
Commit 796f1b7

fix: pin vulnerable transitive dependencies and upgrade .NET runtime to 8.0.24 (#2727)
1 parent 3a63d35 commit 796f1b7


21 files changed

+97
-47
lines changed

Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,3 @@
11
variables:
2-
DotNet.Sdk.Version: '8.0.415'
2+
DotNet.Sdk.Version: '8.0.418'
33
DotNet.Configuration: 'release'

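--- a/src/Promitor.Agents.Core/Promitor.Agents.Core.csproj
+++ b/src/Promitor.Agents.Core/Promitor.Agents.Core.csproj
@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 </PropertyGroup>
 
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -33,6 +33,10 @@
 <PackageReference Include="Swashbuckle.AspNetCore.Annotations" Version="9.0.3" />
 <PackageReference Include="Swashbuckle.AspNetCore.Filters" Version="9.0.0" />
 <PackageReference Include="Humanizer" Version="2.14.1" />
+
+<!-- Explicitly pin transitive dependencies to mitigate security vulnerabilities -->
+<PackageReference Include="System.Drawing.Common" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.3" />
 </ItemGroup>
 
 <ItemGroup>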
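Review bot: The comment added above the two new pins (`System.Drawing.Common` and `System.Security.Cryptography.Xml` at 10.0.3) names neither the advisory being mitigated nor the direct package that pulls these in, so a later maintainer cannot tell when the pin is safe to drop or whether a scanner finding is already covered. I would expand it to something like `<!-- Pinned transitive dependency: ADVISORY-ID-PLACEHOLDER via PARENT-PACKAGE-PLACEHOLDER; remove once the parent references a fixed version -->`, filled in with the real identifiers. The same bare comment is added in Promitor.Core.Scraping, Promitor.Core.Telemetry and Promitor.Core. Since identical pins are now repeated by hand in several project files, it may also be worth holding them in one shared place (for example NuGet central package management with transitive pinning) so a future bump cannot miss a project.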

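--- a/src/Promitor.Agents.ResourceDiscovery/Dockerfile.linux
+++ b/src/Promitor.Agents.ResourceDiscovery/Dockerfile.linux
@@ -21,7 +21,7 @@ RUN dotnet publish Promitor.Agents.ResourceDiscovery/Promitor.Agents.ResourceDis
 --arch $TARGETARCH \
 /p:Version=$VERSION
 
-FROM mcr.microsoft.com/dotnet/aspnet:8.0.21-cbl-mariner2.0-distroless AS runtime-base
+FROM mcr.microsoft.com/dotnet/aspnet:8.0.24-cbl-mariner2.0-distroless AS runtime-base
 
 FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS installer
 RUN tdnf install -y fdupes \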

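--- a/src/Promitor.Agents.ResourceDiscovery/Promitor.Agents.ResourceDiscovery.csproj
+++ b/src/Promitor.Agents.ResourceDiscovery/Promitor.Agents.ResourceDiscovery.csproj
@@ -1,9 +1,9 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
 <DockerComposeProjectPath>..\docker-compose.dcproj</DockerComposeProjectPath>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 <GenerateDocumentationFile>true</GenerateDocumentationFile>
 <DocumentationFile>Docs\Open-Api.xml</DocumentationFile>
 <UserSecretsId>159d036b-3697-40d4-bdc4-7d9736521375</UserSecretsId>
@@ -42,9 +42,9 @@
 <PackageReference Include="Polly" Version="8.6.4" />
 
 <!-- Explicitly pin dependencies on container project to mitigate security vulnerabilities -->
-<PackageReference Include="System.Drawing.Common" Version="9.0.10" />
-<PackageReference Include="System.Security.Cryptography.Pkcs" Version="9.0.10" />
-<PackageReference Include="System.Security.Cryptography.Xml" Version="9.0.10" />
+<PackageReference Include="System.Drawing.Common" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Pkcs" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.3" />
 <PackageReference Include="System.Text.RegularExpressions" Version="4.3.1" />
 </ItemGroup>
 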
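Review bot: `<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>` is hand-copied into this project file and has to stay in step with the `aspnet:8.0.24-cbl-mariner2.0-distroless` tag in this project's Dockerfile.linux, and the commit edits every copy separately. If one copy is missed in a later security bump, the image either ships an unpatched runtime or, presumably, the app fails to start because it requests a newer framework version than the image contains. Defining the version once (for instance a shared property in `Directory.Build.props`, plus a build `ARG` for the image tag) would make the next runtime patch a single edit. The same applies to the Scraper project and the library projects touched in this commit.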

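--- a/src/Promitor.Agents.Scraper/Dockerfile.linux
+++ b/src/Promitor.Agents.Scraper/Dockerfile.linux
@@ -25,7 +25,7 @@ RUN dotnet publish Promitor.Agents.Scraper/Promitor.Agents.Scraper.csproj \
 --arch $TARGETARCH \
 /p:Version=$VERSION
 
-FROM mcr.microsoft.com/dotnet/aspnet:8.0.21-cbl-mariner2.0-distroless AS runtime-base
+FROM mcr.microsoft.com/dotnet/aspnet:8.0.24-cbl-mariner2.0-distroless AS runtime-base
 
 FROM mcr.microsoft.com/cbl-mariner/base/core:2.0 AS installer
 RUN tdnf install -y fdupes \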

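--- a/src/Promitor.Agents.Scraper/Promitor.Agents.Scraper.csproj
+++ b/src/Promitor.Agents.Scraper/Promitor.Agents.Scraper.csproj
@@ -1,9 +1,9 @@
-<Project Sdk="Microsoft.NET.Sdk.Web">
+<Project Sdk="Microsoft.NET.Sdk.Web">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
 <DockerComposeProjectPath>..\docker-compose.dcproj</DockerComposeProjectPath>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 <!--<DockerDefaultTargetOS>Windows</DockerDefaultTargetOS>-->
 </PropertyGroup>
 
@@ -44,9 +44,9 @@
 <PackageReference Include="YamlDotNet" Version="15.1.6" />
 
 <!-- Explicitly pin dependencies on container project to mitigate security vulnerabilities -->
-<PackageReference Include="System.Drawing.Common" Version="9.0.10" />
-<PackageReference Include="System.Security.Cryptography.Pkcs" Version="9.0.10" />
-<PackageReference Include="System.Security.Cryptography.Xml" Version="9.0.10" />
+<PackageReference Include="System.Drawing.Common" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Pkcs" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.3" />
 </ItemGroup>
 
 <ItemGroup>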

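--- a/src/Promitor.Core.Contracts/Promitor.Core.Contracts.csproj
+++ b/src/Promitor.Core.Contracts/Promitor.Core.Contracts.csproj
@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 </PropertyGroup>
 
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -14,7 +14,8 @@
 </PropertyGroup>
 
 <ItemGroup>
-<PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
+<!-- Explicitly pin transitive dependency to mitigate security vulnerability -->
+<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
 </ItemGroup>
 
 </Project>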
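Review bot: The new comment calls `Newtonsoft.Json` a pinned transitive dependency, but the removed line shows this project already referenced it directly at 13.0.3, so in this file the change is an ordinary upgrade of a direct reference. The comment also does not name the advisory that 13.0.4 is meant to address, which makes the security claim hard to audit from the diff alone. Suggest `<!-- Newtonsoft.Json upgraded to 13.0.4 for ADVISORY-ID-PLACEHOLDER (direct reference) -->` with the real identifier, or dropping the comment here if the bump is only to keep this project aligned with the others.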

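--- a/src/Promitor.Core.Scraping/Promitor.Core.Scraping.csproj
+++ b/src/Promitor.Core.Scraping/Promitor.Core.Scraping.csproj
@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 <LangVersion>8</LangVersion>
 </PropertyGroup>
 
@@ -22,6 +22,10 @@
 <PackageReference Include="Microsoft.ApplicationInsights" Version="2.23.0" />
 <PackageReference Include="Microsoft.Azure.Management.Fluent" Version="1.38.1" />
 <PackageReference Include="YamlDotNet" Version="15.1.6" />
+
+<!-- Explicitly pin transitive dependencies to mitigate security vulnerabilities -->
+<PackageReference Include="System.Drawing.Common" Version="10.0.3" />
+<PackageReference Include="System.Security.Cryptography.Xml" Version="10.0.3" />
 </ItemGroup>
 
 <ItemGroup>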

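--- a/src/Promitor.Core.Telemetry/Promitor.Core.Telemetry.csproj
+++ b/src/Promitor.Core.Telemetry/Promitor.Core.Telemetry.csproj
@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 </PropertyGroup>
 
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -17,6 +17,9 @@
 <PackageReference Include="Microsoft.ApplicationInsights" Version="2.23.0" />
 <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.10" />
 <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="9.0.10" />
+
+<!-- Explicitly pin transitive dependency to mitigate security vulnerability -->
+<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
 </ItemGroup>
 
 <ItemGroup>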

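--- a/src/Promitor.Core/Promitor.Core.csproj
+++ b/src/Promitor.Core/Promitor.Core.csproj
@@ -1,8 +1,8 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
 <PropertyGroup>
 <TargetFramework>net8.0</TargetFramework>
-<RuntimeFrameworkVersion>8.0.21</RuntimeFrameworkVersion>
+<RuntimeFrameworkVersion>8.0.24</RuntimeFrameworkVersion>
 </PropertyGroup>
 
 <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
@@ -23,6 +23,9 @@
 <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.10" />
 <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="9.0.10" />
 <PackageReference Include="YamlDotNet" Version="15.1.6" />
+
+<!-- Explicitly pin transitive dependency to mitigate security vulnerability -->
+<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
 </ItemGroup>
 
 </Project>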
