Feature/update vulnerable packages
- Update Vulnerable Packages
- Update .Net 8 LTS
- Update Unit Tests for required fields that were causing a failure when connecting to conductor.

Main vulnerability looking to resolve is this one in RestSharp: https://nvd.nist.gov/vuln/detail/CVE-2024-45302 which is consumed by the Conductor-C# SDK.
Unit tests have passed. Those that have failed were targeting unknown endpoints on the conductor-oss image, the /Environment or /Integrations don't seem to exist so would appreciate any advice on that one.
Vulnerabilities highlighted:
- https://github.com/advisories/GHSA-qj66-m88j-hmgj
- https://github.com/advisories/GHSA-4rr6-2v9v-wcpc
- https://github.com/advisories/GHSA-7jgj-8wvc-jh57
- https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
- https://github.com/advisories/GHSA-cmhx-cq75-c4mj
Good PR, I would also like to have these changes approved 👍
Since you bumped .NET version to 8.0 you should also probably bump the image version in the Dockerfile. It is used in GitHub Actions during CI/CD.
FROM mcr.microsoft.com/dotnet/sdk:6.0 AS csharp-sdk -> FROM mcr.microsoft.com/dotnet/sdk:8.0 AS csharp-sdk
Thanks @nprorekhin Good catch. Have updated 👍
Apologies, not familiar with your CI, but obviously all tests failing isn't going to allow this PR to merge. I notice that when the CI for the test stage kicks off, the Docker Build input is the following:
DOCKER_BUILDKIT=1 docker build --target=test --build-arg KEY= --build-arg SECRET= --build-arg CONDUCTOR_SERVER_URL=
But the last run on main which only passed 63/65 tests has the following setup
DOCKER_BUILDKIT=1 docker build --target=test --build-arg KEY=*** --build-arg SECRET=*** --build-arg CONDUCTOR_SERVER_URL=*** .
So for the run on my PR there is no Server Url or Secret being passed in to assist with the tests / worker setup nor the Orks client so it will fail.
Can anyone assist in how I can re-trigger the CI, or make sure the values are provided in the Docker build for it to succeed (or at least get some steps further)?
Can see the GitHub workflow is here https://github.com/conductor-sdk/conductor-csharp/blob/main/.github/workflows/pull_request.yml which is attempting to provide the parameters.
Can anyone help? As I'm keen to try to move this along and merge if possible.
Ah so because I had to Fork the repo to work on it I'm unable to run the workflow because the forked repo doesn't have access to sensitive data such as secrets -> https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
If anyone is able to create a feature branch for me on this repo without the restrictions, I'll merge into the feature branch from my fork, then recreate the PR which will allow the workflow to run correctly for the CI regarding the build and test stages. Unless there are any alternatives?
@gardusig @manan164 @Jithesh-poojary @jmigueprieto would any of you be able to assist? Thank you.
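A guard for the situation described in the comments above, as an added example that is not part of the thread or the repository: it classifies a test run by which of the three build arguments actually arrived, so a run from a fork (where secrets are withheld) is reported as such instead of failing inside the tests. KEY, SECRET and CONDUCTOR_SERVER_URL are the names from the quoted docker build command; the function names and mode strings are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the conductor-csharp repo).
# Classifies a CI test run by which build arguments were supplied.
# Only variable NAMES are ever printed, never their values.

# test_mode KEY SECRET URL -> prints one of:
#   integration    all three values present
#   unit-only      none present (typical for a pull request from a fork)
#   misconfigured  some but not all present
test_mode() {
    present=0
    for v in "$1" "$2" "$3"; do
        if [ -n "$v" ]; then
            present=$((present + 1))
        fi
    done
    case $present in
        3) echo integration ;;
        0) echo unit-only ;;
        *) echo misconfigured ;;
    esac
}

# missing_args KEY SECRET URL -> prints the names of the empty arguments,
# space separated, so the CI log shows what is absent without leaking values.
missing_args() {
    missing=""
    [ -n "$1" ] || missing="$missing KEY"
    [ -n "$2" ] || missing="$missing SECRET"
    [ -n "$3" ] || missing="$missing CONDUCTOR_SERVER_URL"
    echo "${missing# }"
}

# Stand-alone use: read the values from the environment and report.
mode=$(test_mode "${KEY:-}" "${SECRET:-}" "${CONDUCTOR_SERVER_URL:-}")
echo "test mode: $mode"
if [ "$mode" != "integration" ]; then
    echo "missing: $(missing_args "${KEY:-}" "${SECRET:-}" "${CONDUCTOR_SERVER_URL:-}")"
fi
```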
would love to see this PR merged. will reduce so many warnings
thx @manan164 for merging the PR! look forward to a nuget release soon