How to address (suspected) outdated external package dependencies?
We have a .Net Core 6.0 solution and two of the projects have NuGet package references set to Azure.Storage.Blobs 12.14.1 (the latest version at the time of writing):
<ItemGroup>
<PackageReference Include="Azure.Storage.Blobs" Version="12.14.1" />
</ItemGroup>
Today a new security scanning tool that IT are testing flagged up a "critical" issue:
System.Text.Encodings.Web Remote Code Execution (RCE) CVE-2021-26701 CVSS 9.8 Critical
Introduced through: project › Azure.Storage.Blobs 12.14.1 › System.Text.Json 4.7.2 › System.Text.Encodings.Web 4.7.1
I looked at the nuget.org page for Azure.Storage.Blobs and it shows System.Text.Json (>= 4.7.2), which implied to me (perhaps wrongly) that Blobs should work just fine with later versions of Encodings.Web:
I'm only referencing Azure.Storage.Blobs, so does this mean that Azure.Storage.Blobs itself is referencing an out-of-date package?
I'm keen to avoid creating my own dependency on the nested packages when they're not directly used. My research showed that NPM has a way around these issues, but I've been unable to find a NuGet-based solution.
Can anyone please explain what the solution is to ensure that my dependencies are kept secure here?
Central package management offers a feature called transitive pinning to manage (the versions of) transitive/indirect dependencies, without making them direct dependencies.
From the documentation:
Starting with NuGet 6.2, you can centrally manage your dependencies in your projects with the addition of a Directory.Packages.props file and an MSBuild property.
You can automatically override a transitive package version even without an explicit top-level reference by opting into a feature known as transitive pinning. This promotes a transitive dependency to a top-level dependency implicitly on your behalf when necessary.
First enable central package management.
Add a Directory.Packages.props file to e.g. the root of your repository (near your .sln file).
Set ManagePackageVersionsCentrally to true.
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
Include any direct NuGet packages using PackageVersion tags; notice the difference with PackageReference tags.
<Project>
<PropertyGroup>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
</PropertyGroup>
<ItemGroup>
<PackageVersion Include="Azure.Storage.Blobs" Version="12.14.1" />
</ItemGroup>
</Project>
Adjust your .csproj file(s) by removing the Version from any PackageReference tags, since this will now be managed centrally, although you can still override if needed.
<Project Sdk="Microsoft.NET.Sdk">
<ItemGroup>
<PackageReference Include="Azure.Storage.Blobs" />
</ItemGroup>
</Project>
Next enable transitive pinning by setting ManagePackageVersionsCentrally to true.
Add the tag below in a PropertyGroup.
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
Then include the packages concerned.
In your case you can e.g. upgrade and pin System.Text.Json or System.Text.Encodings.Web to a higher version, e.g.:
<PackageVersion Include="System.Text.Json" Version="6.0.7" />
You need to figure out which version applies for your concrete case.
Full Directory.Packages.props example.
The transitive dependencies don't need to be in a separate ItemGroup, but it might be more insightful.
<Project>
<PropertyGroup>
<ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
<CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
</PropertyGroup>
<ItemGroup>
<PackageVersion Include="Azure.Storage.Blobs" Version="12.14.1" />
</ItemGroup>
<!-- Transitive packages -->
<ItemGroup>
<PackageVersion Include="System.Text.Json" Version="6.0.7" />
</ItemGroup>
</Project>
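Pinning alone only changes what NuGet resolves; the check a practitioner wants after `dotnet restore` is that the resolved graph in `obj/project.assets.json` really no longer contains the flagged version. The script below is an added example, not part of the question or the answer above: it reads the `targets` section of an assets file (`targets` -> target framework -> `"Package/Version"` -> `dependencies`), reports which packages pull in a given transitive package, and flags any resolved package below a minimum version you choose. The two embedded assets documents are constructed for this example (they mirror the shape of the real file, with the version numbers from the answer) and the `MINIMUMS` floor of 6.0.0 is an assumption matching the 6.0.7 pin, not a statement of which versions fix CVE-2021-26701.

```python
"""Verify the resolved NuGet graph after transitive pinning.

Reads the project.assets.json that `dotnet restore` writes to obj/ and
checks that each resolved package meets a minimum version. The two sample
assets documents below are constructed for this example; they mirror the
shape of the real file (targets -> TFM -> "Package/Version" -> dependencies)
but are not real restore output.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed: resolved graph with only Azure.Storage.Blobs referenced,
# before any pinning (the chain the scanner reported).
ASSETS_BEFORE_PIN = json.dumps({
    "version": 3,
    "targets": {
        "net6.0": {
            "Azure.Storage.Blobs/12.14.1": {
                "type": "package",
                "dependencies": {"System.Text.Json": "4.7.2"},
            },
            "System.Text.Json/4.7.2": {
                "type": "package",
                "dependencies": {"System.Text.Encodings.Web": "4.7.1"},
            },
            "System.Text.Encodings.Web/4.7.1": {"type": "package"},
        }
    },
})

# Constructed: the same project after pinning System.Text.Json to 6.0.7 in
# Directory.Packages.props. Blobs still *declares* >= 4.7.2, but NuGet now
# resolves the pinned 6.0.7, which in turn pulls a newer Encodings.Web.
ASSETS_AFTER_PIN = json.dumps({
    "version": 3,
    "targets": {
        "net6.0": {
            "Azure.Storage.Blobs/12.14.1": {
                "type": "package",
                "dependencies": {"System.Text.Json": "4.7.2"},
            },
            "System.Text.Json/6.0.7": {
                "type": "package",
                "dependencies": {"System.Text.Encodings.Web": "6.0.0"},
            },
            "System.Text.Encodings.Web/6.0.0": {"type": "package"},
        }
    },
})

# Assumed floor for this example (matches the 6.0.7 pin in the answer);
# decide the real floor from the advisory for your own case.
MINIMUMS = {"System.Text.Encodings.Web": "6.0.0", "System.Text.Json": "6.0.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a NuGet version such as '6.0.7' or '7.0.0-preview.1' into a
    comparable 4-tuple. The prerelease label is dropped, which is good
    enough for a minimum-version floor check."""
    numeric = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in numeric.split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def resolved_packages(assets_json: str, tfm: str) -> Dict[str, str]:
    """Map lower-cased package id -> resolved version for one target
    framework (NuGet compares ids case-insensitively)."""
    target = json.loads(assets_json)["targets"][tfm]
    resolved: Dict[str, str] = {}
    for key, entry in target.items():
        if entry.get("type") != "package":
            continue  # skip project-to-project references
        name, version = key.rsplit("/", 1)
        resolved[name.lower()] = version
    return resolved


def dependents_of(assets_json: str, tfm: str, package: str) -> List[str]:
    """Which resolved packages declare a dependency on `package`? This
    answers "who is pulling in the flagged package" from the assets file."""
    target = json.loads(assets_json)["targets"][tfm]
    wanted = package.lower()
    return sorted(
        key for key, entry in target.items()
        if any(dep.lower() == wanted for dep in entry.get("dependencies", {}))
    )


def check_minimums(assets_json: str, tfm: str, minimums: Dict[str, str]) -> List[str]:
    """Return violations: packages present in the resolved graph at a
    version lower than the floor we decided on. Absent packages are not
    violations; only what actually gets restored matters."""
    resolved = resolved_packages(assets_json, tfm)
    violations = []
    for package, floor in minimums.items():
        actual = resolved.get(package.lower())
        if actual is not None and parse_version(actual) < parse_version(floor):
            violations.append(f"{package} {actual} < {floor}")
    return violations


if __name__ == "__main__":
    for label, assets in (("before pin", ASSETS_BEFORE_PIN), ("after pin", ASSETS_AFTER_PIN)):
        print(label, "pulled in by:", dependents_of(assets, "net6.0", "System.Text.Encodings.Web"))
        print(label, "violations:", check_minimums(assets, "net6.0", MINIMUMS) or "none")
```

To run it against a real project, replace the constructed strings with the contents of `obj/project.assets.json` after `dotnet restore`; `dotnet list package --include-transitive --vulnerable` gives the same answer from the SDK's side and is the check worth wiring into CI so a future package upgrade cannot silently reintroduce an old transitive version.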
Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you need to republish, please credit this site or the original source. For any questions contact: yoyou2525@163.com.