Microsoft.ApplicationInsights.AspNetCore used deprecated NuGet packages #2811

Open
MarcoK80 opened this issue Sep 7, 2023 · 8 comments

MarcoK80 commented Sep 7, 2023

`dotnet list package --outdated` / `--deprecated` shows the packages

Microsoft.ApplicationInsights.AspNetCore 2.21.0
Microsoft.ApplicationInsights.Profiler.AspNetCore 2.5.3
Microsoft.ApplicationInsights.Profiler.Core 2.5.3

as outdated and, if we update them, the deprecated packages
Microsoft.AspNetCore.Hosting
Microsoft.AspNetCore.Http

Is there any plan to migrate these packages to full .NET Core 7 or .NET Core 8 support?

@agehrke
Contributor

agehrke commented Jan 3, 2024

> Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1.
> Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http.
> We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.

A comment inside Microsoft.ApplicationInsights.AspNetCore.csproj. Seems like the comment was long forgotten.

@Thowk

Thowk commented Jan 4, 2024

It is worth mentioning that there is a vulnerability in Microsoft.AspNetCore.Http.Features 2.1.1: Denial of Service (DoS).

The workaround is to add an explicit dependency on "Microsoft.AspNetCore.Http.Features" Version="5.0.17", which has no vulnerabilities, and it fixes SCA scan issues (in my case).

Anyway, I would greatly appreciate an update on this ticket.
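
To see which direct reference drags in the flagged package and whether an explicit pin like the one in the comment above actually changed the resolved version, the following added example (not code from this thread or from the project) walks the `targets` and `projectFileDependencyGroups` sections of NuGet's `obj/project.assets.json`. The `net6.0` target, the Hosting version and the dependency edges in the sample are constructed for illustration; only the package names and the 2.21.0, 2.1.1 and 5.0.17 versions come from the thread.

```python
import json

AI = "Microsoft.ApplicationInsights.AspNetCore"
HOSTING = "Microsoft.AspNetCore.Hosting"
FEATURES = "Microsoft.AspNetCore.Http.Features"

def sample_assets(features_version, direct):
    """Constructed, simplified stand-in for obj/project.assets.json (not the real graph)."""
    return {
        "targets": {"net6.0": {
            AI + "/2.21.0": {"dependencies": {HOSTING: "2.1.1"}},
            HOSTING + "/2.1.1": {"dependencies": {FEATURES: "2.1.1"}},
            FEATURES + "/" + features_version: {},
        }},
        "projectFileDependencyGroups": {"net6.0": direct},
    }

def resolved(assets, tfm):
    """Map package id -> (resolved version, ids it depends on) for one target framework."""
    out = {}
    for key, lib in assets["targets"][tfm].items():
        pkg, version = key.split("/", 1)          # keys look like "Id/1.2.3"
        out[pkg] = (version, list(lib.get("dependencies", {})))
    return out

def paths_to(assets, tfm, target):
    """Every chain from a direct PackageReference down to `target`."""
    graph, chains = resolved(assets, tfm), []
    def walk(pkg, chain):
        if pkg in chain or pkg not in graph:      # cycle, or not resolved in this target
            return
        chain = chain + [pkg]
        if pkg == target:
            chains.append(chain)
            return
        for dep in graph[pkg][1]:
            walk(dep, chain)
    for entry in assets["projectFileDependencyGroups"][tfm]:
        walk(entry.split()[0], [])                # entries look like "Id >= 1.2.3"
    return chains

def check_pin(assets, tfm, target, minimum):
    """Return (resolved version, meets minimum?). Assumes plain numeric versions."""
    version = resolved(assets, tfm)[target][0]
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return version, as_tuple(version) >= as_tuple(minimum)

if __name__ == "__main__":
    # For a real project: assets = json.load(open("obj/project.assets.json"))
    pinned = sample_assets("5.0.17", [AI + " >= 2.21.0", FEATURES + " >= 5.0.17"])
    print(paths_to(pinned, "net6.0", FEATURES), check_pin(pinned, "net6.0", FEATURES, "5.0.17"))
```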

@patelriki13

Hi @TimothyMothra

Any updates on this? Any ETA?

Because the Microsoft.AspNetCore.Http package has vulnerability CVE-2020-1045

#2199

> We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.

So any ETA?

@MichaCo
Contributor

MichaCo commented Mar 12, 2024

Any update / plans on this @TimothyMothra?
I would expect the library to multi-target Net6 and Net8 by now to include the proper AspNetCore framework dependencies instead of totally outdated NuGet references.

My team has been using App Insights in .NET Core for microservices for years now, and with the latest changes to how Net6/8 references framework dependencies, it is really painful to include this NuGet package with all the old/outdated DLLs, which all end up in every service's bin / publish dir...
And this is ignoring the fact that those old packages have security vulnerabilities now.

antymon4o added a commit to antymon4o/ApplicationInsights-dotnet that referenced this issue Mar 28, 2024
Remove package references to nugets Microsoft.AspNetCore.* because they are deprecated.
For AspNetCore -framework reference to Microsoft.AspNetCore.App is added.

microsoft#2811
@antymon4o

I have proposed changes just for Microsoft.ApplicationInsights.AspNetCore in the linked PR #2860.

I hope that @TimothyMothra will soon have time to review the changes and they will find a way to the main branch.

There is no code change, so no expected behavior change. Just the package references to Microsoft.AspNetCore.* are replaced with a framework reference to Microsoft.AspNetCore.App.

ApplicationInsights.AspNetCore is targeted to netcoreapp3.1, although it is not supported anymore, but this way it will still be possible for any legacy applications running on .net 3.1 to use AI.

The tests are passing.

@EntityAdam

Bump, this package has an active vulnerability, and I can't pass the Veracode scan, so a customer's app can't be deployed.

@TimothyMothra
Member

> Bump, this package has an active vulnerability, and I can't pass the Veracode scan, so a customer's app can't be deployed.

@EntityAdam, I just checked and I don't see any vulnerabilities in our reports. Do you have a CVE number that you can share?

@patelriki13

> Hi @TimothyMothra
>
> Any updates on this? Any ETA?
>
> Because the Microsoft.AspNetCore.Http package has vulnerability CVE-2020-1045
>
> #2199
>
> > We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
>
> So any ETA?

@TimothyMothra

I already linked the number.
