
Target netstandard2.0 in OneOf.Extended

Open Swimburger opened this issue 1 year ago • 5 comments

We enjoy using OneOf and are also using OneOf.Extended. Unfortunately, OneOf.Extended targets netstandard1.3, but not more recent versions, which introduces vulnerable transitive dependencies to consumers of our libraries.

Our libraries don't target netstandard1.3, but because netstandard1.3 is the highest version and is compatible with our .NET (Core) TFMs, it uses the netstandard1.3 build. As a result, we're forced to include System.Net.Http as a direct nuget dependency to overwrite the version used.

Here's the .NET CLI reporting the vulnerable dependency:

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `OneOf.Extended` has the following vulnerable packages
   [net35]: No vulnerable packages for this framework.
   [net451]: No vulnerable packages for this framework.
   [netstandard1.3]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

This PR adds netstandard2.0 as a TFM which will fix the issue for consumers using netstandard2.0 or above.

output:

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `OneOf.Extended` has the following vulnerable packages
   [net35]: No vulnerable packages for this framework.
   [net451]: No vulnerable packages for this framework.
   [netstandard1.3]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

   [netstandard2.0]: No vulnerable packages for this framework.

Update: I conditionally include a package reference to the vulnerable packages to set their minimum version only when building for netstandard1.3. (Also fixed in OneOf main.) I can revert this change though. Our customers don't use netstandard1.3, so building for 2.0 is sufficient for us.

dotnet list OneOf.Extended package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `OneOf.Extended` has no vulnerable packages given the current sources.

Swimburger avatar Nov 26 '24 16:11 Swimburger
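The two changes described in the PR text above (adding a netstandard2.0 TFM, and a package reference that only applies to the netstandard1.3 build so that NuGet's dependency floor is raised on the patched versions) look like the following in a multi-targeted library project. This is an added illustration, not the PR's own diff: the project name, the exact patched versions (4.3.4 and 4.3.1, taken from the fix ranges in the two advisories linked on this page; verify against the advisory before copying) and the NuGetAudit properties are assumptions, and the audit properties require a .NET 8.0.100 or later SDK.

```xml
<!-- Added example, not the OneOf.Extended csproj. Assumes a .NET 8+ SDK. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- netstandard2.0 is added so that modern consumers no longer resolve the
         netstandard1.3 asset and its System.Net.Http 4.3.0 /
         System.Text.RegularExpressions 4.3.0 transitive graph. -->
    <TargetFrameworks>net35;net451;netstandard1.3;netstandard2.0</TargetFrameworks>

    <!-- Assumption: fail the build (not just warn) when restore sees a known
         vulnerable package anywhere in the graph, including transitive ones.
         NU1901..NU1904 are the low..critical audit warning codes. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <!-- Only the netstandard1.3 build pulls these in transitively, so only that
       build gets an explicit floor. Because PackageReference versions are
       minimums, this is written into the package's nuspec dependency list and
       therefore also protects consumers who still build for netstandard1.3. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard1.3'">
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
    <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

</Project>
```

The point of putting the floor in a conditional ItemGroup rather than unconditionally is that it becomes part of the published package's dependency metadata for exactly the TFM that needs it, which is what a library author must do; a pin that lives only in the author's build configuration never reaches downstream consumers. After the change, `dotnet list package --vulnerable --include-transitive` should report no vulnerable packages for any framework, as the PR output above shows.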

Can this be merged? We really appreciate this project, but we cannot depend on it if it isn't patched for security vulnerabilities. We'll have to fork it or find an alternative.

Swimburger avatar Jan 16 '25 19:01 Swimburger

@Swimburger forking, maybe; 2 months is quite some time with no interaction regarding a vulnerability issue.

rogerbarreto avatar Jan 17 '25 09:01 rogerbarreto

@mcintyre321 it would be awesome for OneOf to accept this vulnerability patch!

emperador-ming avatar Jan 17 '25 10:01 emperador-ming

Info: you can pin the transitive package versions using Central Package Management

These two in particular are pinned in all my projects, because of dependencies of some library in my test projects.

MPapst avatar Jan 17 '25 11:01 MPapst
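For the consumer-side workaround mentioned in the comment above, this is what a Central Package Management file that promotes the two transitive packages to patched versions looks like. It is an added example, not a file from any project on this page; the OneOf.Extended version is a placeholder and the patched versions 4.3.4 and 4.3.1 are taken from the fix ranges of the advisories linked above (check the advisory before relying on them). Note that this file only affects restores in the repository that contains it and is not written into any package that repository publishes.

```xml
<!-- Added example: Directory.Packages.props at the repository root.
     Assumes an SDK that supports Central Package Management (.NET 7+ / NuGet 6.2+). -->
<Project>

  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- With transitive pinning on, a PackageVersion entry for a package that
         appears only transitively forces that package up to the listed version. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder: use the OneOf.Extended version you actually consume. -->
    <PackageVersion Include="OneOf.Extended" Version="x.y.z" />

    <!-- Neither of these is referenced directly by any project; they are
         pinned so the netstandard1.3 asset of a dependency cannot drag in
         the vulnerable 4.3.0 builds. -->
    <PackageVersion Include="System.Net.Http" Version="4.3.4" />
    <PackageVersion Include="System.Text.RegularExpressions" Version="4.3.1" />
  </ItemGroup>

</Project>
```

With this file in place, each csproj references packages without a Version attribute (`<PackageReference Include="OneOf.Extended" />`), and `dotnet list package --vulnerable --include-transitive` run against that repository should come back clean. Because the pin is a restore-time decision for that repository only, a library that itself ships to other customers still needs the fix in its own package dependencies, which is the distinction raised in the reply below.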

@MPapst that only works for consumers of libraries, but we're providing libraries to other customers, so it's not a working solution for us unfortunately.

Swimburger avatar Jan 17 '25 17:01 Swimburger