
Security issue in JWT 5.4.0

Open alensiljak opened this issue 1 year ago • 6 comments

Hi! The Jwt 5.4.0 is flagged as a security risk by SonarQube. It is used by Microsoft.AzureServiceBus.


Upgrading JWT to at least 5.7.0 would fix this.

alensiljak avatar Feb 20 '24 10:02 alensiljak

😱


Do you have plans on updating the dependencies?

alensiljak avatar Feb 20 '24 12:02 alensiljak

Hello,

We'd be willing to accept any PRs to update this.

niemyjski avatar Feb 20 '24 14:02 niemyjski

Microsoft.Azure.ServiceBus is deprecated so it's a bit of a bigger issue than just a PR.

https://www.nuget.org/packages/Microsoft.Azure.ServiceBus


alensiljak avatar Feb 20 '24 14:02 alensiljak

We need to get the Azure libs updated and it's on our list (we would be very grateful for a PR if you have some time). The problem is they keep coming out with a completely new package, which seems to be yearly, and the one after this one had crazy management libraries, which they've since removed due to pushback.

niemyjski avatar Feb 20 '24 14:02 niemyjski

Thanks for the feedback! I'd like to help but, as usual, it's a matter of availability of time. I'm waiting for some guidelines on how to proceed.

alensiljak avatar Feb 20 '24 14:02 alensiljak

The quickest solution to this particular issue is to force a (currently) safe version of Jwt by adding

<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />

to the project file. So, no pressure for now, until some other vulnerability is identified. :)

alensiljak avatar Feb 20 '24 15:02 alensiljak
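The project-file override from the comment above, as an added example that is not part of the original thread or of the Foundatio project: a complete csproj that pins the transitive System.IdentityModel.Tokens.Jwt to 5.7.0 and additionally turns on NuGet's vulnerability audit so that restore warns on known-vulnerable transitive packages. The Foundatio.AzureServiceBus version is a placeholder, and the NuGetAudit properties assume an SDK recent enough to support them (NuGet 6.8 or later; `NuGetAuditMode` `all` needs 6.12 or later).

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Make restore report known-vulnerable packages, including transitive ones,
         and treat the audit warnings (low..critical) as errors so the build fails. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Placeholder version: use the Foundatio.AzureServiceBus version the project already references. -->
    <PackageReference Include="Foundatio.AzureServiceBus" Version="X.Y.Z" />

    <!-- Direct reference to the transitive dependency. NuGet's "nearest wins" resolution
         picks this version over the 5.4.0 pulled in through Microsoft.Azure.ServiceBus. -->
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
  </ItemGroup>

</Project>
```

After restore, `dotnet list package --vulnerable --include-transitive` confirms whether the override took effect and whether anything else in the graph is still flagged.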