Skip to content

Fix component detection alert for microsoft.owin package#4841

Merged
erdembayar merged 4 commits intodevfrom
dev-eryondon-fix-componentdetection-alert
Oct 5, 2022
Merged

Fix component detection alert for microsoft.owin package#4841
erdembayar merged 4 commits intodevfrom
dev-eryondon-fix-componentdetection-alert

Conversation

@erdembayar
Copy link
Contributor

@erdembayar erdembayar commented Oct 4, 2022
edited
Loading

Bug

Fixes: https://github.com/NuGet/Client.Engineering/issues/1890

Regression? Last working version:

Description

Currently 4 security alerts (for microsoft.owin packages) from component detection task blocking official CI pipeline. This PR is for replacing vulnerable microsoft.own package version with latest one.
I removed WebApplication45WebSite.zip template for End2end tests because it has many references to vulnerable version of Microsoft.Owin, by removing it we prevent from accidental usage of that template in the future.

image

PR Checklist

  • PR has a meaningful title

  • PR has a linked issue.

  • Described changes

  • Tests

    • Automated tests added
    • OR
    • Test exception
    • OR
    • N/A

  • Documentation

    • Documentation PR or issue filled
    • OR
    • N/A

erdembayar
erdembayar commented Oct 4, 2022
View reviewed changes
test/EndToEnd/tests/ServicesTest.ps1
# Act
[API.Test.InternalAPITestHook]::InstallPackageApi("microsoft.owin","2.0.0")
[API.Test.InternalAPITestHook]::InstallPackageApi("microsoft.owin","3.0.0")
[API.Test.InternalAPITestHook]::InstallPackageApi("nuget.librarymodel","6.2.0")
Copy link
Contributor Author

@erdembayar erdembayar Oct 4, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't use microsoft.owin package any, because all versions except last 4.2.2 version has vulnerabilities. but we need 2 versions for this test. So, I replaced the package with something doesn't have any vulnerabilities.

@erdembayar erdembayar marked this pull request as ready for review October 5, 2022 00:48
@erdembayar erdembayar requested a review from a team as a code owner October 5, 2022 00:48
heng-liu
heng-liu approved these changes Oct 5, 2022
View reviewed changes
Copy link
Contributor

@heng-liu heng-liu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM :)
Just have one question, after removing this template, is there any E2E test case affected? Thanks!

@erdembayar
Copy link
Contributor Author

erdembayar commented Oct 5, 2022

LGTM :) Just have one question, after removing this template, is there any E2E test case affected? Thanks!

Number of End2nd tests stays the same.
Part 1 has 185 tests after change, before it was 185 tests too.
Part 2 has 234 tests after change, before it was 234 tests too.

@erdembayar erdembayar merged commit f4e0ae1 into dev Oct 5, 2022
@erdembayar erdembayar deleted the dev-eryondon-fix-componentdetection-alert branch October 5, 2022 16:07
erdembayar added a commit that referenced this pull request Oct 5, 2022
@erdembayar
Fix component detection alert for microsoft.owin package (#4841)
830bdf2 
* Remove package for Microsoft.Owin in End2end test
@erdembayar erdembayar mentioned this pull request Oct 5, 2022
Merged
8 tasks
erdembayar added a commit that referenced this pull request Oct 6, 2022
@erdembayar
Fix component detection alert for microsoft.owin package (#4841) (#4845)
60bfacf 
* Remove package for Microsoft.Owin in End2end test
AdmiringWorm added a commit to chocolatey/NuGet.Client that referenced this pull request Dec 19, 2022
@AdmiringWorm
Merge tag '6.4.0.123' into develop
6ab0442 
Insert 6.4.0-rc.123 into rel/d17.4 on 11/07/2022 23:47:12

* tag '6.4.0.123': (60 commits)
  fix a logic error that caused AbandonedMutexException while executing migrations (release-6.4.x) (NuGet#4895)
  unblock source build failing due to fatal: transport 'file' not allowed error (NuGet#4867) (NuGet#4874)
  Signing:  update to August 2022 CTL (NuGet#4791) (NuGet#4850)
  Merged PR 422933: Prefer BCL Directory create API over helper class (7.0.1xx-rc2)
  Fix empty combobox when package is not present in project file (NuGet#4844) (NuGet#4848)
  Fix component detection alert for microsoft.owin package (NuGet#4841) (NuGet#4845)
  Make release label RC, move to escrow mode
  Adds special case to include transitive origins in GetInstalledAndTransitivePackagesAsync API (NuGet#4824)
  Add longPathAware manifest to NuGet.Build.Tasks.Console (NuGet#4830)
  VsPackageInstallerServices should not post ProjectNotNominatedException faults (NuGet#4814)
  Skip test GetOrCreateAsync_WithUnhandledExceptionInPlugin_Throws (NuGet#4831)
  Improve OptProf pipeline job run names (NuGet#4825)
  Increase HttpClientHandler.MaxConnectionsPerServer to 64 to improve PM UI performance in Visual Studio (NuGet#4798)
  Suppress CA2213 warnings to unblock dev branch (NuGet#4823)
  Ensure IsVsOfflineFeed is calculated correctly on 64-bit machines (NuGet#4817)
  Add better handling of AggregateExceptions in static graph-based restore (NuGet#4809)
  Add Component Detection task into each pipeline (NuGet#4813)
  Localizes nuget.exe with default, embedded resource assembly lookup (NuGet#4773)
  Removes BrowseObjectBase class in NuGet Solution Explorer (NuGet#4807)
  Improve TryCreateContext  (NuGet#4762)
  ...
nkolev92 pushed a commit that referenced this pull request Sep 29, 2023
@erdembayar @nkolev92
Fix component detection alert for microsoft.owin package (#4841)
05528b6 
* Remove package for Microsoft.Owin in End2end test
nkolev92 pushed a commit that referenced this pull request Sep 29, 2023
@erdembayar @nkolev92
Fix component detection alert for microsoft.owin package (#4841)
e54bd48 
* Remove package for Microsoft.Owin in End2end test
nkolev92 pushed a commit that referenced this pull request Sep 29, 2023
@erdembayar @nkolev92
Fix component detection alert for microsoft.owin package (#4841)
1b7fc29 
* Remove package for Microsoft.Owin in End2end test
nkolev92 added a commit that referenced this pull request Oct 2, 2023
@nkolev92 @heng-liu
@erdembayar @martinrrm
Remove packages with CG alerts from E2E tests in 6.0.x (#5437)
173fada 
* Update dependencies in E2E tests (#4767)

* Fix component detection alert for microsoft.owin package (#4841)

* Remove package for Microsoft.Owin in End2end test

* Address component detection failure newtonsoft.json 4.0.1 (#4934)

* remove unused Moq package from E2E test (#5358)

---------

Co-authored-by: Heng Liu <45407901+heng-liu@users.noreply.github.com>
Co-authored-by: Erick Yondon <eryondon@microsoft.com>
Co-authored-by: Martin Ruiz <martin.ruiz.mares@gmail.com>
nkolev92 added a commit that referenced this pull request Oct 2, 2023
@nkolev92 @heng-liu
@erdembayar @martinrrm
Remove packages with CG alerts from E2E tests in 6.2.x (#5439)
7bdeedf 
* Update dependencies in E2E tests (#4767)

* Fix component detection alert for microsoft.owin package (#4841)

* Remove package for Microsoft.Owin in End2end test

* Address component detection failure newtonsoft.json 4.0.1 (#4934)

* remove unused Moq package from E2E test (#5358)

* Use net6.0-windows

---------

Co-authored-by: Heng Liu <45407901+heng-liu@users.noreply.github.com>
Co-authored-by: Erick Yondon <eryondon@microsoft.com>
Co-authored-by: Martin Ruiz <martin.ruiz.mares@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jeffkl jeffkl jeffkl approved these changes

+1 more reviewer

@heng-liu heng-liu heng-liu approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erdembayar @jeffkl @heng-liu