Fix vulnerable package dependencies #2814

@vaind

Description

The vulnerability check CI has been broken so I went ahead and fixed it. The problem is that it now fails with actual vulnerabilities and we should fix them. I've tried doing that for example for project Benchmarks but even after updating packages to their latest versions, the vulnerability stayed.

The following sources were used:
   https://api.nuget.org/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/perfview-build/nuget/v3/index.json

Project `Sentry.Benchmarks` has the following vulnerable packages
   [net6.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw

The given project `Sentry.Samples.Android` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Basic` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Blazor.Server` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Blazor.Wasm` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Grpc` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Mvc` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.AspNetCore.Serilog` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Aws.Lambda.AspNetCoreServer` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Azure.Functions.Worker` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Console.Basic` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Console.Customized` has no vulnerable packages given the current sources.
Project `Sentry.Samples.Console.Profiling` has the following vulnerable packages
   [net6.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw
   > System.Net.Http            4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57

The given project `Sentry.Samples.EntityFramework` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.GenericHost` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Google.Cloud.Functions` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.GraphQL.Client.Http` has no vulnerable packages given the current sources.
Project `Sentry.Samples.GraphQL.Server` has the following vulnerable packages
   [net7.0]: 
   Transitive Package                      Resolved   Severity   Advisory URL                                     
   > Swashbuckle.AspNetCore.SwaggerUI      6.1.5      Moderate   https://github.com/advisories/GHSA-qrmm-w75w-3wpx

The given project `Sentry.Samples.Ios` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Log4Net` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.ME.Logging` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.MacCatalyst` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Maui` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.NLog` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.OpenTelemetry.AspNetCore` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.OpenTelemetry.Console` has no vulnerable packages given the current sources.
The given project `Sentry.Samples.Serilog` has no vulnerable packages given the current sources.
The given project `Sentry.Android.AssemblyReader` has no vulnerable packages given the current sources.
The given project `Sentry.AspNet` has no vulnerable packages given the current sources.
The given project `Sentry.AspNetCore.Grpc` has no vulnerable packages given the current sources.
The given project `Sentry.AspNetCore` has no vulnerable packages given the current sources.
The given project `Sentry.Azure.Functions.Worker` has no vulnerable packages given the current sources.
The given project `Sentry.Bindings.Android` has no vulnerable packages given the current sources.
The given project `Sentry.Bindings.Cocoa` has no vulnerable packages given the current sources.
The given project `Sentry.DiagnosticSource` has no vulnerable packages given the current sources.
The given project `Sentry.EntityFramework` has no vulnerable packages given the current sources.
The given project `Sentry.Extensions.Logging` has no vulnerable packages given the current sources.
The given project `Sentry.Google.Cloud.Functions` has no vulnerable packages given the current sources.
The given project `Sentry.Log4Net` has no vulnerable packages given the current sources.
Project `Sentry.Maui` has the following vulnerable packages
   [net6.0]: No vulnerable packages for this framework.
   [net6.0-android31.0]: No vulnerable packages for this framework.
   [net6.0-ios16.1]: No vulnerable packages for this framework.
   [net6.0-maccatalyst16.1]: No vulnerable packages for this framework.
   [net6.0-tizen7.0]: 
   Transitive Package      Resolved   Severity   Advisory URL                                     
   > SkiaSharp             2.88.2     High       https://github.com/advisories/GHSA-j7hp-h8jx-5ppr

   [net6.0-windows10.0.19041]: No vulnerable packages for this framework.
The given project `Sentry.NLog` has no vulnerable packages given the current sources.
The given project `Sentry.OpenTelemetry` has no vulnerable packages given the current sources.
Project `Sentry.Profiling` has the following vulnerable packages
   [net6.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw
   > System.Net.Http            4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57

The given project `Sentry.Serilog` has no vulnerable packages given the current sources.
The given project `Sentry` has no vulnerable packages given the current sources.
The given project `AndroidTestApp` has no vulnerable packages given the current sources.
The given project `TestUtils.DeviceTests.Runners.SourceGen` has no vulnerable packages given the current sources.
The given project `TestUtils.DeviceTests.Runners` has no vulnerable packages given the current sources.
The given project `TestUtils.DeviceTests` has no vulnerable packages given the current sources.
The given project `Sentry.Android.AssemblyReader.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.AspNet.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.AspNetCore.Grpc.Tests` has no vulnerable packages given the current sources.
Project `Sentry.AspNetCore.TestUtils` has the following vulnerable packages
   [netcoreapp3.1]: No vulnerable packages for this framework.
   [net48]: 
   Transitive Package                                           Resolved   Severity   Advisory URL                                     
   > Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets      2.1.3      High       https://github.com/advisories/GHSA-vmch-3w2x-vhgq

   [net6.0]: No vulnerable packages for this framework.
   [net7.0]: No vulnerable packages for this framework.
Project `Sentry.AspNetCore.Tests` has the following vulnerable packages
   [netcoreapp3.1]: No vulnerable packages for this framework.
   [net48]: 
   Transitive Package                                           Resolved   Severity   Advisory URL                                     
   > Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets      2.1.3      High       https://github.com/advisories/GHSA-vmch-3w2x-vhgq

   [net6.0]: No vulnerable packages for this framework.
   [net7.0]: No vulnerable packages for this framework.
The given project `Sentry.Azure.Functions.Worker.Tests` has no vulnerable packages given the current sources.
Project `Sentry.DiagnosticSource.IntegrationTests` has the following vulnerable packages
   [netcoreapp3.1]: 
   Transitive Package      Resolved   Severity   Advisory URL                                     
   > Azure.Identity        1.6.0      High       https://github.com/advisories/GHSA-5mfx-4wcx-rv27

   [net48]: 
   Transitive Package      Resolved   Severity   Advisory URL                                     
   > Azure.Identity        1.6.0      High       https://github.com/advisories/GHSA-5mfx-4wcx-rv27

   [net6.0]: 
   Transitive Package      Resolved   Severity   Advisory URL                                     
   > Azure.Identity        1.6.0      High       https://github.com/advisories/GHSA-5mfx-4wcx-rv27

   [net7.0]: 
   Transitive Package      Resolved   Severity   Advisory URL                                     
   > Azure.Identity        1.6.0      High       https://github.com/advisories/GHSA-5mfx-4wcx-rv27

The given project `Sentry.DiagnosticSource.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.EntityFramework.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.Extensions.Logging.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.Google.Cloud.Functions.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.Log4Net.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.Maui.Device.TestApp` has no vulnerable packages given the current sources.
The given project `Sentry.Maui.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.NLog.Tests` has no vulnerable packages given the current sources.
The given project `Sentry.OpenTelemetry.Tests` has no vulnerable packages given the current sources.
Project `Sentry.Profiling.Tests` has the following vulnerable packages
   [net6.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw

   [net7.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw

Project `Sentry.Serilog.Tests` has the following vulnerable packages
   [netcoreapp3.1]: No vulnerable packages for this framework.
   [net48]: 
   Transitive Package                                           Resolved   Severity   Advisory URL                                     
   > Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets      2.1.3      High       https://github.com/advisories/GHSA-vmch-3w2x-vhgq

   [net6.0]: No vulnerable packages for this framework.
   [net7.0]: No vulnerable packages for this framework.
The given project `Sentry.Testing.CrashableApp` has no vulnerable packages given the current sources.
The given project `Sentry.Testing` has no vulnerable packages given the current sources.
The given project `Sentry.Tests` has no vulnerable packages given the current sources.
The given project `SingleFileTestApp` has no vulnerable packages given the current sources.
Project `TraceEvent` has the following vulnerable packages
   [netstandard2.0]: 
   Transitive Package           Resolved   Severity   Advisory URL                                     
   > Microsoft.NETCore.Jit      1.0.2      High       https://github.com/advisories/GHSA-xcvr-qv8h-m7xw
   > System.Net.Http            4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57

The given project `FastSerialization` has no vulnerable packages given the current sources.
Project `Sentry.Benchmarks` has the following vulnerable packages
Project `Sentry.Samples.Console.Profiling` has the following vulnerable packages
Project `Sentry.Samples.GraphQL.Server` has the following vulnerable packages
Project `Sentry.Maui` has the following vulnerable packages
Project `Sentry.Profiling` has the following vulnerable packages
Project `Sentry.AspNetCore.TestUtils` has the following vulnerable packages
Project `Sentry.AspNetCore.Tests` has the following vulnerable packages
Project `Sentry.DiagnosticSource.IntegrationTests` has the following vulnerable packages
Project `Sentry.Profiling.Tests` has the following vulnerable packages
Project `Sentry.Serilog.Tests` has the following vulnerable packages
Project `TraceEvent` has the following vulnerable packages

Additionally, the vulnerability check today relies on parsing text output. Instead, I think we should use JSON:

```shell
dotnet list .\benchmarks\Sentry.Benchmarks\Sentry.Benchmarks.csproj package --vulnerable --include-transitive --format json
```

```json
{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "sources": [
    "https://api.nuget.org/v3/index.json",
    "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json",
    "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public/nuget/v3/index.json",
    "https://pkgs.dev.azure.com/dnceng/public/_packaging/perfview-build/nuget/v3/index.json"
  ],
  "projects": [
    {
      "path": "C:/dev/dotnet/benchmarks/Sentry.Benchmarks/Sentry.Benchmarks.csproj",
      "frameworks": [
        {
          "framework": "net6.0",
          "transitivePackages": [
            {
              "id": "Microsoft.NETCore.Jit",
              "resolvedVersion": "1.0.2",
              "vulnerabilities": [
                {
                  "severity": "High",
                  "advisoryurl": "https://github.com/advisories/GHSA-xcvr-qv8h-m7xw"
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}
```
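An added example of the JSON-based check proposed above (editor's illustration, not code from the sentry-dotnet repository): it walks the `--format json` report, collects every vulnerability per project and target framework, and returns a non-zero exit code when any finding meets a severity threshold. The `SAMPLE_REPORT` is a constructed copy of the `Sentry.Benchmarks` report quoted in the issue; the `topLevelPackages` key is assumed to have the same shape as `transitivePackages`.

```python
import json
import sys
from collections import namedtuple

# Severity ranking used to decide which findings fail the build.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
Finding = namedtuple("Finding", "project framework package version severity advisory transitive")

def parse_report(report_json: str) -> list:
    """Collect every vulnerability listed in a `dotnet list package --format json` report.
    Assumption: a framework entry may also carry a "topLevelPackages" array shaped like
    "transitivePackages" (only the latter appears in the issue); both are handled."""
    findings = []
    for proj in json.loads(report_json).get("projects", []):
        for fw in proj.get("frameworks", []):
            for key, transitive in (("topLevelPackages", False), ("transitivePackages", True)):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append(Finding(proj["path"], fw["framework"], pkg["id"],
                                                pkg["resolvedVersion"], vuln["severity"],
                                                vuln["advisoryurl"], transitive))
    return findings

def failing(findings: list, threshold: str = "Low") -> list:
    """Findings at or above the threshold; an unknown severity string is treated as failing."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f.severity, floor) >= floor]

def check(report_json: str, threshold: str = "Low") -> int:
    """Exit code for a CI step: 0 when nothing meets the threshold, 1 otherwise."""
    bad = failing(parse_report(report_json), threshold)
    for f in bad:
        kind = "transitive" if f.transitive else "top-level"
        print(f"{f.project} [{f.framework}] {kind} {f.package} {f.version}: {f.severity} {f.advisory}")
    return 1 if bad else 0

# Constructed sample: the Sentry.Benchmarks report from the issue, trimmed to one source.
SAMPLE_REPORT = json.dumps({"version": 1, "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [{"path": "C:/dev/dotnet/benchmarks/Sentry.Benchmarks/Sentry.Benchmarks.csproj",
        "frameworks": [{"framework": "net6.0", "transitivePackages": [
            {"id": "Microsoft.NETCore.Jit", "resolvedVersion": "1.0.2", "vulnerabilities": [
                {"severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-xcvr-qv8h-m7xw"}]}]}]}]})

if __name__ == "__main__":
    # Usage: dotnet list <proj> package --vulnerable --include-transitive --format json | python check.py
    sys.exit(check(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT))
```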

Labels: .NET, Dependencies, Improvement
Status: Done