
[BUG] Microsoft.Azure.Data.SchemaRegistry.ApacheAvro installs with 3 High security vulnerabilities #43021

Closed
rido-min opened this issue Mar 27, 2024 · 5 comments
Labels: Client (This issue points to a problem in the data-plane of the library), customer-reported (Issues that are reported by GitHub users external to the Azure organization), issue-addressed (Workflow: The Azure SDK team believes it to be addressed and ready to close), question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that), Schema Registry

Comments

@rido-min (Member)

Library name and version

Microsoft.Azure.Data.SchemaRegistry.ApacheAvro 1.0.0

Describe the bug

When I install Microsoft.Azure.Data.SchemaRegistry.ApacheAvro 1.0.0 in a net8.0 project I get security vulnerabilities:

dotnet new console
dotnet add package Microsoft.Azure.Data.SchemaRegistry.ApacheAvro
dotnet list package --include-transitive --vulnerable

returns

 Transitive Package                    Resolved   Severity   Advisory URL
   > Newtonsoft.Json                     10.0.3     High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

Expected behavior

Microsoft packages should not include dependencies with High Severity warnings.

Actual behavior

System.Net.Http, System.Text.RegularExpressions and Newtonsoft.Json are out of date

Reproduction Steps

dotnet new console
dotnet add package Microsoft.Azure.Data.SchemaRegistry.ApacheAvro
dotnet list package --include-transitive --vulnerable

Environment

.NET SDK:
 Version:           8.0.202
 Commit:            25674bb2f4
 Workload version:  8.0.200-manifests.a7f084b6

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.202\

.NET workloads installed:
 [aspire]
   Installation Source: SDK 8.0.200, VS 17.10.34707.107
   Manifest Version:    8.0.0-preview.4.24156.9/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.0.0-preview.4.24156.9\WorkloadManifest.json
   Install Type:        FileBased
@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 27, 2024
@jsquire jsquire self-assigned this Mar 27, 2024
@jsquire jsquire added Client This issue points to a problem in the data-plane of the library. Schema Registry labels Mar 27, 2024
@github-actions github-actions bot removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Mar 27, 2024
@jsquire (Member) commented Mar 27, 2024

Hi @rido-min. Thanks for reaching out and we regret that you're experiencing difficulties. It looks like this is correct; the Avro dependency on Newtonsoft.Json traces back to v10.0.3, which is marked as vulnerable. For some reason, NuGet is not marking the Avro package itself as vulnerable, so we were not alerted.

Looks like the latest Apache.Avro package, v11.1.3, still references v10.0.3, so it's not a simple dependency bump. We'll take a look at our options for resolving. In the meantime, your app can attempt to mitigate by taking a direct reference on Newtonsoft.Json v13.0.3, which will hoist the version used. That said, we cannot guarantee that the Avro package will work with the newer Newtonsoft.Json version, so we'd recommend testing thoroughly.
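An added example, not code from this thread or from the Azure SDK: a small POSIX shell gate that parses the `dotnet list package --include-transitive --vulnerable` report shape shown in the issue body and fails when any finding is at or above a chosen severity, so the transitive regression described here is caught in CI rather than noticed by hand. The sample report is constructed from the three lines in the issue, and the `[net8.0]:` header line is an assumed framing line, not tool output captured here.

```shell
#!/bin/sh
# Constructed sample in the shape of `dotnet list package --include-transitive --vulnerable`
# output, built from the three findings quoted in the issue (not live tool output).
SAMPLE_REPORT='   [net8.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
      > Newtonsoft.Json                     10.0.3     High       https://github.com/advisories/GHSA-5crp-9r3c-p9vr
      > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
      > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj'

# Print "package resolved severity" for every finding line (they start with ">").
# Reads the report on stdin.
list_findings() {
    awk '$1 == ">" { print $2, $3, $4 }'
}

# Count findings at or above the given severity threshold (default: High).
# Reads the report on stdin; prints the count (0 when there are none).
count_findings() {
    case "${1:-High}" in
        Critical) pat='Critical' ;;
        High)     pat='High|Critical' ;;
        Moderate) pat='Moderate|High|Critical' ;;
        *)        pat='Low|Moderate|High|Critical' ;;
    esac
    awk -v pat="$pat" '$1 == ">" && $4 ~ ("^(" pat ")$") { n++ } END { print n + 0 }'
}

# CI gate: return 1 when any finding meets the threshold, 0 otherwise.
# Reads the report on stdin (e.g. `dotnet list package --include-transitive --vulnerable | gate High`).
gate() {
    threshold="${1:-High}"
    n=$(count_findings "$threshold")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n vulnerable package(s) at or above $threshold" >&2
        return 1
    fi
    echo "OK: no vulnerable packages at or above $threshold"
}

# Stand-alone demonstration on the constructed sample: lists the findings, then
# shows the gate failing on the three High findings from the issue.
printf '%s\n' "$SAMPLE_REPORT" | list_findings
if printf '%s\n' "$SAMPLE_REPORT" | gate High; then
    echo "pipeline may continue"
else
    echo "pipeline should stop here"
fi
```

After the direct reference on Newtonsoft.Json 13.0.3 described above is in place, re-running the real `dotnet list package` command through `gate High` confirms that line has dropped out of the report.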

@jsquire jsquire added the needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team label Mar 27, 2024
@rido-min (Member, Author)

Thanks!! I'll try with the latest Newtonsoft.

I also reported this issue in https://issues.apache.org/jira/browse/AVRO-3963 and they said it's already fixed with apache/avro#2589.

Once the new Avro package is out, we should release a new version of Microsoft.Azure.Data.SchemaRegistry.ApacheAvro

@jsquire (Member) commented Mar 29, 2024

As a mitigation for this until a new Apache.Avro package is published, we've released a hot fix (1.0.1) which takes a direct reference on Newtonsoft.Json to hoist the version to 13.0.3.

@jsquire jsquire added issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Mar 29, 2024

Hi @rido-min. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

@rido-min (Member, Author)

Closing as resolved

@github-actions github-actions bot locked and limited conversation to collaborators Jun 28, 2024