i am running azure pipline with Mend Bolt task to detect old libraries, and i got:
Notice for System.Text.RegularExpressions the existing version is 4.3.1 and the suggested fix is ALSO 4.3.1 but it seems it is not taken in consideration.
PS: my csproj is here
Any help please ?
Thank you in adavance
Mend has a page about this CVE-2019-0820 issue, explaining when this notice might also be a false positive.
For your situation it is a false positive
you are on .NET 6, which is higher than the mentioned vulnerable runtimes (see below) - your WebApp.proj has <TargetFramework>net6.0</TargetFramework>
you reference System.Text.RegularExpressions version 4.3.1 or even higher.
From that page:
In case the project has the CVE-2019-0820 reported then if it is actually vulnerable or not depends on the used .NET Core Runtime version.
The vulnerable .NET Core Runtime versions for this CVE are:
v1.0 branch: 1.0 - 1.0.16 (exclusive)
v1.1 branch: 1.1 - 1.1.13 (exclusive)
v2.1 branch: 2.1 - 2.1.11 (exclusive)
v2.2 branch: 2.2 - 2.2.5 (exclusive)
If the user is running a higher .NET core version than listed above while using the package version 4.3.1 then they are secured from the vulnerability and they can safely ignore the alert.
Related
My project uses .net framework 4.8. After upgrading microsoft.net.sdk.functions from version 1.0.24 to 3.0.1, the build on my local machine works fine, but there are some errors on the build on VSO pipeline:
microsoft.net.sdk.functions\3.0.1\build\microsoft.net.sdk.functions.build.targets(41,5):
It was not possible to find any compatible framework version
The specified framework 'Microsoft.NETCore.App', version '3.0.0' was
not found
microsoft.net.sdk.functions\3.0.1\build\microsoft.net.sdk.functions.build.targets(41,5):
metadata generation failed.
There is no version 3.0.0 for Microsoft.NetCore.App nuget package. Why would the error ask for that version? Also how can I fix the error?
Looking at the package on NuGet, version 3.0.1 is intended for use with .NET Core 3.0 and higher applications, not .NET Framework applications. Version 1.0.38 appears to be the latest version with .NET Framework support (4.6 and higher).
I recently updated our .net core asp.net mvc app, in the project properties, the Target Framework is ".NET Core 3.1". In the .csproj file I see:
<TargetFramework>netcoreapp3.1</TargetFramework>
At the time I built it the specific version was 3.1.3 which was listed as LTS (long term support).
If I expand the Dependencies -> then Frameworks -> right click on Microsoft.AspNetCore.App -> properties I see:
Version 3.1.3
QA tested the app and were preparing to release it.
But in the weeks that have followed, I noticed Microsoft released 3.1.4 (now listed as LTS). I'm confused on the issue of which version of .NET Core my app can run against in deployment.
Can the app run in a customer/deployment environment that has 3.1.4 installed since I never specified 3.1.3 explicitly. Or can it only run against 3.1.3 because that was the latest on my machine when I built it?
Thanks for the help, I feel stupid for not knowing this.
You misunderstood the LTS concept, https://dotnet.microsoft.com/platform/support/policy/dotnet-core
The only key point is that "Customers choosing LTS will need the latest patch update installed to qualify for support". You can use whatever patch version (3.1.x) till you need to upgrade to the latest when receiving support services from Microsoft. You should try to upgrade often to the latest patch version though, as it ships security updates.
Different deployment approaches (framework dependent or self-contained) also have impact on how you upgrade for yourself or your customers, but that's rather lengthy to discuss. You'd better set up a few experiments in a lab environment to explore further.
I am upgrading an application from Visual Studio 2013 Net 4.5.1 to Visual Studio 2015 C#6 Net 4.6, and I would like to make use of the System.Numerics.Vectors Vector< T >. I have been using Vector4 already to get SIMD which works fine in my app, I would like to get Vector< T > support though and make full use of the larger AVX/AVX2 SIMD Registers.
The development system has Net 4.5, 4.51, 4.52, 4.6, 4.61 and 4.62 Multi-Target Packs and SDKs installed.
The project properties Target Framework is 4.6. I also tried 4.61.
The project references include both System.Numerics (4.6.81.0) and System.Numerics.Vectors (4.6.81.0).
But all that I get in the System.Numerics namespace is the BigInteger, Complex, Matrix3x2/4x4, Plane, Quaternion, Vector2/3/4.
I do not get Vector< T >.
At this late stage (2019) am I still supposed to install the old NuGet Preview packages to still get the Vector< T >? Is Vector< T > not by now a part of the current .Net 4.6 and 4.61 public releases?
And if I do have to use the old NuGet, is the NuGet package just the relevant information for VS and the JIT, or does that mean that I have to distribute another DLL even though System.Numerics.Vectors is already on the system...
I must be stupid...
Vector<T> is only in the .Net 2.1 standard preview, no it's not part of .Net Framework.
Applies to
.NET Core: 3.0 Preview 3 2.2 2.1 2.0 1.1 1.0
.NET Standard: 2.1 Preview
UWP: 10.0
Xamarin.Android: 7.1
Xamarin.iOS: 10.8
Xamarin.Mac: 3.0
Yes you will have to include the nuget, which will have its own Assembly
is the NuGet package just the relevant information for VS and the JIT
As far as I know there is no compiler magic and Vector<T>, it's just a vanilla struct, so what you are including are the definitions of this structure, this is all.
I am attempting to upgrade to my project from 2.0 to .Net Core 2.1.
I am using the following link as guide though it was for preview:
Upgrading to .NET 2.1
I am currently aware that the Microsoft.Extensions.SecretManager.Tools package is only at version 2.0.2 based on the nuget link: nuget package link
For more details, please see the issue I logged on the .Net Core GitHub page here
Note:
.Net Core 2.1 is installed:
All DotNetCLIReferences were removed
Questions:
Why is there no 2.1.0 version of the Microsoft.Extensions.SecretManager.Tools nuget package after an official release of .Net Core 2.1.0?
Is it possible to resolve this error or do I have to roleback my project to .Net Core 2.0?
You can remove most of your DotNetCliToolReference's in your csproj file in 2.1. Many of the tools such as secretmanager are now global tools which you'll have if you're running the 2.1 SDK. They no longer need to be referenced and brought into your project.
See also: https://learn.microsoft.com/en-us/aspnet/core/migration/20_21?view=aspnetcore-2.1
So I figured it out
Apparently I had referenced the Microsoft.Extensions.SecretManager.Tools package twice, as a DotNetCliReference and as a regular package reference. When I finally removed both references and the secret key information the error was resolved.
I ended up with this because the error initially was complaining that I needed to add the Microsoft.Extensions.SecretManager.Tools version greater or equal to 2.1.0, which clearly does not exist
See screenshots below:
Part 1:
Part 2:
Thanks to everyone in the comments, their comments ultimately assisted me in thinking about the error and double checking.
Our app was originally built with .net core 1.x. We would like to upgrade to .net core 2.0.
I installed the hosting bundle from here. But now I have the 1.0.0 Runtime and 2.0.5 runtime installed.
Do I need to uninstall the 1.0.0 runtime?
How can I tell which runtime my app will use?
The short answer is that you should read the documentation for .NET Core. As Scott Hanselman (PM of the ASP.NET Core team) has pointed out, multiple versions of the .NET Core runtime can be installed side by side without issue
As user Camilo Terevinto pointed out in their comment, the highest version of the runtime will be used when your app is started.
Microsoft has placed a limited life on the 1.0.0 runtime. Since 2.0.0 introduced major changes, that break applications written in 1.0.0. For a more sustainable environment, you should remove the older runtime, then ensure the latest runtime and hosted core package are installed. Those can be found on the document page.
To determine the runtime your application is utilizing, you can find that information within your project. The assembly will include the information of which framework you're actually targeting against.