
Update Halibut #700

Merged
merged 2 commits into from
Nov 29, 2023

Conversation

@acodrington (Contributor) commented Nov 28, 2023

Update Halibut to 7.0.285 in order to get fixes for CVE-2021-24112 (as introduced in OctopusDeploy/Halibut#554)

As an added bonus, I pulled up a dependency from Octopus.Tentacle into the automated test projects where it is actually needed.

Background

There is a CVE lodged against the version of System.Drawing.Common being referenced.

Results

Fixes #689
(The other part of the fix is in #694 which has already been merged)

The main result is that there is no remaining production Tentacle code that depends on System.Drawing.Common, implicitly or explicitly.

The _build project still holds an implicit dependency via Nuke.

Octopus.Tentacle had a dependency on System.DirectoryServices.AccountManagement even though there was no code that depended on it. The only indirect usage was in the two instances of TestUserPrincipal (one in Octopus.Tentacle.Tests, the other in Octopus.Tentacle.Tests.Integration), so the dependency has been added to those test projects instead.

Keen eyes may notice that the version of System.DirectoryServices.AccountManagement has also changed, now downgraded from 8.0.0 to 4.5.0. The upgrade from v4.5 -> v8 was done recently as part of this PR, but due to implicit dependencies and the continued need to support .NET Framework 4.8, it caused the following warning to be raised:

3>Microsoft.Common.CurrentVersion.targets(2302,5): Warning MSB3277 : Found conflicts between different versions of "System.Security.Permissions" that could not be resolved.
There was a conflict between "System.Security.Permissions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51" and "System.Security.Permissions, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51".
    "System.Security.Permissions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51" was chosen because it was primary and "System.Security.Permissions, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51" was not.
    References which depend on "System.Security.Permissions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51" [C:\Users\AdrianCodrington\.nuget\packages\system.security.permissions\4.4.0\ref\netstandard2.0\System.Security.Permissions.dll].
        C:\Users\AdrianCodrington\.nuget\packages\system.security.permissions\4.4.0\ref\netstandard2.0\System.Security.Permissions.dll
          Project file item includes which caused reference "C:\Users\AdrianCodrington\.nuget\packages\system.security.permissions\4.4.0\ref\netstandard2.0\System.Security.Permissions.dll".
            C:\Users\AdrianCodrington\.nuget\packages\system.security.permissions\4.4.0\ref\netstandard2.0\System.Security.Permissions.dll
    References which depend on "System.Security.Permissions, Version=8.0.0.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51" [].
        C:\Users\AdrianCodrington\.nuget\packages\system.directoryservices\8.0.0\lib\net6.0\System.DirectoryServices.dll
          Project file item includes which caused reference "C:\Users\AdrianCodrington\.nuget\packages\system.directoryservices\8.0.0\lib\net6.0\System.DirectoryServices.dll".
            C:\Users\AdrianCodrington\.nuget\packages\system.directoryservices\8.0.0\lib\net6.0\System.DirectoryServices.dll
        C:\Users\AdrianCodrington\.nuget\packages\taskscheduler\2.7.2\lib\netstandard2.0\Microsoft.Win32.TaskScheduler.dll
          Project file item includes which caused reference "C:\Users\AdrianCodrington\.nuget\packages\taskscheduler\2.7.2\lib\netstandard2.0\Microsoft.Win32.TaskScheduler.dll".
            C:\Users\AdrianCodrington\.nuget\packages\taskscheduler\2.7.2\lib\netstandard2.0\Microsoft.Win32.TaskScheduler.dll
            C:\dev\OctopusTentacle\source\Octopus.Tentacle\bin\net6.0\Tentacle.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Configuration.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Configuration.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Configuration.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Data.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Data.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Data.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Drawing.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Drawing.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Drawing.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Net.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Net.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Net.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Security.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Security.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Security.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.ServiceProcess.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.ServiceProcess.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.ServiceProcess.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Transactions.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.Transactions.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.Transactions.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\System.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/System.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\WindowsBase.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\WindowsBase.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/WindowsBase.dll
        C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\mscorlib.dll
          Project file item includes which caused reference "C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref\net6.0\mscorlib.dll".
            C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\6.0.25\ref/net6.0/mscorlib.dll
            C:\Users\AdrianCodrington\.nuget\packages\microsoft.codecoverage\17.3.2\lib\netcoreapp1.0\Microsoft.VisualStudio.CodeCoverage.Shim.dll
            C:\Users\AdrianCodrington\.nuget\packages\octopus.client\14.3.980\lib\netstandard2.0\Octopus.Client.dll
            C:\dev\OctopusTentacle\source\Octopus.Tentacle\bin\net6.0\Tentacle.dll

As there was no reason other than the CVE to upgrade this assembly, I reverted this upgrade to avoid unnecessary warnings and potential conflicts.

Before

(screenshot; image not included)

After

(screenshot; image not included)

How to review this PR

Quality ✔️

Pre-requisites

  • I have read How we use GitHub Issues for help deciding when and where it's appropriate to make an issue.
  • I have considered informing or consulting the right people, according to the ownership map.
  • I have considered appropriate testing for my change.

@acodrington acodrington requested a review from a team as a code owner November 28, 2023 07:55
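The PR description's central claim is that no production Tentacle code still depends on System.Drawing.Common, implicitly or explicitly, while the `_build` project keeps an implicit dependency via Nuke. Checking that kind of claim means walking the restore graph rather than grepping csproj files. The script below is an added example, not code from the Octopus Tentacle project: it reads the `targets` and `project` sections of a NuGet `obj/project.assets.json`, reports every path from a direct package reference down to a package you name, and shows the version requested at each hop beside the single version NuGet actually resolved. The assets document embedded in it is constructed for illustration (the package `Example.Imaging` and the dependency edges are invented) and does not reproduce the real dependency tree of Halibut, Nuke or Octopus.Tentacle; the "fixed" version passed to `resolved_below` is meant to be taken from the advisory for the CVE being chased.

```python
"""Trace which direct package references pull a given NuGet package in
transitively, using the restore output (obj/project.assets.json).

Added example; not code from the Octopus Tentacle project.  The assets
document below is constructed for illustration and does not reproduce the
real dependency tree of Halibut, Nuke or Octopus.Tentacle.
"""
import json
from typing import Dict, List, Tuple

# (package id, version requested at this hop, version NuGet resolved for it)
Hop = Tuple[str, str, str]

# Constructed sample of the parts of project.assets.json this script reads.
# NuGet keeps one resolved version per package id under `targets`, so the
# "4.7.0" that Example.Imaging asks for is satisfied by the single 5.0.0 node.
SAMPLE_ASSETS_JSON = r"""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Halibut/7.0.209": {
        "type": "package",
        "dependencies": { "Example.Imaging": "1.0.0", "Newtonsoft.Json": "13.0.1" }
      },
      "Example.Imaging/1.0.0": {
        "type": "package",
        "dependencies": { "System.Drawing.Common": "4.7.0" }
      },
      "Nuke.Common/7.0.2": {
        "type": "package",
        "dependencies": { "System.Drawing.Common": "5.0.0" }
      },
      "System.Drawing.Common/5.0.0": { "type": "package" },
      "Newtonsoft.Json/13.0.1": { "type": "package" },
      "System.DirectoryServices.AccountManagement/4.5.0": { "type": "package" }
    }
  },
  "project": {
    "frameworks": {
      "net6.0": {
        "dependencies": {
          "Halibut": { "target": "Package", "version": "[7.0.209, )" },
          "Nuke.Common": { "target": "Package", "version": "[7.0.2, )" },
          "System.DirectoryServices.AccountManagement": { "target": "Package", "version": "[4.5.0, )" }
        }
      }
    }
  }
}
"""


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_ASSETS_JSON)


def load_graph(assets: dict, framework: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return (resolved, deps) keyed by lower-cased package id: the version
    NuGet resolved for each package, and each package's declared dependencies
    (dependency id -> requested version or range)."""
    resolved: Dict[str, str] = {}
    deps: Dict[str, Dict[str, str]] = {}
    for key, node in assets["targets"][framework].items():
        if node.get("type") != "package":
            continue  # skip project-to-project references
        pkg_id, version = key.split("/", 1)
        resolved[pkg_id.lower()] = version
        deps[pkg_id.lower()] = node.get("dependencies", {})
    return resolved, deps


def find_paths(assets: dict, framework: str, wanted: str) -> List[List[Hop]]:
    """Every path from a direct project dependency down to `wanted`."""
    resolved, deps = load_graph(assets, framework)
    paths: List[List[Hop]] = []

    def walk(pkg_id: str, requested: str, trail: List[Hop], seen: frozenset) -> None:
        key = pkg_id.lower()
        if key in seen:
            return  # cycle guard; restore graphs can contain cycles
        trail = trail + [(pkg_id, requested, resolved.get(key, "?"))]
        if key == wanted.lower():
            paths.append(trail)
            return
        for dep_id, dep_range in deps.get(key, {}).items():
            walk(dep_id, dep_range, trail, seen | {key})

    direct = assets["project"]["frameworks"][framework]["dependencies"]
    for pkg_id, spec in direct.items():
        walk(pkg_id, spec.get("version", "?"), [], frozenset())
    return paths


def format_path(path: List[Hop]) -> str:
    return " -> ".join(f"{pid} (requested {req}, resolved {res})" for pid, req, res in path)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a NuGet version; enough to order release versions,
    pre-release suffixes are dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def resolved_below(assets: dict, framework: str, wanted: str, fixed: str) -> bool:
    """True if `wanted` is in the graph at a version older than `fixed`
    (take `fixed` from the advisory for the CVE you are chasing)."""
    resolved, _ = load_graph(assets, framework)
    current = resolved.get(wanted.lower())
    return current is not None and version_tuple(current) < version_tuple(fixed)


if __name__ == "__main__":
    sample = load_sample()
    for p in find_paths(sample, "net6.0", "System.Drawing.Common"):
        print(format_path(p))
```

Run against a real `obj/project.assets.json` (load it with `json.load` in place of the sample) per project, once for each target framework key under `targets`, because the .NET Framework 4.8 and net6.0 graphs in a multi-targeted project resolve independently and one can still carry the package after the other is clean.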
@acodrington (Contributor Author)

[sc-65659]

@evolutionise (Contributor) left a comment
Happy for this to go out now.

I have one question out of curiosity though - in your description you say you updated the two service management libraries to 5, but they're actually 4.x. Was there a reason to move it down from 5?

@@ -28,7 +28,7 @@
</Otherwise>
</Choose>
<ItemGroup>
<PackageReference Include="Halibut" Version="7.0.209" />
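Review bot: the rendered hunk shows only the pre-change line `<PackageReference Include="Halibut" Version="7.0.209" />`, not its replacement, so confirm in the full diff that the new value is the 7.0.285 the description names and that the `<Choose>`/`<Otherwise>` block directly above it does not hold a second, framework-conditional Halibut reference that was left at 7.0.209. Since the version is pinned inline in this project's `<ItemGroup>`, the same check applies to every other project that references Halibut (the review question about Server points at one); running `dotnet list package --vulnerable --include-transitive` from the solution root is a quick way to confirm that no project still resolves a System.Drawing.Common build flagged by the advisory.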
Contributor (comment on the diff):
Do we also need to update the corresponding version in Server? I assume it's not required, but possibly a nice tidy-up to do.

Contributor Author (reply):
Great point! I didn't think of Server but yes, I'd say we should remove the potential vulnerability there too by upgrading. I'll take care of that.

@acodrington (Contributor Author) commented Nov 29, 2023

I have one question out of curiosity though - in your description you say you updated the two service management libraries to 5, but they're actually 4.x. Was there a reason to move it down from 5?

Typo 🤦🏻

One of the other upgraded dependencies from the other PR was 5 -> 8, and I got them mixed up. I've now double checked and the code is fine, so I've updated the description.

@acodrington acodrington merged commit 5a4fa6d into main Nov 29, 2023
40 checks passed
@acodrington acodrington deleted the sast/system-drawing-cve branch November 29, 2023 00:35
Successfully merging this pull request may close these issues: Upgrade all usages of System.Drawing.Common in Tentacle
2 participants