
Fix security vulnerabilities

Open Shane32 opened this issue 1 year ago • 0 comments

Summary:

This pull request addresses package support and security vulnerabilities by updating dependencies to supported versions, adding direct references to eliminate flagged issues, and enforcing stricter build warnings related to security.

Details:

  • Update to Supported .NET Core 2.1 Packages:

    • Microsoft no longer supports .NET Core 2.2 packages; they are marked as deprecated or vulnerable.
    • Certain .NET Core 2.1 packages remain supported by Microsoft, as detailed in their official support policy for ASP.NET Core 2.1 on .NET Framework. This includes packages like Microsoft.AspNetCore and Microsoft.Extensions.Configuration.
    • This PR downgrades the Microsoft.Extensions.Configuration package from version 2.2 to 2.1 to align with Microsoft's supported packages.
  • Mitigate Security Vulnerability in System.Security.Cryptography.Xml:

    • The .NET 9 SDK scans both direct and indirect dependencies, which can surface issues in indirectly referenced packages.
    • An indirect reference to System.Security.Cryptography.Xml version 4.5.0 contains a moderate security vulnerability.
    • This PR adds a direct dependency on System.Security.Cryptography.Xml version 4.7.1 to resolve this vulnerability.
  • Enforce Build Warnings for Security Vulnerabilities:

    • Added settings to the project's .csproj file to prevent building when dependencies contain security vulnerabilities.
    • Specifically, the following lines were added:
      <!-- .NET 9 SDK default: prevent building when indirect dependencies contain security vulnerabilities -->
      <NuGetAuditMode>all</NuGetAuditMode>
      <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
      
    • Setting <NuGetAuditMode>all</NuGetAuditMode> enables auditing of all dependencies for vulnerabilities.
    • Adding NU1901, NU1902, NU1903, NU1904 to <WarningsAsErrors> treats these specific NuGet warnings as errors, causing the build to fail if vulnerabilities are detected.
    • These settings align with the default behavior in .NET 9, enhancing security by enforcing stricter checks during the build process.

Impact:

  • Aligns the project with Microsoft's supported package versions.
  • Eliminates security vulnerabilities detected in indirect dependencies.
  • Enhances compatibility with the .NET 9 SDK's dependency scanning.
  • Enforces stricter build-time security checks to prevent future vulnerabilities from being introduced.

Shane32 · Nov 13 '24 21:11
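As an added example (not code from the PR or the SDK), a standard-library Python check that parses a .csproj and reports whether it carries the hardening the PR describes: transitive audit mode, the four NU19xx audit codes promoted to errors, and a direct System.Security.Cryptography.Xml reference. Both project files below are constructed samples.

```python
"""Audit a .csproj for the NuGet vulnerability-audit hardening described in the PR."""
import xml.etree.ElementTree as ET

# NuGet audit warning codes, one per severity: NU1901 low, NU1902 moderate,
# NU1903 high, NU1904 critical. The PR turns all four into build errors.
AUDIT_CODES = {"NU1901", "NU1902", "NU1903", "NU1904"}

# Constructed "before" project: no audit mode set, audit warnings stay warnings.
WEAK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>
</Project>"""

# Constructed "after" project carrying the two settings quoted in the PR plus the
# direct reference that replaces the vulnerable transitive 4.5.0 version.
HARDENED_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netstandard2.0</TargetFramework>
    <NuGetAuditMode>all</NuGetAuditMode>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
  </ItemGroup>
</Project>"""


def audit_csproj(xml_text: str) -> dict:
    """Return which of the PR's hardening settings a project file carries."""
    root = ET.fromstring(xml_text)
    mode = None
    as_errors = set()
    for group in root.iter("PropertyGroup"):
        node = group.find("NuGetAuditMode")
        if node is not None and node.text:
            mode = node.text.strip()
        node = group.find("WarningsAsErrors")
        if node is not None and node.text:
            # Split the ;-separated list and keep only the NU19xx audit codes;
            # "$(WarningsAsErrors)" is MSBuild's reference to codes inherited elsewhere.
            as_errors |= {c.strip() for c in node.text.split(";") if c.strip() in AUDIT_CODES}
    direct = {p.get("Include"): p.get("Version") for p in root.iter("PackageReference")}
    missing = sorted(AUDIT_CODES - as_errors)
    return {
        "audits_transitive": mode == "all",  # "all" also scans indirect dependencies
        "missing_as_errors": missing,        # audit codes that would still only warn
        "pins_xml_crypto": direct.get("System.Security.Cryptography.Xml"),
        "hardened": mode == "all" and not missing,
    }
```

Run `audit_csproj` over each project file in a repository to find projects that still rely on the SDK's warn-only default.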