[Feature Request] Remove the indirect dependency on system.drawing.common #2577
This was introduced to fix a CVE: #2011
Here are the direct dependencies of System.Drawing.Common
dotnet list .\Microsoft.Identity.Web.TokenCache.csproj package
Project 'Microsoft.Identity.Web.TokenCache' has the following package references
[netcoreapp3.1]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 3.1.30 3.1.30
> Microsoft.Extensions.Caching.Memory 3.1.30 3.1.30
> Microsoft.Extensions.Logging 3.1.30 3.1.30
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 6.0.3 6.0.3
[net462]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 5.0.8 5.0.8
> Microsoft.Extensions.Caching.Memory 5.0.0 5.0.0
> Microsoft.Extensions.Logging 5.0.0 5.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 6.0.1 6.0.1
> System.Text.Encodings.Web 6.0.0 6.0.0
[net472]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 2.1.0 2.1.0
> Microsoft.Extensions.Caching.Memory 2.1.0 2.1.0
> Microsoft.Extensions.DependencyInjection 2.1.0 2.1.0
> Microsoft.Extensions.Logging 2.1.0 2.1.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 4.7.1 4.7.1
> System.Text.Encodings.Web 4.7.2 4.7.2
[netstandard2.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 2.1.0 2.1.0
> Microsoft.Extensions.Caching.Memory 2.1.0 2.1.0
> Microsoft.Extensions.DependencyInjection 2.1.0 2.1.0
> Microsoft.Extensions.Logging 2.1.0 2.1.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> NETStandard.Library (A) [2.0.3, ) 2.0.3
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 4.7.1 4.7.1
> System.Text.Encodings.Web 4.7.2 4.7.2
[net6.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 6.0.0 6.0.0
> Microsoft.Extensions.Caching.Memory 6.0.0 6.0.0
> Microsoft.Extensions.Logging 6.0.0 6.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 6.0.4 6.0.4
> System.Security.Cryptography.Xml 6.0.1 6.0.1
[net7.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 7.0.0 7.0.0
> Microsoft.Extensions.Caching.Memory 7.0.0 7.0.0
> Microsoft.Extensions.Logging 7.0.0 7.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Drawing.Common 4.7.2 4.7.2
> System.Security.Cryptography.Pkcs 7.0.3 7.0.3
> System.Security.Cryptography.Xml 7.0.1 7.0.1
@waterstonemf which target framework do you build for?
System.Drawing.Common is only an indirect dependency in .NET Core 3.1 (which is out of support).
Project 'Microsoft.Identity.Web.TokenCache' has the following package references
[netcoreapp3.1]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 3.1.30 3.1.30
> Microsoft.Extensions.Caching.Memory 3.1.30 3.1.30
> Microsoft.Extensions.Logging 3.1.30 3.1.30
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Security.Cryptography.Pkcs 6.0.3 6.0.3
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 3.1.30
> Microsoft.AspNetCore.DataProtection.Abstractions 3.1.30
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 3.1.30
> Microsoft.Extensions.Configuration 3.1.30
> Microsoft.Extensions.Configuration.Abstractions 3.1.30
> Microsoft.Extensions.Configuration.Binder 3.1.30
> Microsoft.Extensions.DependencyInjection 3.1.30
> Microsoft.Extensions.DependencyInjection.Abstractions 3.1.30
> Microsoft.Extensions.FileProviders.Abstractions 3.1.30
> Microsoft.Extensions.Hosting.Abstractions 3.1.30
> Microsoft.Extensions.Logging.Abstractions 3.1.30
> Microsoft.Extensions.Options 3.1.30
> Microsoft.Extensions.Primitives 3.1.30
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.NETCore.Platforms 3.1.0
> Microsoft.SourceLink.Common 1.0.0
> Microsoft.Win32.Registry 4.7.0
> Microsoft.Win32.SystemEvents 4.7.0
> System.Buffers 4.5.1
> System.Drawing.Common 4.7.0
> System.Formats.Asn1 6.0.0
> System.Memory 4.5.4
> System.Security.AccessControl 4.7.0
> System.Security.Cryptography.Cng 5.0.0
> System.Security.Cryptography.Xml 4.7.1
> System.Security.Permissions 4.7.0
> System.Security.Principal.Windows 4.7.0
> System.Windows.Extensions 4.7.0
[net462]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 5.0.8 5.0.8
> Microsoft.Extensions.Caching.Memory 5.0.0 5.0.0
> Microsoft.Extensions.Logging 5.0.0 5.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 6.0.1 6.0.1
> System.Text.Encodings.Web 6.0.0 6.0.0
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 5.0.8
> Microsoft.AspNetCore.DataProtection.Abstractions 5.0.8
> Microsoft.Bcl.AsyncInterfaces 5.0.0
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 5.0.0
> Microsoft.Extensions.Configuration.Abstractions 5.0.0
> Microsoft.Extensions.DependencyInjection 5.0.0
> Microsoft.Extensions.DependencyInjection.Abstractions 5.0.0
> Microsoft.Extensions.FileProviders.Abstractions 5.0.0
> Microsoft.Extensions.Hosting.Abstractions 5.0.0
> Microsoft.Extensions.Logging.Abstractions 5.0.0
> Microsoft.Extensions.Options 5.0.0
> Microsoft.Extensions.Primitives 5.0.0
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.SourceLink.Common 1.0.0
> Microsoft.Win32.Registry 5.0.0
> System.Buffers 4.5.1
> System.Diagnostics.DiagnosticSource 5.0.0
> System.Memory 4.5.4
> System.Numerics.Vectors 4.5.0
> System.Runtime.CompilerServices.Unsafe 6.0.0
> System.Runtime.InteropServices.RuntimeInformation 4.3.0
> System.Security.AccessControl 6.0.0
> System.Security.Principal.Windows 5.0.0
> System.Threading.Tasks.Extensions 4.5.4
> System.ValueTuple 4.5.0
[net472]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 2.1.0 2.1.0
> Microsoft.Extensions.Caching.Memory 2.1.0 2.1.0
> Microsoft.Extensions.DependencyInjection 2.1.0 2.1.0
> Microsoft.Extensions.Logging 2.1.0 2.1.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 4.7.1 4.7.1
> System.Text.Encodings.Web 4.7.2 4.7.2
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 2.1.0
> Microsoft.AspNetCore.DataProtection.Abstractions 2.1.0
> Microsoft.AspNetCore.Hosting.Abstractions 2.1.0
> Microsoft.AspNetCore.Hosting.Server.Abstractions 2.1.0
> Microsoft.AspNetCore.Http.Abstractions 2.1.0
> Microsoft.AspNetCore.Http.Features 2.1.0
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 2.1.0
> Microsoft.Extensions.Configuration 2.1.0
> Microsoft.Extensions.Configuration.Abstractions 2.1.0
> Microsoft.Extensions.Configuration.Binder 2.1.0
> Microsoft.Extensions.DependencyInjection.Abstractions 2.1.0
> Microsoft.Extensions.FileProviders.Abstractions 2.1.0
> Microsoft.Extensions.Hosting.Abstractions 2.1.0
> Microsoft.Extensions.Logging.Abstractions 2.1.0
> Microsoft.Extensions.Options 2.1.0
> Microsoft.Extensions.Primitives 2.1.0
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.SourceLink.Common 1.0.0
> Microsoft.Win32.Registry 4.5.0
> System.Buffers 4.5.1
> System.Memory 4.5.4
> System.Numerics.Vectors 4.5.0
> System.Runtime.CompilerServices.Unsafe 4.5.3
> System.Security.AccessControl 4.7.0
> System.Security.Permissions 4.7.0
> System.Security.Principal.Windows 4.7.0
[netstandard2.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 2.1.0 2.1.0
> Microsoft.Extensions.Caching.Memory 2.1.0 2.1.0
> Microsoft.Extensions.DependencyInjection 2.1.0 2.1.0
> Microsoft.Extensions.Logging 2.1.0 2.1.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> NETStandard.Library (A) [2.0.3, ) 2.0.3
> System.Security.Cryptography.Pkcs 7.0.2 7.0.2
> System.Security.Cryptography.Xml 4.7.1 4.7.1
> System.Text.Encodings.Web 4.7.2 4.7.2
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 2.1.0
> Microsoft.AspNetCore.DataProtection.Abstractions 2.1.0
> Microsoft.AspNetCore.Hosting.Abstractions 2.1.0
> Microsoft.AspNetCore.Hosting.Server.Abstractions 2.1.0
> Microsoft.AspNetCore.Http.Abstractions 2.1.0
> Microsoft.AspNetCore.Http.Features 2.1.0
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 2.1.0
> Microsoft.Extensions.Configuration 2.1.0
> Microsoft.Extensions.Configuration.Abstractions 2.1.0
> Microsoft.Extensions.Configuration.Binder 2.1.0
> Microsoft.Extensions.DependencyInjection.Abstractions 2.1.0
> Microsoft.Extensions.FileProviders.Abstractions 2.1.0
> Microsoft.Extensions.Hosting.Abstractions 2.1.0
> Microsoft.Extensions.Logging.Abstractions 2.1.0
> Microsoft.Extensions.Options 2.1.0
> Microsoft.Extensions.Primitives 2.1.0
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.NETCore.Platforms 1.1.0
> Microsoft.SourceLink.Common 1.0.0
> Microsoft.Win32.Registry 4.5.0
> System.Buffers 4.5.1
> System.Formats.Asn1 7.0.0
> System.Memory 4.5.5
> System.Numerics.Vectors 4.4.0
> System.Runtime.CompilerServices.Unsafe 4.5.3
> System.Security.AccessControl 4.7.0
> System.Security.Cryptography.Cng 5.0.0
> System.Security.Permissions 4.7.0
> System.Security.Principal.Windows 4.7.0
[net6.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 6.0.0 6.0.0
> Microsoft.Extensions.Caching.Memory 6.0.0 6.0.0
> Microsoft.Extensions.Logging 6.0.0 6.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Security.Cryptography.Pkcs 6.0.4 6.0.4
> System.Security.Cryptography.Xml 6.0.1 6.0.1
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 6.0.0
> Microsoft.AspNetCore.DataProtection.Abstractions 6.0.0
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 6.0.0
> Microsoft.Extensions.Configuration.Abstractions 6.0.0
> Microsoft.Extensions.DependencyInjection 6.0.0
> Microsoft.Extensions.DependencyInjection.Abstractions 6.0.0
> Microsoft.Extensions.FileProviders.Abstractions 6.0.0
> Microsoft.Extensions.Hosting.Abstractions 6.0.0
> Microsoft.Extensions.Logging.Abstractions 6.0.0
> Microsoft.Extensions.Options 6.0.0
> Microsoft.Extensions.Primitives 6.0.0
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.SourceLink.Common 1.0.0
> System.Diagnostics.DiagnosticSource 6.0.0
> System.Formats.Asn1 6.0.0
> System.Runtime.CompilerServices.Unsafe 6.0.0
> System.Security.AccessControl 6.0.0
[net7.0]:
Top-level Package Requested Resolved
> Microsoft.AspNetCore.DataProtection 7.0.0 7.0.0
> Microsoft.Extensions.Caching.Memory 7.0.0 7.0.0
> Microsoft.Extensions.Logging 7.0.0 7.0.0
> Microsoft.Identity.Client 4.57.0 4.57.0
> Microsoft.SourceLink.GitHub 1.0.0 1.0.0
> System.Security.Cryptography.Pkcs 7.0.3 7.0.3
> System.Security.Cryptography.Xml 7.0.1 7.0.1
Transitive Package Resolved
> Microsoft.AspNetCore.Cryptography.Internal 7.0.0
> Microsoft.AspNetCore.DataProtection.Abstractions 7.0.0
> Microsoft.Build.Tasks.Git 1.0.0
> Microsoft.Extensions.Caching.Abstractions 7.0.0
> Microsoft.Extensions.Configuration.Abstractions 7.0.0
> Microsoft.Extensions.DependencyInjection 7.0.0
> Microsoft.Extensions.DependencyInjection.Abstractions 7.0.0
> Microsoft.Extensions.FileProviders.Abstractions 7.0.0
> Microsoft.Extensions.Hosting.Abstractions 7.0.0
> Microsoft.Extensions.Logging.Abstractions 7.0.0
> Microsoft.Extensions.Options 7.0.0
> Microsoft.Extensions.Primitives 7.0.0
> Microsoft.Identity.Web.Diagnostics 2.7.0-localbuild
> Microsoft.IdentityModel.Abstractions 6.22.0
> Microsoft.SourceLink.Common 1.0.0
> System.Formats.Asn1 7.0.0
Currently we are building on .NET 6, may upgrade to .NET 8 in the future.
…ting #2577 (#2578)
* Remove no longer necessary dependencies while investigating #2577
* Surgically re-injecting the dependency
* Fixing the CVE-2021-24112 in the sample apps by updating Redis
* Adding .NET 8 targets
* Suppressions for .NET 8
@waterstonemf. This is fixed in master. This will be in IdWeb 2.15.4
Thank you @jmprieur for such a quick fix!
Is your feature request related to a problem? Please describe.
We're using microsoft.identity.web.2.12.4 in an ASP.NET Core web API project, and the web API will be deployed in a Kubernetes cluster environment.
microsoft.identity.web.2.12.4 has an indirect dependency on system.drawing.common.4.7.2. The dependency path is as below:
microsoft.identity.web.2.12.4.nupkg
↓
microsoft.identity.web.tokenacquisition.2.12.4.nupkg
↓
microsoft.identity.web.tokencache.2.12.4.nupkg
↓
system.drawing.common.4.7.2.nupkg
Per the description in "System.Drawing.Common only supported on Windows" (https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/6.0/system-drawing-common-windows-only), our team is required to remove any direct/indirect dependency on the System.Drawing.Common library from our API project.
So we're investigating how to fix this issue.
Describe the solution you'd like
Provide a microsoft.identity.web version without any dependency on system.drawing.common
Describe alternatives you've considered
none
Additional context
none
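A build-time check for the requirement described in this issue, as an added example that is not part of the original thread or the project's code: it parses the text layout of `dotnet list package --include-transitive` shown in the comments and reports every target framework where a banned package resolves, directly or transitively. The function name `find_package` and the sample report (condensed from the listings quoted in this thread) are constructed for illustration.

```python
import re
import sys

# Constructed sample, condensed from the listings quoted in this thread.
SAMPLE = """\
Project 'Microsoft.Identity.Web.TokenCache' has the following package references
   [netcoreapp3.1]:
   Top-level Package                       Requested   Resolved
   > Microsoft.Identity.Client             4.57.0      4.57.0
   Transitive Package                      Resolved
   > Microsoft.Win32.SystemEvents          4.7.0
   > System.Drawing.Common                 4.7.0
   [netstandard2.0]:
   Top-level Package                       Requested   Resolved
   > NETStandard.Library             (A)   [2.0.3, )   2.0.3
   > System.Drawing.Common                 4.7.2       4.7.2
   [net6.0]:
   Top-level Package                       Requested   Resolved
   > Microsoft.Identity.Client             4.57.0      4.57.0
   Transitive Package                      Resolved
   > System.Formats.Asn1                   6.0.0
"""

FRAMEWORK = re.compile(r"^\[(?P<tfm>[^\]]+)\]:$")
PACKAGE = re.compile(r"^>\s+(?P<name>\S+)\s+(?P<rest>.+)$")


def find_package(report, banned):
    """Return (framework, kind, resolved_version) for each occurrence of `banned`."""
    hits, tfm, kind = [], None, None
    for raw in report.splitlines():
        line = raw.strip()
        m = FRAMEWORK.match(line)
        if m:                                   # new target-framework section
            tfm, kind = m.group("tfm"), None
        elif line.startswith("Top-level Package"):
            kind = "direct"
        elif line.startswith("Transitive Package"):
            kind = "transitive"
        else:
            m = PACKAGE.match(line)
            # NuGet package IDs are case-insensitive.
            if m and m.group("name").lower() == banned.lower():
                # Resolved version is the last column; "(A)" or a range may precede it.
                hits.append((tfm, kind, m.group("rest").split()[-1]))
    return hits


if __name__ == "__main__":
    report = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = find_package(report, "System.Drawing.Common")
    for tfm, kind, version in hits:
        print(f"{tfm}: {kind} reference to System.Drawing.Common {version}")
    sys.exit(1 if hits else 0)                  # non-zero exit fails the build
```

Piping the real command output into the script makes it usable as a CI gate; only the frameworks an application actually targets matter for its deployment.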