
Comments (17)

JamesNK avatar JamesNK commented on July 21, 2024

That CVE is wrong. Grpc.Net.Client and Grpc.AspNetCore.Server aren't impacted. The .NET HTTP/2 implementation is different.

Can you please give feedback to whoever says those packages are vulnerable that they're wrong and fix their mistake.

from azure-functions-dotnet-worker.

kshyju avatar kshyju commented on July 21, 2024

@seancostigan The servicebus extension package version you mentioned does not have any vulnerabilities. But I see your Microsoft.NET.Sdk.Functions package is not the latest version. Can you please update Microsoft.Azure.Functions.Worker.Sdk package to the latest stable version in your function app project? That should bring the latest version of Microsoft.NET.Sdk.Functions package in the auto generated WorkerExtensions project. This should solve your issue.

Let us know if you are still experiencing any issues. Thanks!


seancostigan avatar seancostigan commented on July 21, 2024

@kshyju I updated Microsoft.Azure.Functions.Worker.Sdk to the latest version (1.17.1) and that did update Microsoft.NET.Sdk.Functions to 4.3.0 in the WorkerExtensions.csproj

Here are the package references now in WorkerExtensions.csproj:

<ItemGroup>
    <PackageReference Include="Microsoft.NETCore.Targets" Version="3.0.0" PrivateAssets="all" />
    <PackageReference Include="Microsoft.NET.Sdk.Functions" Version="4.3.0" />
    <PackageReference Include="Microsoft.Azure.WebJobs.Extensions.ServiceBus" Version="5.13.5" />
</ItemGroup>

However, in the bin/Debug/net8.0/.azurefunctions folder for my Azure Function, it is still referencing the two vulnerable Grpc NuGet packages. I believe those are being pulled in by Microsoft.Azure.WebJobs.Extensions.ServiceBus, so I think that is the package that needs to be updated.


kshyju avatar kshyju commented on July 21, 2024

Microsoft.Azure.WebJobs.Extensions.ServiceBus 5.13.5 does not have any vulnerabilities. You can verify this by creating a project which has a reference to this package and then run dotnet list package --vulnerable --include-transitive.


Try a dotnet clean and see if that helps? Can you run dotnet list package --vulnerable --include-transitive on the auto generated WorkerExtensions project and share what it reports? If it reports any warnings, let's take a binary search approach to narrow down the culprit entry. Try removing half of the package reference entries and execute the command again. Repeat the binary search approach until you find the package reference entry which is causing the error. Please share what you find.


seancostigan avatar seancostigan commented on July 21, 2024

I ran the dotnet list package --vulnerable --include-transitive command on my project and I get the same results as you (no vulnerable packages). However, the vulnerability scanning tool integrated with my pipeline is reporting two vulnerabilities.


Both are related to this item: https://nvd.nist.gov/vuln/detail/CVE-2023-32731


kshyju avatar kshyju commented on July 21, 2024

Looks like some other package your project references is causing the issue. Can you share all the package references you have? Can you make sure all of them are the latest stable versions?


seancostigan avatar seancostigan commented on July 21, 2024

I confirmed all the directly referenced packages in my project are at the latest version:

<ItemGroup>
  <FrameworkReference Include="Microsoft.AspNetCore.App" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.2.1" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.ServiceBus" Version="5.17.0" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.17.1" />
  <PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.22.0" />
  <PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="1.2.0" />
</ItemGroup>

Looking at the WorkerExtensions project, I see that the Grpc.AspNetCore.Server and Grpc.Net.Client packages are being pulled in as transitive dependencies from Microsoft.Azure.WebJobs.Extensions.ServiceBus


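The question in the comment above is which direct reference drags a flagged package into the WorkerExtensions project. The following added Python script (not part of the issue or of the azure-functions-dotnet-worker project) walks the dependency graph that NuGet restore records in obj/project.assets.json and prints every chain from a direct reference to the flagged package, so a scanner finding can be traced to one PackageReference without the manual binary search. The sample data is constructed: its package names mirror the thread, but the dependency edges are assumed for illustration and the target framework key is assumed to be "net8.0".

```python
import json

# Constructed sample of the parts of obj/project.assets.json that matter here.
# Package names/versions mirror the thread; the dependency edges are assumed
# for illustration, not copied from the real NuGet packages.
SAMPLE_ASSETS = {
    "targets": {"net8.0": {
        "Microsoft.NET.Sdk.Functions/4.3.0": {"type": "package", "dependencies": {}},
        "Microsoft.Azure.WebJobs.Extensions.ServiceBus/5.13.5": {"type": "package",
            "dependencies": {"Grpc.Net.Client": "2.49.0", "Grpc.AspNetCore.Server": "2.49.0"}},
        "Grpc.Net.Client/2.49.0": {"type": "package", "dependencies": {}},
        "Grpc.AspNetCore.Server/2.49.0": {"type": "package", "dependencies": {}},
    }},
    "project": {"frameworks": {"net8.0": {"dependencies": {
        "Microsoft.NET.Sdk.Functions": {"target": "Package", "version": "[4.3.0, )"},
        "Microsoft.Azure.WebJobs.Extensions.ServiceBus": {"target": "Package", "version": "[5.13.5, )"},
    }}}},
}

def dependency_paths(assets, framework, flagged):
    """Return every chain 'direct ref X.Y -> ... -> flagged A.B' as a list of strings.
    Package ids compare case-insensitively (as NuGet does); cycles are cut by `visited`."""
    graph = {}
    for key, node in assets["targets"][framework].items():
        name, _, version = key.partition("/")
        graph[name.lower()] = (name, version, {d.lower() for d in node.get("dependencies", {})})
    found = []

    def walk(pkg, visited, labels):
        name, version, deps = graph.get(pkg, (pkg, "?", set()))  # "?" for nodes not in targets
        labels = labels + ["%s %s" % (name, version)]
        if pkg == flagged.lower():
            found.append(" -> ".join(labels))
            return
        for dep in sorted(deps - visited):
            walk(dep, visited | {dep}, labels)

    for direct in assets["project"]["frameworks"][framework]["dependencies"]:
        walk(direct.lower(), {direct.lower()}, [])
    return found

def paths_from_file(assets_path, framework, flagged):
    """Run the same query against a real restore output, e.g. WorkerExtensions/obj/project.assets.json."""
    with open(assets_path, encoding="utf-8") as fh:
        return dependency_paths(json.load(fh), framework, flagged)

if __name__ == "__main__":  # e.g. paths_from_file("obj/project.assets.json", "net8.0", "Grpc.Net.Client")
    print("\n".join(dependency_paths(SAMPLE_ASSETS, "net8.0", "Grpc.Net.Client")) or "not reachable")
```

On a real project, run dotnet restore first so obj/project.assets.json exists, and pass the framework key exactly as it appears under "targets" in that file.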

kshyju avatar kshyju commented on July 21, 2024

Hm, that is strange. With the nuget command, I still do not see any vulnerability issues being reported for Grpc.Net.Client 2.49.0 when trying in a console app.


May I ask what scanning tool you have in your CI?


seancostigan avatar seancostigan commented on July 21, 2024

We are using Aqua.


kshyju avatar kshyju commented on July 21, 2024

@seancostigan I do not see any information in the linked CVE page which says the Grpc.Net.Client 2.49.0 version is impacted. Can you point me to the page which has this information?


TroyFridley avatar TroyFridley commented on July 21, 2024

AquaSec's (who makes Trivy) vulnerability team associated the issue with the base upstream gRPC source to the NuGet packages. Aqua's page is here: https://avd.aquasec.com/nvd/2023/cve-2023-32731/

That public page contains the same information as NVD. Their tooling reports that the issue also impacts Grpc.Net.Client and Grpc.AspNetCore.Server.

The following are the information blocks from the AquaSec Scanner reported in the UI:



kshyju avatar kshyju commented on July 21, 2024

Tagging @mattchenderson for further help on next steps here.


TroyFridley avatar TroyFridley commented on July 21, 2024

Any progress on this issue or plans on doing anything with it?


jviau avatar jviau commented on July 21, 2024

@JamesNK could you comment on this CVE that reportedly comes from gRPC packages? Nuget does not have any vulnerability reported for those package versions. Does this CVE not apply here? Was it an oversight to not flag those nuget packages as vulnerable?


seancostigan avatar seancostigan commented on July 21, 2024

I got a notification about this issue being marked as stale and needing a response to keep it from being closed. So responding here, but I think @jviau captured the open question in the response above.


seancostigan avatar seancostigan commented on July 21, 2024

@JamesNK Thank you for confirming that there is no issue with these packages. I have relayed the information to my Product Security team and they are going to work with AquaSec to identify this as a false positive.


fabiocav avatar fabiocav commented on July 21, 2024

Closing this as resolved/no action.

