Update dependencies to prevent exposure to transitive vulnerabilities #348

Merged
merged 6 commits into from
Jan 13, 2025
Merged
4 changes: 2 additions & 2 deletions src/Directory.Build.props
Expand Up @@ -7,10 +7,10 @@
<EnableNETAnalyzers>true</EnableNETAnalyzers>
<AnalysisLevel Condition="'$(AnalysisLevel)' == ''">5.0</AnalysisLevel>
<EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
<!-- NuGetAuditMode set to 'all' for tool projects in Directory.Build.targets, other project types default to 'direct' -->
<NuGetAuditLevel>low</NuGetAuditLevel>
<NuGetAuditMode Condition="'$(NuGetAuditMode)' == ''">all</NuGetAuditMode>
<!-- To lock the version of Particular.Analyzers, for example, in a release branch, set this property in Custom.Build.props -->
<ParticularAnalyzersVersion Condition="'$(ParticularAnalyzersVersion)' == ''">2.1.2</ParticularAnalyzersVersion>
<ParticularAnalyzersVersion Condition="'$(ParticularAnalyzersVersion)' == ''">2.1.3</ParticularAnalyzersVersion>
<NServiceBusKey>0024000004800000940000000602000000240000525341310004000001000100dde965e6172e019ac82c2639ffe494dd2e7dd16347c34762a05732b492e110f2e4e2e1b5ef2d85c848ccfb671ee20a47c8d1376276708dc30a90ff1121b647ba3b7259a6bc383b2034938ef0e275b58b920375ac605076178123693c6c4f1331661a62eba28c249386855637780e3ff5f23a6d854700eaa6803ef48907513b92</NServiceBusKey>
<NServiceBusTestsKey>00240000048000009400000006020000002400005253413100040000010001007f16e21368ff041183fab592d9e8ed37e7be355e93323147a1d29983d6e591b04282e4da0c9e18bd901e112c0033925eb7d7872c2f1706655891c5c9d57297994f707d16ee9a8f40d978f064ee1ffc73c0db3f4712691b23bf596f75130f4ec978cf78757ec034625a5f27e6bb50c618931ea49f6f628fd74271c32959efb1c5</NServiceBusTestsKey>
</PropertyGroup>
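Review bot: The `NuGetAuditLevel`/`NuGetAuditMode` pair in this hunk carries no comment stating the policy it encodes: with the mode defaulted to `all` and the level at `low`, every advisory against any transitive package, at every severity, now surfaces at restore time for every project, which is a sound default for a library repository but should be recorded, e.g. `<!-- Audit direct and transitive packages at every severity; override NuGetAuditMode per project only with a documented reason -->`. Given the 2 additions / 2 deletions and the removal of the PackAsTool override in Directory.Build.targets in the same PR, the old comment describing a per-tool-project override appears to be the dropped line and the `NuGetAuditMode` default the added one; if that comment was in fact kept it is now stale and should be reworded. Whether these audit warnings fail the build depends on TreatWarningsAsErrors, which is not visible in this hunk.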
4 changes: 1 addition & 3 deletions src/Directory.Build.targets
@@ -1,7 +1,5 @@
<Project>

<PropertyGroup>
<NuGetAuditMode Condition="'$(PackAsTool)' == 'true'">all</NuGetAuditMode>
</PropertyGroup>
<Import Project="msbuild\AutomaticVersionRanges.targets" Condition="Exists('msbuild\AutomaticVersionRanges.targets')" />

</Project>
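Review bot: The `Import` of `msbuild\AutomaticVersionRanges.targets` (the section's single addition) is guarded by `Condition="Exists(...)"`, so if the file is missing or moved the build still succeeds and the packable project ships the exact versions now written in its csproj, such as `9.2.3`, which NuGet treats as `>= 9.2.3` with no upper bound; the major-version cap that the old `[9.0.0, 10.0.0)` literals provided would be lost silently. Since the csproj in this PR depends on that conversion, consider either dropping the Exists condition or failing loudly: `<Error Condition="!Exists('msbuild\AutomaticVersionRanges.targets')" Text="AutomaticVersionRanges.targets is required to produce ranged package dependencies" />`. The same unbounded result appears to occur whenever the targets file disables itself (Debug configuration, per its own property group), so a Release pack is needed for ranged dependencies.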
Original file line number Diff line number Diff line change
Expand Up @@ -217,9 +217,9 @@ static string[] GetExplicitSettings(EndpointConfiguration endpointConfig)
var settings = endpointConfig.GetSettings();

var property = typeof(SettingsHolder).GetField("Overrides", BindingFlags.NonPublic | BindingFlags.Instance);
Assert.IsNotNull(property, "Overrides property cannot be found");
Assert.That(property, Is.Not.Null, "Overrides property cannot be found");
var overrides = property.GetValue(settings) as ConcurrentDictionary<string, object>;
Assert.IsNotNull(overrides);
Assert.That(overrides, Is.Not.Null);

return overrides.Keys.ToArray();
}
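Review bot: The second assertion in GetExplicitSettings, `Assert.That(overrides, Is.Not.Null);`, has no failure message, so after the NServiceBus floor moves to 9.2.3 a failure would not say whether the private `Overrides` field was found but is no longer a `ConcurrentDictionary<string, object>` (the `as` cast yields null) or holds null; `Assert.That(overrides, Is.Not.Null, "Overrides field is not a ConcurrentDictionary<string, object>");` makes that distinction. The first message says "Overrides property" while the lookup is `GetField`, so `"Overrides field cannot be found"` is the accurate wording. Because this test reflects on a non-public member of a third-party type, a one-line why-comment above the `GetField` call noting that it is coupled to NServiceBus internals would help the next person who sees it break on an upgrade. The method's signature sits above the hunk, in the hunk header.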
Original file line number Diff line number Diff line change
Expand Up @@ -9,25 +9,21 @@
</ItemGroup>

<ItemGroup Label="Testing packages">
<PackageReference Include="GitHubActionsTestLogger" Version="2.3.3" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.9.0" />
<PackageReference Include="NUnit" Version="3.14.0" />
<PackageReference Include="NUnit3TestAdapter" Version="4.5.0" />
<PackageReference Include="GitHubActionsTestLogger" Version="2.4.1" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
<PackageReference Include="NUnit" Version="4.3.2" />
<PackageReference Include="NUnit.Analyzers" Version="4.6.0" />
<PackageReference Include="NUnit3TestAdapter" Version="4.6.0" />
</ItemGroup>

<ItemGroup>
<PackageReference Include="NServiceBus.Extensions.Hosting" Version="3.0.0" />
<PackageReference Include="Particular.Approvals" Version="1.0.0" />
<PackageReference Include="Particular.Approvals" Version="2.0.0" />
<PackageReference Include="PublicApiGenerator" Version="11.1.0" />
</ItemGroup>

<ItemGroup Label="Transitive references">
<PackageReference Include="NServiceBus" Version="9.0.0" />
<PackageReference Include="NServiceBus.CustomChecks" Version="5.0.0" />
<PackageReference Include="NServiceBus.Heartbeat" Version="5.0.0" />
<PackageReference Include="NServiceBus.Metrics" Version="5.0.0" />
<PackageReference Include="NServiceBus.Metrics.ServiceControl" Version="5.0.0" />
<PackageReference Include="NServiceBus.SagaAudit" Version="5.0.0" />
<ItemGroup Label="Direct references to transitive dependencies to avoid versions with CVE">
<PackageReference Include="Microsoft.Extensions.Hosting" Version="8.0.1" />
</ItemGroup>

</Project>
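Review bot: The `Microsoft.Extensions.Hosting` 8.0.1 reference under the new "Direct references to transitive dependencies to avoid versions with CVE" group records neither which advisory it addresses nor which package pulls the vulnerable version in transitively, so nobody can tell when the pin may be removed once upstream moves on; the usual convention is a comment next to the reference, e.g. `<!-- Pinned for <ADVISORY-ID placeholder>: remove once the package that transitively references it ships a patched version -->`. This pin lives only in the test project; if the shipped package has the same transitive path it is not covered by this change, which is not visible from this hunk.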
Original file line number Diff line number Diff line change
Expand Up @@ -12,18 +12,18 @@
</PropertyGroup>

<ItemGroup Label="Public dependencies">
<PackageReference Include="NServiceBus" Version="[9.0.0, 10.0.0)" />
<PackageReference Include="NServiceBus.CustomChecks" Version="[5.0.0, 6.0.0)" />
<PackageReference Include="NServiceBus.Heartbeat" Version="[5.0.0, 6.0.0)" />
<PackageReference Include="NServiceBus.Metrics" Version="[5.0.0, 6.0.0)" />
<PackageReference Include="NServiceBus.Metrics.ServiceControl" Version="[5.0.0, 6.0.0)" />
<PackageReference Include="NServiceBus.SagaAudit" Version="[5.0.0, 6.0.0)" />
<PackageReference Include="NServiceBus" Version="9.2.3" />
<PackageReference Include="NServiceBus.CustomChecks" Version="5.0.0" />
<PackageReference Include="NServiceBus.Heartbeat" Version="5.0.0" />
<PackageReference Include="NServiceBus.Metrics" Version="5.0.0" />
<PackageReference Include="NServiceBus.Metrics.ServiceControl" Version="5.0.0" />
<PackageReference Include="NServiceBus.SagaAudit" Version="5.0.1" />
</ItemGroup>

<ItemGroup Label="Private dependencies">
<PackageReference Include="Fody" Version="6.8.1" PrivateAssets="All" />
<PackageReference Include="Fody" Version="6.9.1" PrivateAssets="All" />
<PackageReference Include="Obsolete.Fody" Version="5.3.0" PrivateAssets="All" />
<PackageReference Include="Particular.Packaging" Version="4.1.0" PrivateAssets="All" />
<PackageReference Include="Particular.Packaging" Version="4.2.0" PrivateAssets="All" />
</ItemGroup>

</Project>
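--- /dev/null
+++ b/src/msbuild/AutomaticVersionRanges.targets
@@ -0,0 +1,42 @@
+<Project>
+
+<PropertyGroup>
+<AutomaticVersionRangesEnabled Condition="'$(AutomaticVersionRangesEnabled)' == '' And '$(Configuration)' == 'Debug'">false</AutomaticVersionRangesEnabled>
+<AutomaticVersionRangesEnabled Condition="'$(AutomaticVersionRangesEnabled)' == '' And '$(IsPackable)' == 'false'">false</AutomaticVersionRangesEnabled>
+<AutomaticVersionRangesEnabled Condition="'$(AutomaticVersionRangesEnabled)' == '' And '$(ManagePackageVersionsCentrally)' == 'true'">false</AutomaticVersionRangesEnabled>
+<AutomaticVersionRangesEnabled Condition="'$(AutomaticVersionRangesEnabled)' == ''">true</AutomaticVersionRangesEnabled>
+</PropertyGroup>
+
+<UsingTask TaskName="ConvertToVersionRange" TaskFactory="RoslynCodeTaskFactory" AssemblyFile="$(MSBuildToolsPath)\Microsoft.Build.Tasks.Core.dll">
+<Task>
+<Code Source="$(MSBuildThisFileDirectory)ConvertToVersionRange.cs" />
+</Task>
+</UsingTask>
+
+<Target Name="ConvertProjectReferenceVersionsToVersionRanges" AfterTargets="_GetProjectReferenceVersions" Condition="'$(AutomaticVersionRangesEnabled)' == 'true'">
+<PropertyGroup>
+<NumberOfProjectReferences>@(_ProjectReferencesWithVersions->Count())</NumberOfProjectReferences>
+</PropertyGroup>
+<ConvertToVersionRange Condition="$(NumberOfProjectReferences) &gt; 0" References="@(_ProjectReferencesWithVersions)" VersionProperty="ProjectVersion">
+<Output TaskParameter="ReferencesWithVersionRanges" ItemName="_ProjectReferencesWithVersionRanges" />
+</ConvertToVersionRange>
+<ItemGroup Condition="$(NumberOfProjectReferences) &gt; 0">
+<_ProjectReferencesWithVersions Remove="@(_ProjectReferencesWithVersions)" />
+<_ProjectReferencesWithVersions Include="@(_ProjectReferencesWithVersionRanges)" />
+</ItemGroup>
+</Target>
+
+<Target Name="ConvertPackageReferenceVersionsToVersionRanges" BeforeTargets="CollectPackageReferences" Condition="'$(AutomaticVersionRangesEnabled)' == 'true'">
+<PropertyGroup>
+<NumberOfPackageReferences>@(PackageReference->Count())</NumberOfPackageReferences>
+</PropertyGroup>
+<ConvertToVersionRange Condition="$(NumberOfPackageReferences) &gt; 0" References="@(PackageReference)" VersionProperty="Version">
+<Output TaskParameter="ReferencesWithVersionRanges" ItemName="_PackageReferencesWithVersionRanges" />
+</ConvertToVersionRange>
+<ItemGroup Condition="$(NumberOfPackageReferences) &gt; 0">
+<PackageReference Remove="@(PackageReference)" />
+<PackageReference Include="@(_PackageReferencesWithVersionRanges)" />
+</ItemGroup>
+</Target>
+
+</Project>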
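Review bot: The four `AutomaticVersionRangesEnabled` properties depend on first-match-wins ordering (each later one is conditioned on the property still being empty), but nothing in the file says so, and the Debug exclusion means a `dotnet pack -c Debug` silently produces a package whose dependencies are unbounded floors rather than `[x, next-major)` ranges. A comment above the PropertyGroup would stop a future reorder from changing the outcome: `<!-- Evaluated top to bottom; the first matching condition wins. Conversion is off for Debug builds, non-packable projects and projects using Central Package Management (versions are defined centrally there). Set AutomaticVersionRangesEnabled explicitly in the project to override. -->`. The `&gt; 0` conditions on the two targets also deserve a one-line note that the task is skipped entirely when a project has no references of that kind, since an empty `References` array would otherwise still satisfy `[Required]`.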
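--- /dev/null
+++ b/src/msbuild/ConvertToVersionRange.cs
@@ -0,0 +1,57 @@
+using System;
+using System.Text.RegularExpressions;
+using Microsoft.Build.Framework;
+using Microsoft.Build.Utilities;
+
+public class ConvertToVersionRange : Task
+{
+[Required]
+public ITaskItem[] References { get; set; } = [];
+
+[Required]
+public string VersionProperty { get; set; } = string.Empty;
+
+[Output]
+public ITaskItem[] ReferencesWithVersionRanges { get; private set; } = [];
+
+public override bool Execute()
+{
+var success = true;
+
+foreach (var reference in References)
+{
+var automaticVersionRange = reference.GetMetadata("AutomaticVersionRange");
+
+if (automaticVersionRange.Equals("false", StringComparison.OrdinalIgnoreCase))
+{
+continue;
+}
+
+var privateAssets = reference.GetMetadata("PrivateAssets");
+
+if (privateAssets.Equals("All", StringComparison.OrdinalIgnoreCase))
+{
+continue;
+}
+
+var version = reference.GetMetadata(VersionProperty);
+var match = Regex.Match(version, @"^\d+");
+
+if (match.Value.Equals(string.Empty, StringComparison.Ordinal))
+{
+Log.LogError("Reference '{0}' with version '{1}' is not valid for automatic version range conversion. Fix the version or exclude the reference from conversion by setting 'AutomaticVersionRange=\"false\"' on the reference.", reference.ItemSpec, version);
+success = false;
+continue;
+}
+
+var nextMajor = Convert.ToInt32(match.Value) + 1;
+
+var versionRange = $"[{version}, {nextMajor}.0.0)";
+reference.SetMetadata(VersionProperty, versionRange);
+}
+
+ReferencesWithVersionRanges = References;
+
+return success;
+}
+}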
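Review bot: `Convert.ToInt32(match.Value)` in Execute throws an unhandled exception instead of the descriptive LogError the empty-match branch produces: an OverflowException for a leading digit run beyond int.MaxValue, and a FormatException when `\d` (which in .NET matches any Unicode decimal digit, not only 0-9) accepts digits Convert rejects. Parsing with `if (!int.TryParse(match.Value, NumberStyles.None, CultureInfo.InvariantCulture, out var major))` and routing failure through the same LogError/`success = false` path keeps the task's error reporting consistent; that needs `using System.Globalization;`. The class also has no XML doc comment: a `<summary>` stating that a version such as `9.2.3` is rewritten to `[9.2.3, 10.0.0)`, that items carrying `AutomaticVersionRange="false"` or `PrivateAssets="All"` pass through untouched, that a version already written as a range (starting with `[`) is reported as an error by design, and that the input items are mutated in place (ReferencesWithVersionRanges is the same array as References) would make the build behaviour discoverable from the task itself.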