
Enable nuget audit

Open vzarytovskii opened this issue 1 year ago • 4 comments

Fixes https://github.com/dotnet/fsharp/issues/17884

vzarytovskii avatar Oct 16 '24 08:10 vzarytovskii

:white_check_mark: No release notes required

github-actions[bot] avatar Oct 16 '24 08:10 github-actions[bot]

These need to be fixed:

/home/vsts/work/1/s/src/FSharp.Build/FSharp.Build.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.ComponentTests/FSharp.Compiler.ComponentTests.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.ComponentTests/FSharp.Compiler.ComponentTests.fsproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57 [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.ComponentTests/FSharp.Compiler.ComponentTests.fsproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/src/fsi/fsiProject/fsi.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/src/fsc/fscProject/fsc.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57 [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848 [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.Service.Tests/FSharp.Compiler.Service.Tests.fsproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.Service.Tests/FSharp.Compiler.Service.Tests.fsproj : error NU1903: Warning As Error: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57 [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]
/home/vsts/work/1/s/tests/FSharp.Compiler.Service.Tests/FSharp.Compiler.Service.Tests.fsproj : error NU1903: Warning As Error: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj [/home/vsts/work/1/s/FSharp.Compiler.Service.sln]

vzarytovskii avatar Oct 16 '24 08:10 vzarytovskii

It can be investigated via dotnet nuget why path/to/project.fsproj Package.Name; we might need to force-pin some of them.

It might also be a good idea to move to CPS at some point (might be tricky due to implicit fslib deps).

vzarytovskii avatar Oct 16 '24 11:10 vzarytovskii
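As an added example (not code from this PR or the dotnet/fsharp repository), a small Python triage script for the NU1902/NU1903 output quoted earlier in the thread: it parses the audit lines, collapses the per-project repeats into one finding per package/version/advisory, orders them worst severity first, and emits the dotnet nuget why invocations suggested in the comment above. The sample log lines are constructed, with shortened paths.

```python
import re

# Constructed sample (paths shortened): three lines in the format NuGet audit emits,
# modelled on the NU1902/NU1903 output quoted earlier in this thread.
SAMPLE_LOG = """\
/src/FSharp.Build/FSharp.Build.fsproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/s/FSharp.Compiler.Service.sln]
/tests/FSharp.Test.Utilities/FSharp.Test.Utilities.fsproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g [/s/FSharp.Compiler.Service.sln]
/tests/FSharp.Compiler.Service.Tests/FSharp.Compiler.Service.Tests.fsproj : error NU1903: Warning As Error: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm [/s/FSharp.Compiler.Service.sln]
"""

# NU1901..NU1904 are the NuGet audit codes (low/moderate/high/critical); "Warning As Error:"
# is the prefix MSBuild adds once the warning has been promoted to an error.
AUDIT_LINE = re.compile(
    r"^(?P<project>\S+) : (?:warning|error) (?P<code>NU190[1-4]): "
    r"(?:Warning As Error: )?Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, (?P<advisory>\S+)"
)

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}


def parse_audit_lines(log_text):
    """One dict per NU190x line; anything that is not an audit finding is skipped."""
    return [m.groupdict() for m in map(AUDIT_LINE.match, log_text.splitlines()) if m]


def summarize(findings):
    """Collapse the per-project repeats into one row per (package, version, advisory),
    recording every project that pulls it in, and order rows worst severity first."""
    rows = {}
    for f in findings:
        key = (f["package"], f["version"], f["advisory"])
        row = rows.setdefault(key, {"package": f["package"], "version": f["version"],
                                    "advisory": f["advisory"], "severity": f["severity"],
                                    "projects": set()})
        row["projects"].add(f["project"])
    ordered = sorted(rows.values(),
                     key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["package"]))
    for r in ordered:
        r["projects"] = sorted(r["projects"])
    return ordered


def why_commands(summary):
    """The triage step suggested in the thread: one `dotnet nuget why` call per
    (project, package) to find which direct reference drags the vulnerable version in."""
    return [f"dotnet nuget why {p} {r['package']}" for r in summary for p in r["projects"]]
```

On a real CI log, feed the file contents to parse_audit_lines and run why_commands over the summary; each advisory URL in the rows is the GHSA entry to read before deciding between upgrading, pinning, or suppressing.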

This might be handy:

https://github.com/dotnet/arcade/issues/15019#issuecomment-2414604972

T-Gro avatar Oct 17 '24 10:10 T-Gro

Someone needs to finish it, i.e. actually pin the packages; this was just testing the waters.

vzarytovskii avatar Nov 27 '24 19:11 vzarytovskii