Describe the bug
Due to a reference from FluentMigrator, our projects are getting vulnerability warnings when restoring using `dotnet restore`:

```text
error NU1902: Warning As Error: Package 'Azure.Identity' 1.10.3 has a known moderate severity vulnerability, GHSA-m5vv-6r4h-3vj9
Warning As Error: Package 'Microsoft.Identity.Client' 4.56.0 has a known moderate severity vulnerability, GHSA-m5vv-6r4h-3vj9
```
Using the new `dotnet nuget why` command, these references are coming from Microsoft.Data.SqlClient, which references Azure.Identity. Azure.Identity is referencing Microsoft.Identity.Client. FluentMigrator.Runner.SqlServer is responsible for bringing in these transitive dependencies.
The easy solution is to upgrade Microsoft.Data.SqlClient from 5.2.0 to the latest 5.2.2, which resolves the issue. Here are their release notes:

- Upgraded Azure.Identity version from 1.11.3 to 1.11.4 #2648 to address CVE-2024-35255.
- Upgraded Microsoft.Identity.Client version from 4.60.0 to 4.61.3 #2648 to address CVE-2024-35255.
To Reproduce
Start a new project and reference FluentMigrator.Runner.SqlServer version 5.2.0.
Expected behavior
No known vulnerabilities are introduced in the project.
Information (please complete the following information):
- OS: Windows
- Platform: dotnet 8
- FluentMigrator version: 5.2.0
- FluentMigrator runner: "in-process runner"
- Database Management System: SQL Server
- Database Management System Version: Any SQL Server
Additional context
```text
[net8.0]
│
└─ FluentMigrator.Runner (v5.2.0)
   └─ FluentMigrator.Runner.SqlServer (v5.2.0)
      └─ Microsoft.Data.SqlClient (v5.1.4)
         ├─ Azure.Identity (v1.10.3)
         │  ├─ Microsoft.Identity.Client (v4.56.0)
         │  └─ Microsoft.Identity.Client.Extensions.Msal (v4.56.0)
         │     └─ Microsoft.Identity.Client (v4.56.0)
         └─ Microsoft.Identity.Client (v4.56.0)
```
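A consumer-side way to apply the fix described in this report, before a FluentMigrator release that references the patched Microsoft.Data.SqlClient ships: add a direct `PackageReference` to Microsoft.Data.SqlClient 5.2.2 next to the FluentMigrator reference. NuGet's "nearest wins" resolution lets a direct reference override a transitive one, so the project resolves to 5.2.2 and its patched Azure.Identity and Microsoft.Identity.Client. The project file below is an added example and not code from this issue or from the FluentMigrator project; the project name and target framework are assumed, and the `NuGetAudit*` properties assume an SDK recent enough to support them (NuGetAuditMode requires NuGet 6.10 / .NET SDK 8.0.300 or later).

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Keep NU1902 failing the build, as in the report, so restore proves the fix. -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
    <!-- Assumed settings: audit transitive packages too, not only direct references,
         and fail on moderate or higher advisories. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>moderate</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="FluentMigrator.Runner.SqlServer" Version="5.2.0" />
    <!-- Direct reference overrides the transitive Microsoft.Data.SqlClient brought in by
         FluentMigrator.Runner.SqlServer (NuGet "nearest wins"), pulling Azure.Identity 1.11.4
         and Microsoft.Identity.Client 4.61.3 per the Microsoft.Data.SqlClient 5.2.2 release notes. -->
    <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
  </ItemGroup>

</Project>
```

After editing the project file, run `dotnet restore` and confirm the NU1902 errors are gone, then `dotnet nuget why <project> Microsoft.Identity.Client` to check that the remaining path to MSAL goes through the 5.2.2 package, and `dotnet list package --vulnerable --include-transitive` to confirm no other transitive advisory remains. Because the override bumps a dependency that FluentMigrator.Runner.SqlServer was built against, watch for NU1605 downgrade warnings from other packages in the graph and re-run the migration tests against a real SQL Server before shipping; this is a workaround in the consuming project, not a fix in FluentMigrator itself.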