Replies: 4 comments 2 replies
-
|
WebJobs.Extensions.DurableTask targets .NET Framework 4.6, .NET Standard 2.0, and .NET Core 3.1. We don't plan on adding a .NET 6 target at this point in time since it's not required (.NET 6 function apps on v4 will use the .NET Core 3.1 target). What tool are you using to list these vulnerabilities? Generally speaking, dependencies such as Microsoft.AspNetCore.Http are overwritten by the version used by the Functions host, so your running apps should not be vulnerable. |
Beta Was this translation helpful? Give feedback.
-
|
It is Nexus IQ in our pipeline that is showing these warnings. We started only recently having these warnings, so I went to investigate how so that we are using these libraries. I found out it is a transitive dependency, pointing to our durable functions package. I will check if I can suppress these warnings or set binding redirects to see if it can help. Thanks |
Beta Was this translation helpful? Give feedback.
-
|
@cgillum I have tried in every way to push the WebJobs.Extensions.DurableTask to use the .net 6 libraries. Unfortunately, targeting runtime is not a transitive dependency so it can not be updated and linked directly in the project. Besides .net31, have you considered to also target .net6? |
Beta Was this translation helpful? Give feedback.
-
|
@mmajcica if your concern is about a CVE, can you open an issue in this repo with the details? That will be easier for tracking. Targeting .NET 6 would increase the package size quite a bit, and it's already fairly large. The team will probably first want to explore a more targeted fix for any CVE concerns. |
Beta Was this translation helpful? Give feedback.
-
|
@cgillum May I ask what the reason was from removing .NET 6 target and adding .NET Core 3.1 target in v2.7.1? So far I think it was because |
Beta Was this translation helpful? Give feedback.
-
|
The netcoreapp3.1 target was used instead of net60 because Azure Functions extension bundles don’t support net60, and extension bundles are how we’re able to support non-.NET languages while also supporting more modern dependencies, like gRPC. |
Beta Was this translation helpful? Give feedback.
-
Are there any plans in moving the durable function project to .net 6?
Currently, the project uses some libraries that are flagged as having vulnerabilities, like:
Policy(Security-Medium-7) [
Component(displayName=Microsoft Corporation./Microsoft ASP.NET Core Microsoft.AspNetCore.Http.dll 2.2.2.19024, hash=0f2b4ccbbeb15b82c06e) [
Constraint(Security threat level 7) [Security Vulnerability Severity >= 7 because: Found security vulnerability CVE-2020-1045 with severity >= 7 (severity = 7.5), on condition 0, Security Vulnerability Status is not NOT_APPLICABLE because: Found security vulnerability CVE-2020-1045 with status 'Open', not 'Not Applicable', on condition 0, Security Vulnerability Severity < 8 because: Found security vulnerability CVE-2020-1045 with severity < 8 (severity = 7.5), on condition 0] ]]
Our functions are targeting v4 and .net 6, durable functions are the only dependency still on .net 3.1.
Beta Was this translation helpful? Give feedback.
All reactions