
add vuln check in pipeline and resolve package warnings #2691

Open
wants to merge 5 commits into base: v2.x

Conversation

davidmrdavid
Contributor

@davidmrdavid davidmrdavid commented Dec 8, 2023

Added a step in our pipeline to scan for actionable vulnerabilities in our dependencies (i.e., vulnerabilities fixed in a new release of the package) and block the PR if any are found.
Also updated our Azure.Identity dependency to respond to one such warning. Also updated one of our sample dependencies on Newtonsoft.JSON for the same reason.
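The PR's own pipeline step is not shown on this page. As an added example (not the PR's code), one way to build such a gate is to run `dotnet list package --vulnerable --include-transitive` and fail the job if the report contains any vulnerable-package row; the report excerpts below are constructed, and the advisory URL is a placeholder.

```shell
#!/usr/bin/env sh
# Added example, not from the PR: fail a CI step when `dotnet list package
# --vulnerable --include-transitive` reports any package with a known advisory.
# Each reported package appears as a row beginning with ">" that ends in a
# severity (Low/Moderate/High/Critical) and an advisory URL.

# Count vulnerable-package rows in a report read from stdin.
count_vulnerable_rows() {
    grep -cE '^[[:space:]]*>.*[[:space:]](Low|Moderate|High|Critical)[[:space:]]+https?://' || true
}

# Read a report from stdin; exit 1 (blocking the pipeline) if any row is found.
vulnerability_gate() {
    report=$(cat)
    n=$(printf '%s\n' "$report" | count_vulnerable_rows)
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n package(s) with known vulnerabilities:" >&2
        printf '%s\n' "$report" | grep -E '^[[:space:]]*>' >&2
        return 1
    fi
    echo "OK: no vulnerable packages reported"
    return 0
}

# Constructed sample reports (project name and advisory URL are placeholders).
SAMPLE_REPORT='Project `SampleProject` has the following vulnerable packages
   [netstandard2.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Azure.Identity       1.1.1       1.1.1      Moderate   https://example.invalid/advisory-placeholder
'
CLEAN_REPORT='The given project `SampleProject` has no vulnerable packages given the current sources.
'

# In a real pipeline step the report comes from the SDK instead of a sample:
#   dotnet list package --vulnerable --include-transitive | vulnerability_gate
run_demo() {
    printf '%s' "$SAMPLE_REPORT" | vulnerability_gate   # returns 1
    printf '%s' "$CLEAN_REPORT" | vulnerability_gate    # returns 0
}
```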

@@ -49,7 +49,7 @@
<Compile Include="**/*.cs" Exclude="Auth/*.cs;Correlation/*.cs;**/obj/**/*.cs" />
<!-- Don't increase below versions without significantly testing on Functions V1!
Increasing these versions increments some dependencies that have binding redirects in Functions V1. -->
<PackageReference Include="Azure.Identity" Version="1.1.1" />
<PackageReference Include="Azure.Identity" Version="1.10.2" />
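Review bot: The comment kept directly above the changed line ("Don't increase below versions without significantly testing on Functions V1") now contradicts the bump of Azure.Identity from 1.1.1 to 1.10.2 on the lines beneath it; either update that comment to record which Functions V1 testing this bump passed (the thread mentions the V1 tests and a manual local run) or narrow it so it no longer covers Azure.Identity. Note also that the rendered hunk has lost its `-`/`+` markers: the `Version="1.1.1"` line is the removed one and `Version="1.10.2"` the added one.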
Contributor Author

@davidmrdavid davidmrdavid Dec 8, 2023

The comment above about not increasing versions here makes me worry this might not be a safe update ^. However, the Functions V1 tests pass, and so does a manual local test.

Given this, that Functions V1 is close to EOL, and that DF is not an auto-upgrading component of Functions V1 (not bundles), I'm not too worried about this change.

Member

Since Functions V1 is not EOL yet, let's make sure we at least smoke test this with Functions V1 to confirm whether or not it's a breaking change.

@davidmrdavid davidmrdavid changed the title [WIP] add vuln check in pipeline add vuln check in pipeline and resolve package warnings Dec 8, 2023
Contributor

@jviau jviau left a comment

Something to consider: if we just update to the .NET 8 SDK, the build will report vulnerabilities itself.

Would that be sufficient for us?


3 participants