM and won't until v3 ships, most existing (transitive) dependencies can actually be avoided.

Eventually, by removing all netstandard1.x dependencies in at least the source build graph, we can remove the netstandard1.x targeting packs and package TFMs from the SBRP repository. That itself reduces source build's payload size (which our partners care about) and validates that the dependency graph is modern (based on the assumption that netstandard1.x assemblies are usually many years old).

The tables below track enabling that switch in our core stack repositories.

Part of the VMR

| Repository | Status | Note |
| --- | --- | --- |
| arcade | | https://github.com/dotnet/arcade/commit/bde465ec9a09ed2dc1cd4be6a75c1a0683d4de27, https://github.com/dotnet/arcade/commit/16e645abf72c0c18638a3ee92779c03e30d5db5a, https://github.com/dotnet/arcade/pull/13341, https://github.com/dotnet/arcade/pull/14082 |
| aspnetcore | | |
| cecil | | |
| command-line-api | | |
| deployment-tools | | |
| diagnostics | | |
| emsdk | | |
| format | | https://github.com/dotnet/format/pull/1812 |
| fsharp | | |
| installer | | |
| msbuild | | |
| nuget-client | | |
| razor | | |
| roslyn-analyzers | | |
| roslyn | | |
| runtime | | https://github.com/dotnet/runtime/issues/85641, https://github.com/dotnet/runtime/commit/32a16d039dca69cae153a8e6905f697b8035c39d, https://github.com/dotnet/runtime/commit/0b04dfd35d5ae4b9fa6bf745232c381fce2759bf, https://github.com/dotnet/runtime/pull/85701, https://github.com/dotnet/runtime/pull/96795 |
| sdk | | |
| source-build-externals | | |
| source-build-reference-packages | | |
| sourcelink | | https://github.com/dotnet/sourcelink/commit/87da2ffd8a1df5109a6ba23afcb5298b3cb6f894, https://github.com/dotnet/sourcelink/pull/1015 |
| symreader | | https://github.com/dotnet/symreader/commit/2c8079e2e8e78c0cd11ac75a32014756136ecdb9 |
| templating | :clock9: | https://github.com/dotnet/templating/pull/6403 |
| test-templates | | |
| vstest | | |
| xdt | :white_check_mark: | https://github.com/dotnet/xdt/commit/fcff05d598308522dc7c328c61e456823cdbee78, https://github.com/dotnet/xdt/commit/8b75ac1423171779f583867ad0fed0457bab9516 |

Outside of the VMR

| Repository | Status | Note |
| --- | --- | --- |

cc @ericstj @mmitche @MichaelSimons @SteveMCarroll

ViktorHofer (Apr 27 '23 09:04)
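The third step above (finding which direct dependency pulls in System.Net.Http or NETStandard.Library transitively by reading project.assets.json) is tedious by hand on a large graph. The script below is an added example, not code from this issue, from Arcade or from its FlagNetStandard1xDependencies switch: it walks the `targets` graph of a project.assets.json for one TFM, reports every chain from a direct PackageReference down to a given package, and lists packages whose compile or runtime assets come from a `netstandard1.x` folder. The embedded assets document is constructed for the example (the Foo.Client/Foo.Core packages are invented); pass a real file path as the first argument to run it against an actual project.

```python
import json
import re
import sys

# Matches asset paths such as "lib/netstandard1.3/Foo.dll".
NETSTANDARD1X = re.compile(r"/netstandard1\.\d+/", re.IGNORECASE)

# Constructed sample project.assets.json (not from any real repository).
# Foo.Client and Foo.Core are invented package names used only to show a chain.
SAMPLE_ASSETS = {
    "version": 3,
    "targets": {
        "net8.0": {
            "Foo.Client/2.0.0": {
                "type": "package",
                "dependencies": {"Foo.Core": "2.0.0"},
                "compile": {"lib/netstandard2.0/Foo.Client.dll": {}},
            },
            "Foo.Core/2.0.0": {
                "type": "package",
                "dependencies": {"System.Net.Http": "4.3.0"},
                "compile": {"lib/netstandard1.3/Foo.Core.dll": {}},
            },
            "System.Net.Http/4.3.0": {
                "type": "package",
                "dependencies": {"NETStandard.Library": "1.6.1"},
                "compile": {"lib/netstandard1.3/System.Net.Http.dll": {}},
            },
            "NETStandard.Library/1.6.1": {"type": "package", "dependencies": {}, "compile": {}},
            "Newtonsoft.Json/13.0.3": {
                "type": "package",
                "compile": {"lib/netstandard2.0/Newtonsoft.Json.dll": {}},
            },
        }
    },
    "projectFileDependencyGroups": {
        "net8.0": ["Foo.Client >= 2.0.0", "Newtonsoft.Json >= 13.0.3"]
    },
}


def _target_graph(assets, tfm):
    """Map lower-cased package id -> (display id, version, [lower-cased dep ids], [asset paths])."""
    graph = {}
    for key, entry in assets["targets"][tfm].items():
        name, _, version = key.partition("/")  # keys look like "Package.Id/1.2.3"
        deps = [d.lower() for d in entry.get("dependencies", {})]
        paths = list(entry.get("compile", {})) + list(entry.get("runtime", {}))
        graph[name.lower()] = (name, version, deps, paths)
    return graph


def _display(graph, name):
    return graph[name][0] if name in graph else name


def direct_dependencies(assets, tfm):
    """Lower-cased ids of packages the project references directly for this TFM."""
    # Entries look like "Foo.Client >= 2.0.0"; the id is the first token.
    return [spec.split()[0].lower() for spec in assets["projectFileDependencyGroups"].get(tfm, [])]


def dependency_chains(assets, tfm, wanted):
    """Every chain direct-dependency -> ... -> wanted, as lists of package ids (case-insensitive)."""
    graph = _target_graph(assets, tfm)
    wanted = wanted.lower()
    chains = []
    for root in direct_dependencies(assets, tfm):
        stack = [(root, [root])]
        while stack:
            node, path = stack.pop()
            if node == wanted:
                chains.append([_display(graph, p) for p in path])
                continue
            for dep in graph.get(node, (None, None, [], []))[2]:
                if dep not in path:  # guard against cyclic graphs
                    stack.append((dep, path + [dep]))
    return chains


def netstandard1x_packages(assets, tfm):
    """Packages whose compile/runtime assets are selected from a netstandard1.x folder."""
    graph = _target_graph(assets, tfm)
    return sorted(name for name, _, _, paths in graph.values()
                  if any(NETSTANDARD1X.search(p) for p in paths))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            assets = json.load(fh)
    else:
        assets = SAMPLE_ASSETS
    for tfm in assets["targets"]:
        print(f"[{tfm}] netstandard1.x assets:", netstandard1x_packages(assets, tfm))
        for pkg in ("System.Net.Http", "NETStandard.Library"):
            for chain in dependency_chains(assets, tfm, pkg):
                print(f"[{tfm}] {pkg} via:", " -> ".join(chain))
```

On the sample graph this reports that System.Net.Http arrives through Foo.Client -> Foo.Core, which is the parent to replace or remove; on a real project.assets.json the same walk tells you which direct PackageReference to drop, pin or substitute with a framework `<Reference>` so the netstandard1.x subgraph disappears rather than being upgraded alert by alert.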

@ViktorHofer is this something you're currently working on?

missymessa (Jun 15 '23 20:06)

Yes. I also presented that in Tactics a few weeks ago. I will make steady progress over the coming weeks.

ViktorHofer (Jun 16 '23 07:06)

Great, thanks :)

missymessa (Jun 16 '23 15:06)