Fix component detection alert for microsoft.owin package #4841
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
erdembayar
commented
Oct 4, 2022
| @@ -654,12 +654,12 @@ function Test-InstallPackageAPIInstalledLowerVersionPackage | |||
| $p = New-ClassLibrary | |||
|
|
|||
| # Act | |||
| [API.Test.InternalAPITestHook]::InstallPackageApi("microsoft.owin","2.0.0") | |||
| [API.Test.InternalAPITestHook]::InstallPackageApi("microsoft.owin","3.0.0") | |||
| [API.Test.InternalAPITestHook]::InstallPackageApi("nuget.librarymodel","6.2.0") | |||
There was a problem hiding this comment.
We can't use microsoft.owin package any, because all versions except last 4.2.2 version has vulnerabilities. but we need 2 versions for this test. So, I replaced the package with something doesn't have any vulnerabilities.
heng-liu
approved these changes
Oct 5, 2022
jeffkl
approved these changes
Oct 5, 2022
Number of End2nd tests stays the same. |
erdembayar
added a commit
that referenced
this pull request
Oct 5, 2022
* Remove package for Microsoft.Owin in End2end test
8 tasks
erdembayar
added a commit
that referenced
this pull request
Oct 6, 2022
AdmiringWorm
added a commit
to chocolatey/NuGet.Client
that referenced
this pull request
Dec 19, 2022
Insert 6.4.0-rc.123 into rel/d17.4 on 11/07/2022 23:47:12 * tag '6.4.0.123': (60 commits) fix a logic error that caused AbandonedMutexException while executing migrations (release-6.4.x) (NuGet#4895) unblock source build failing due to fatal: transport 'file' not allowed error (NuGet#4867) (NuGet#4874) Signing: update to August 2022 CTL (NuGet#4791) (NuGet#4850) Merged PR 422933: Prefer BCL Directory create API over helper class (7.0.1xx-rc2) Fix empty combobox when package is not present in project file (NuGet#4844) (NuGet#4848) Fix component detection alert for microsoft.owin package (NuGet#4841) (NuGet#4845) Make release label RC, move to escrow mode Adds special case to include transitive origins in GetInstalledAndTransitivePackagesAsync API (NuGet#4824) Add longPathAware manifest to NuGet.Build.Tasks.Console (NuGet#4830) VsPackageInstallerServices should not post ProjectNotNominatedException faults (NuGet#4814) Skip test GetOrCreateAsync_WithUnhandledExceptionInPlugin_Throws (NuGet#4831) Improve OptProf pipeline job run names (NuGet#4825) Increase HttpClientHandler.MaxConnectionsPerServer to 64 to improve PM UI performance in Visual Studio (NuGet#4798) Suppress CA2213 warnings to unblock dev branch (NuGet#4823) Ensure IsVsOfflineFeed is calculated correctly on 64-bit machines (NuGet#4817) Add better handling of AggregateExceptions in static graph-based restore (NuGet#4809) Add Component Detection task into each pipeline (NuGet#4813) Localizes nuget.exe with default, embedded resource assembly lookup (NuGet#4773) Removes BrowseObjectBase class in NuGet Solution Explorer (NuGet#4807) Improve TryCreateContext (NuGet#4762) ...
nkolev92
pushed a commit
that referenced
this pull request
Sep 29, 2023
* Remove package for Microsoft.Owin in End2end test
nkolev92
pushed a commit
that referenced
this pull request
Sep 29, 2023
* Remove package for Microsoft.Owin in End2end test
nkolev92
pushed a commit
that referenced
this pull request
Sep 29, 2023
* Remove package for Microsoft.Owin in End2end test
nkolev92
added a commit
that referenced
this pull request
Oct 2, 2023
* Update dependencies in E2E tests (#4767) * Fix component detection alert for microsoft.owin package (#4841) * Remove package for Microsoft.Owin in End2end test * Address component detection failure newtonsoft.json 4.0.1 (#4934) * remove unused Moq package from E2E test (#5358) --------- Co-authored-by: Heng Liu <[email protected]> Co-authored-by: Erick Yondon <[email protected]> Co-authored-by: Martin Ruiz <[email protected]>
nkolev92
added a commit
that referenced
this pull request
Oct 2, 2023
* Update dependencies in E2E tests (#4767) * Fix component detection alert for microsoft.owin package (#4841) * Remove package for Microsoft.Owin in End2end test * Address component detection failure newtonsoft.json 4.0.1 (#4934) * remove unused Moq package from E2E test (#5358) * Use net6.0-windows --------- Co-authored-by: Heng Liu <[email protected]> Co-authored-by: Erick Yondon <[email protected]> Co-authored-by: Martin Ruiz <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug
Fixes: https://github.com/NuGet/Client.Engineering/issues/1890
Regression? Last working version:
Description
Currently 4 security alerts (for
microsoft.owinpackages) from component detection task blocking official CI pipeline. This PR is for replacing vulnerable microsoft.own package version with latest one.I removed
WebApplication45WebSite.ziptemplate for End2end tests because it has many references to vulnerable version of Microsoft.Owin, by removing it we prevent from accidental usage of that template in the future.PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation