Update dependencies for security fixes

[victor-priceputu-tb]

Currently the package is dependent on NETStandard.Library@1.6.1 which by it's own dependencies generates security warnings (6 in total). Updating it to the current latest version v2.0.3 solves the security issues. A quick scan with Snyk can show this.

Can we get an update to resolve these issues?

[mchechulnikov]

Hi @victor-priceputu-tb ,
Thank you for bringing this to our attention!
Could you please advise,

• how do you use the TeamCity.VSTest.TestAdapter library?
• what exactly do you scan with Snyk: TeamCity distribution or the library itself?

[victor-priceputu-tb]

Hello, thank you for the quick reply.

We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

For the scanning we check our project for packages that have security issues or dependencies that have security issues, nothing fancy. Besides the automates scanning that happens, we just run Snyk via Rider (the IDE) that just does a quick package scanning.

[mchechulnikov]

We are using the library to output the test results in TeamCity, so we just execute dotnet test in our step.

Could you please clarify, are you using command line runner?

If so, please note that you could use the TeamCity .NET runner withtest command instead and you won't need to reference TeamCity.VSTest.TestAdapter to your project directly. It is considered as a main way of usage this package – implicitly via .NET runner. As far as I understand, it could solve the issue with a scanner for now until we update the package.

And if you don't use .NET runner, may I ask you why? That would be very helpful to us.
TeamCity .NET runner it's a part of bundled TeamCity .NET Support plugin and open sourced as well.

For the scanning we check our project for packages that have security issues or dependencies that have security issues

Could you please share the CVEs, links on Snyk or any other details that you found in connection with NETStadard.Library@1.6.1? It would help us a lot to estimate a severity

[victor-priceputu-tb]

Hey, apologies for the late response. We are using the command line runner, yes.

I am not sure why it is set up like this, the infrastructure department sets these up. We have multiple projects in multiple languages so I guess it is to help have multiple agents that can run every project and minimise time where a pipeline is waiting for an agent.
The following vulnerabilities are introduces through the NETStandard.Library dependency:
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60045
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60046
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-72439
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTREGULAREXPRESSIONS-174708
https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60048

[WGroenestein]

Another idea would be to add an explicit net8.0 TFM, so this NETStandard.Library dependency is not needed when using that TFM

[rjgotten]

And if you don't use .NET runner, may I ask you why? That would be very helpful to us.

FWIW - you can't use the .NET runner when you build docker containers and perform tests as part of the image build. You then have to use the adapter package to output console logs from the container build process in a way TeamCity can pick up to assemble test result logs.

[doxxx]

I've encountered the same issue. We don't use the .NET runner in Teamcity because we use PowerShell scripts with the InvokeBuild module to script our builds so that they can execute exactly the same way on developers laptops and in Teamcity.