
Remove explicit vulnerabilities check

Open jviau opened this issue 10 months ago • 4 comments

Issue describing the changes in this PR

resolves #issue_for_this_pr

Pull request checklist

IMPORTANT: Currently, changes must be backported to the in-proc branch to be included in Core Tools and non-Flex deployments.

  • [x] Backporting to the in-proc branch is not required
    • Otherwise: Link to backporting PR
  • [x] My changes do not require documentation changes
    • [ ] Otherwise: Documentation issue linked to PR
  • [x] My changes should not be added to the release notes for the next release
    • [ ] Otherwise: I've added my notes to release_notes.md
  • [x] My changes do not need to be backported to a previous version
    • [ ] Otherwise: Backport tracked by issue/PR #issue_or_pr
  • [x] My changes do not require diagnostic events changes
    • Otherwise: I have added/updated all related diagnostic events and their documentation (Documentation issue linked to PR)
  • [x] I have added all required tests (Unit tests, E2E tests)

Additional information

This is an alternative to #10037

Removes the explicit vulnerabilities check. Now that we use the .NET 8 SDK this is no longer needed, as there is a built-in NuGet audit as part of the restore phase.

IMPORTANT: There is a behavior difference (which is the goal here): we only fail on moderate and above now. In this case we have CVE GHSA-x674-v45j-fwxw, which does not affect us, yet our current approach blocks the build. I could work on a way to integrate suppressions into the existing vuln check script, but when moving to 1ES we will be covered by component governance.

jviau, Apr 19 '24 20:04

Adding @fabiocav as well. We added this to break the build on checking packages. We should discuss how Component Governance can assist here.

FinVamp1, Apr 19 '24 23:04

Will this create a temporary gap? This check has already helped us identify issues prior to releases, and if we're removing, we want to make sure we don't end up with CVE impacted transitive dependencies as those will be flagged by other tools post-deployment/release.

fabiocav, Apr 20 '24 00:04

@FinVamp1, component governance is the official way for Microsoft repos to manage security audits when using open-source software. It will cover transitive dependencies, set due dates, allow extensions, and allow dismissing incidents that are not applicable.

jviau, Apr 22 '24 17:04

@fabiocav, @FinVamp1 - I updated the built-in dotnet SDK NuGet audit: it scans transitive dependencies and only fails on moderate and above.

jviau, Apr 22 '24 18:04
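The two behaviours described above (transitive scanning, failing only at moderate and above) correspond to the NuGet audit MSBuild properties evaluated during restore. The `Directory.Build.props` below is an added illustration, not a file from the azure-functions-host repository; it assumes an SDK with NuGet 6.8 or later for the audit properties and NuGet 6.12 or later for the `NuGetAuditSuppress` item, and the advisory URL in it is a placeholder.

```xml
<Project>
  <!-- Added illustration, not from azure-functions-host.
       Assumes NuGet 6.8+ (.NET 8 SDK) for the audit properties. -->
  <PropertyGroup>
    <!-- Enable the vulnerability audit that runs as part of restore. -->
    <NuGetAudit>true</NuGetAudit>

    <!-- "all" audits direct and transitive packages. The .NET 8 SDK defaults to
         "direct" (top-level references only), so transitive coverage is opt-in there. -->
    <NuGetAuditMode>all</NuGetAuditMode>

    <!-- Report only advisories at this severity or above: low | moderate | high | critical.
         The default is "low"; "moderate" matches the behaviour change in this PR. -->
    <NuGetAuditLevel>moderate</NuGetAuditLevel>

    <!-- Audit findings surface as warnings NU1901 (low) .. NU1904 (critical).
         Promote the severities that should block the build to errors so CI fails. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Suppress an advisory that has been reviewed and found not to apply.
         Assumes NuGet 6.12+ (.NET 9 SDK); the advisory URL is a placeholder. -->
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xxxx-xxxx-xxxx" />
  </ItemGroup>
</Project>
```

Because the audit runs at restore time, a new advisory in the vulnerability data can fail a build with no package change, which is the post-release signal the discussion above is concerned with.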

Will be replaced with 1ES work

jviau, May 30 '24 17:05