How to update vulnerable library (libjpeg-turbo 1.5.3) in Salesforce org or application - libjpeg-turbo

Update vulnerable library libjpeg-turbo 1.5.3 to the latest version.
We have a Salesforce web application with a Salesforce org, and a vulnerability issue was found by the Black Duck scan tool, so we need to update this library to an updated version.

Related

How to fix the security vulnerability in system.drawing.common 4.7.0 package referred by Microsoft.EntityFrameworkCore.SqlServer (6.0.3)?

In Visual Studio 2022, API project created using .NET Core 6.0.6 runtime, we are using Microsoft.EntityFrameworkCore.SqlServer 6.0.3 nuget package. But recently found that there is a security vulnerability in the System.Drawing.Common 4.7.0 package.
We use TFS CI Build Pipeline to build and release our software.
Please let us know how to overcome this security risk (we are using Blackduck compliance scan) and apply the patch/ changes to be made in TFS CI build pipeline script and deploy the software, but still use .NET Core 6.0.6 runtime, as we do not want to upgrade the .NET Core version to 7.0.
P.S: We are aware that the System.Drawing.Common vulnerability is cleared in version 4.7.2, 4.7.3 and also in >= 5.0.3 versions.
But still the security risk is reported by the Blackduck compliance scan.
What we have tried:
We have manually added the System.Drawing.Common package version 4.7.3 to the project and noticed that the package Microsoft.EntityFrameworkCore.SqlServer 6.0.3 is now internally referring to the System.Drawing.Common version 4.7.3.
But still the security risk is reported by the Blackduck compliance scan.
Referred links:
https://www.nuget.org/packages/System.Drawing.Common/4.7.0#versions-body-tab
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24112
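
One way to check what NuGet restore actually resolved after such a pin, and which packages still declare a dependency on the old version (an added example, not part of the original post). It assumes the usual `obj/project.assets.json` layout; the sample data and the `Example.Intermediate` package are constructed, and the fixed-version list is the one stated in the question.

```python
import json

PACKAGE = "System.Drawing.Common"

# Constructed sample in the shape of obj/project.assets.json (NuGet restore output).
# "Example.Intermediate" is a made-up package standing in for the real dependency chain.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    "net6.0": {
      "Microsoft.EntityFrameworkCore.SqlServer/6.0.3": {
        "dependencies": {"Example.Intermediate": "1.0.0"}
      },
      "Example.Intermediate/1.0.0": {
        "dependencies": {"System.Drawing.Common": "4.7.0"}
      },
      "System.Drawing.Common/4.7.3": {}
    }
  }
}
""")

def parse_version(text):
    """'4.7.3' -> (4, 7, 3); a prerelease suffix such as '-rc1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def is_fixed(version):
    # Fixed versions as stated in the question: 4.7.2, 4.7.3 and >= 5.0.3.
    v = parse_version(version)
    return v in ((4, 7, 2), (4, 7, 3)) or v >= (5, 0, 3)

def audit(assets, package=PACKAGE):
    """Per target framework: resolved version, whether it is fixed, who declares it."""
    report = {}
    for tfm, libs in assets.get("targets", {}).items():
        resolved, declared_by = None, {}
        for key, info in libs.items():
            name, _, version = key.partition("/")
            if name.lower() == package.lower():
                resolved = version
            for dep, wanted in info.get("dependencies", {}).items():
                if dep.lower() == package.lower():
                    declared_by[key] = wanted  # version the parent asked for
        if resolved is not None:
            report[tfm] = {"resolved": resolved, "fixed": is_fixed(resolved),
                           "declared_by": declared_by}
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ASSETS), indent=2))
```

The `declared_by` entries show the version an upstream package asked for, which can differ from the version restore resolved.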

Deprecation of all previous Azure Application Insights NuGet packages

All previous versions of the various Microsoft.ApplicationInsights.* packages on nuget.org have all switched to being deprecated. This feels unusual for a minor release, and it's not acknowledged in the release notes. Is there a reason for this?
e.g. https://www.nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore
To answer my own question for anyone else that might be wondering if they need to upgrade Application Insights packages, the short answer is no. You can keep on using the version you are on with the usual consideration for the patch and minor release notes.
This is a recent move by the Application Insights team to comply with the Azure SDK lifecycle and support policy that states:
or has been superseded by a more recent release. In both cases, the current library is deprecated in favor of a newer library.
The main driver is that support requests are typically resolved by updating to the latest SDK version, so only 'supporting' the latest version ensures we all try that first before teams commit resources to support.
Source: Application Insights GitHub issue.

Installing NodaTime 2.2.x in PCL with Profile44

I am working on a PCL project that is using Profile44 as TargetFrameworkProfile. When I try to install NodaTime 2.2.4 I get the following error message:
Could not install package 'NodaTime 2.2.4'. You are trying to install this package into a project that targets '.NETPortable,Version=v4.6,Profile=Profile44', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
Do I have to downgrade to .Net 4.5 or what options do I have?
Noda Time 2.x only supports the Target Framework Monikers netstandard1.3 and net45. There's no direct PCL support, although some environments that traditionally used PCLs now support .NET Standard.
The 1.x series supports PCLs via Profile328, which has a NuGet target of "portable-net4+sl50+win8+wpa81+wp8". For environments that don't yet support .NET Standard, trying the 1.x series is the best option.
Note that I'm expecting Noda Time 3.0 to probably target netstandard2.0, although I'll still keep the older versions up to date with respect to time zone data.

How to install older version of azure service fabric Runtime? I need 5.6 version

Where can I find a specific version of Service Fabric? I need the 5.6 runtime and 2.6 SDK version. Is there any download list for Service Fabric versions?
I found the link https://blogs.msdn.microsoft.com/azureservicefabric/2017/06/20/release-of-sdk-2-6-220-and-runtime-5-6-220-refresh-for-windows, but there is no link for downloading this version. Every link leads to the latest version.
I found it!
https://servicefabricsdkstorage.blob.core.windows.net/public-release-notes/Microsoft%20Azure%20Service%20Fabric%20Release%20Notes%20-%20SDK%202.6.220%20-%20Runtime%205.6.220.docx
Here is a link where the download links for the Service Fabric Runtime, SDK and VS Tools can be found.
So the algorithm for seeking download links:
1. Find the release update on the Azure site (https://blogs.msdn.microsoft.com/azureservicefabric/2017/06/20/release-of-sdk-2-6-220-and-runtime-5-6-220-refresh-for-windows/ in my case).
2. Find the release notes of a specific release.
3. Download the release notes.
4. Find the download links at the end of the document.
You can use Web Platform Installer to install different versions of the Service Fabric SDK together with the runtime. If you don't want to install the corresponding SDK, only the runtime, you can go to Web Platform Installer's folder to find the package, such as "%LOCALAPPDATA%\Microsoft\Web Platform Installer\installers\ServiceFabricRuntime_6_5_CU5".

Can't update hot tuna ios dialog support to version 3.5

When I try to update or to install dialog support package I get the error:
Could not install package 'MvvmCross.HotTuna.Touch.Dialog 3.5.0'. You are trying to install this package into a project that targets 'MonoTouch,Version=v1.0', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.
The issue is you are still targeting the old 32-bit-only iOS API (the MonoTouch.dll). All apps being written for the store must support 64-bit and 32-bit (Xamarin.ios.dll).
You can, I believe, get a build of mvvmcross 3.5 that will support the old APIs, but I'd look at upgrading your project to support the new iOS APIs. Xamarin produce some good docs here: http://developer.xamarin.com/guides/cross-platform/macios/32-and-64/.
This goes without saying, but make sure you have everything in source control first before upgrading, just in case. Once you have upgraded, you should upgrade all mvvmcross components to 3.5.
