Fix vulnerability found in Microsoft.AspNetCore dependency

[APIWT]

Is your feature request related to a problem? Please describe.
Our application is scanned with Snyk, and the results of the scan have this popping up:

✗ High severity vulnerability found in Microsoft.AspNetCore
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
  Introduced through: [email protected]
  From: [email protected] > [email protected]

Describe the solution you'd like
My guess is that it would be possible to get rid of the dependency on Microsoft.AspNetCore for projects targeting netcoreapp3.1 (though honestly this isn't my area of expertise.

Describe alternatives you've considered
I could likely suppress this warning since we only use WireMock.Net in our test projects, but I don't know if I can get our customer to buy in on this.

Additional context
I really appreciate any help or consideration here!

[StefH]

Hello @APIWT,
I see that WhiteSource also describes the same issue:

I'll take a look on how to fix this.

[APIWT]

Thanks @StefH! Please let me know if there is anything I can do to help.

[StefH]

Can you try WireMock.Net.1.3.0-ci-13770 from MyGet ? (https://github.com/WireMock-Net/WireMock.Net/wiki/MyGet-preview-versions)

[APIWT]

I think I may be doing something silly, but I am getting an error in the restore step. Here is my nuget.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
        <add key="MyGet" value="https://www.myget.org/F/wiremock-net/api/v3/index.json" />
    </packageSources>
</configuration>

Here is the restore error:

error NU1102: Unable to find package WireMock.Net with version (= 1.3.0-ci-13770)

[APIWT]

@StefH So I figured out the restore issue. Here are the two vulnerabilities that appear when I use the preview release:

✗ Medium severity vulnerability found in Microsoft.AspNetCore.Server.IIS
  Description: Open Redirect
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORESERVERIIS-451561
  Introduced through: [email protected]
  From: [email protected] > [email protected] > [email protected]
  Fixed in: 2.2.6

✗ High severity vulnerability found in Microsoft.AspNetCore
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
  Introduced through: [email protected]
  From: [email protected] > [email protected]

[StefH]

1] Should be fixed, please install new MyGet version (can take a few minutes to build and to become available...)

2]
https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
Remediation
There is no fixed version for Microsoft.AspNetCore.

[APIWT]

Hey again! For number 2, I think it is possible to fix this for applications targetting netcoreapp3.1 which use the Microsoft.NET.Sdk.Web SDK. These do not actually need to use Microsoft.AspNetCore as far as I can tell. Does that make sense? The Microsoft.AspNetCore package is end of life.,

[APIWT]

Here is some supporting documentation if it helps: https://docs.microsoft.com/en-us/aspnet/core/migration/22-to-30?view=aspnetcore-3.1&tabs=visual-studio#remove-obsolete-package-references

[StefH]

Can you test if item 1] is solved?

About item 2:
Maybe adding a new target with .NET Core 3.1 could solve it, however I don't know yet the replacement for Microsoft.AspNetCore. I'll need to take a look....

[StefH]

For now, I think the best I could do, is done now.

In case you want to use WireMock in a NetCoreApp 3.1 hosted application, I think the best way to move forward is to follow this idea : #498

What do you think about that?

[StefH]

@APIWT Is it ok that I close this issue and create a new NuGet?

[APIWT]

Sure! It is funny that you mention that approach, we do something similar for a mobile app.

[StefH]

OK, Please keep a watch on #498 and add a comment if needed.

[APIWT]

@StefH Good news, I think I may have a possible solution that doesn't require removing the wire portion of WireMock.Net :)

I was able to add netcoreapp3.0;netcoreapp3.1 to <TargetFrameworks> inside the csproj.

Next, I changed:
<PropertyGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1' or '$(TargetFramework)' == 'netcoreapp2.2'">

To:
<PropertyGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1' or '$(TargetFramework)' == 'netcoreapp2.2' or '$(TargetFramework)' == 'netcoreapp3.0' or '$(TargetFramework)' == 'netcoreapp3.1'">

Then I added the following ItemGroup:

  <ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp3.0' or '$(TargetFramework)' == 'netcoreapp3.1'">
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
    <!-- https://github.com/WireMock-Net/WireMock.Net/issues/448 -->
    <PackageReference Include="CS-Script.Core" Version="1.3.1" />
  </ItemGroup>

The magic here is that I use a FrameworkReference instead of the PackageReference stuff for Microsoft.AspNetCore.

Lastly, I needed to make a minor tweak to HttpClientHandler in CreateHttpClient. I changed:
#if NETSTANDARD

To:
#if NETSTANDARD || USE_ASPNETCORE

This seems to allow me to target netcoreapp3.0 and netcoreapp3.1 without an underlying reference to the Microsoft.AspNetCore* packages.

Is this something that we could potentially see in a future release?

[StefH]

You can make PR for this.

[APIWT]

Great news, I just tried out CI build 13791 and Snyk is very happy :)

I really appreciate your help.