Security alerts on MQTTnet.AspNetCore
Describe the feature request
Analyzing our application with Mend.io revealed 4 security alerts from transitive libraries brought in with MQTTnet.AspNetCore.
| Library | Severity | Vulnerability |
|---|---|---|
| system.net.websockets.websocketprotocol.4.5.1 | High | CVE-2019-0564 |
| microsoft.aspnetcore.websockets.2.2.0 | Medium | CVE-2019-0548 |
| microsoft.aspnetcore.websockets.2.2.0 | High | CVE-2019-0564 |
| newtonsoft.json.11.0.2 | High | CVE-2024-21907 |
Which project is your feature request related to?
MQTTnet.AspNetCore 4.3.3.952
Describe the solution you'd like
Upgrading required libraries in the NuGet spec. My temporary workaround is to add the following package references to my project file:
```xml
<!-- Vulnerabilities in MQTTnet.AspNetCore 4.3.3.952 -->
<ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.WebSockets" Version="2.2.1" />
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="System.Text.Encodings.Web" Version="8.0.0" />
</ItemGroup>
```
Describe alternatives you've considered
Upgrading higher-level NuGets to fix the issues, as microsoft.aspnetcore.http.connections.1.1.0 depends on several of these libraries:
```text
microsoft.aspnetcore.http.connections.1.1.0 -> microsoft.aspnetcore.websockets.2.2.0 -> system.net.websockets.websocketprotocol.4.5.1
microsoft.aspnetcore.http.connections.1.1.0 -> newtonsoft.json.11.0.2
```
Additional context
We should maybe check these dependencies within the project itself.
With the following settings in the project files:

```xml
<NoWarn>NU1803;NU1901;NU1902</NoWarn>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<NuGetAuditMode>all</NuGetAuditMode>
<NuGetAudit>true</NuGetAudit>
```

this can be checked automatically within Visual Studio.
Explanation:

- `<NoWarn>NU1803;NU1901;NU1902</NoWarn>`: NU1803 suppresses errors if an internal NuGet feed is used without HTTPS (guess: we don't need this here). NU1901 and NU1902 suppress package vulnerabilities with low impact (might be useful if no patches are there yet?).
- `<TreatWarningsAsErrors>true</TreatWarningsAsErrors>`: Treats all warnings as errors, which means that if a package dependency has security issues, the build will fail.
- `<NuGetAuditMode>all</NuGetAuditMode>`: Checks direct and transitive packages.
- `<NuGetAudit>true</NuGetAudit>`: Turns the audit mode off or on.
@chkr1011 Just as an idea to get notified when such issues occur in the future. Read https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages for detailed information.
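The same audit can be run outside Visual Studio and turned into a CI gate. The following is an added example, not code from the MQTTnet project: it wraps `dotnet list package --vulnerable --include-transitive --format json`, assumes the JSON shape of that command's output (projects → frameworks → topLevelPackages / transitivePackages → vulnerabilities with `severity` and `advisoryurl`), and ships with a constructed sample report modelled on the four findings in this issue (advisory URLs are placeholders on `example.invalid`).

```python
"""Fail a build on NuGet audit findings, direct and transitive alike.
Added example, not MQTTnet project code; assumes the JSON shape of
`dotnet list package --vulnerable --include-transitive --format json`."""
import json
import subprocess
# Rank mirrors the NuGet audit warnings: NU1901 low, NU1902 moderate,
# NU1903 high, NU1904 critical.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

def run_audit(project_path: str) -> dict:
    """Run the SDK audit for one project (needs the NuGet advisory feed)."""
    cmd = ["dotnet", "list", project_path, "package", "--vulnerable",
           "--include-transitive", "--format", "json"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)

def findings_at_or_above(report: dict, threshold: str) -> list:
    """Every finding at or above `threshold`, from direct (topLevelPackages)
    and transitive packages alike, so transitive gaps like this issue's show up."""
    floor = SEVERITY_RANK[threshold.lower()]
    hits = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        sev = vuln.get("severity", "").lower()
                        if SEVERITY_RANK.get(sev, 0) >= floor:
                            hits.append({"package": pkg["id"], "version": pkg["resolvedVersion"],
                                         "transitive": kind == "transitivePackages",
                                         "severity": sev, "advisory": vuln.get("advisoryurl", "")})
    return hits

# Constructed sample modelled on the four findings in this issue; the advisory
# URLs are placeholders. NuGet reports "Moderate" where Mend reports "Medium".
def _vuln(sev, cve):
    return {"severity": sev, "advisoryurl": f"https://example.invalid/{cve}"}

SAMPLE_REPORT = {"version": 1, "projects": [{"path": "App.csproj", "frameworks": [{
    "framework": "net8.0",
    "topLevelPackages": [{"id": "MQTTnet.AspNetCore", "resolvedVersion": "4.3.3.952", "vulnerabilities": []}],
    "transitivePackages": [
        {"id": "System.Net.WebSockets.WebSocketProtocol", "resolvedVersion": "4.5.1",
         "vulnerabilities": [_vuln("High", "CVE-2019-0564")]},
        {"id": "Microsoft.AspNetCore.WebSockets", "resolvedVersion": "2.2.0",
         "vulnerabilities": [_vuln("Moderate", "CVE-2019-0548"), _vuln("High", "CVE-2019-0564")]},
        {"id": "Newtonsoft.Json", "resolvedVersion": "11.0.2",
         "vulnerabilities": [_vuln("High", "CVE-2024-21907")]}]}]}]}

if __name__ == "__main__":
    # Exit non-zero when anything High or worse is present, like TreatWarningsAsErrors.
    raise SystemExit(1 if findings_at_or_above(SAMPLE_REPORT, "high") else 0)
```

Replace `SAMPLE_REPORT` with `run_audit("App.csproj")` to gate a real project; lowering the threshold to `"low"` corresponds to not suppressing NU1901/NU1902.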
Support for old versions is dropped in version 5 of the library so that the warnings will also disappear. @SeppPenner Do you want to create the PR for version 5 so that we get errors when we have security issues?
Does dropping support mean that there is no longer any possibility to use MQTTnet with net48 or netstandard2.0? Unfortunately, this is one of our use cases: the vendor of a hardware component (CNC control) only offers full framework libraries, and the hardware will still be used by our customers for several years (decades). Only the latest hardware generation is now supported by .NET 5+.
.NET 4.8 as such will still be supported by Microsoft for several years; there is no end date announced yet: https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework.
> Does dropping support mean that there is no longer any possibility to use MQTTnet with net48 or netstandard2.0?
I would say yes.
Version 5 of the library will support .NET 8+ only. Version 4 remains available and will receive hotfixes, but no features or big improvements.
> Support for old versions is dropped in version 5 of the library so that the warnings will also disappear. @SeppPenner Do you want to create the PR for version 5 so that we get errors when we have security issues?
PR is here: https://github.com/dotnet/MQTTnet/pull/2016.
Should be done with https://github.com/dotnet/MQTTnet/pull/2016.