diff --git a/.github/workflows/pr-analysis-codeql.yml b/.github/workflows/pr-analysis-codeql.yml index f4fd9fcb..0c2b81b0 100644 --- a/.github/workflows/pr-analysis-codeql.yml +++ b/.github/workflows/pr-analysis-codeql.yml @@ -22,7 +22,7 @@ jobs: uses: actions/checkout@v3 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: 'csharp' @@ -30,6 +30,6 @@ jobs: run: ./Build.ps1 -SkipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:csharp" diff --git a/CHANGES.md b/CHANGES.md index afb0bc9f..e197a710 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -1,3 +1,15 @@ +# 6.7.1 +* Fixed issue #552 by downgrading SqlClient dependency to 5.1.6 which is LTS and fixed the vulnerabilities referenced in issue #544 +* Fixed vulnerabilities by removing all System.* 4 versions as recommended by Microsoft (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions, issue #544) +* Fixed vulnerability by updating xunit to 2.9.0 (issue #544) +* Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544) +* Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue #544) +* Activated NuGet Audit for high and critical vulnerabilities in direct and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) + +# 6.7.0 +* Fixed some of the vulnerabilities referenced in issue #544 by updating SqlClient dependency to 5.2.1 +* Update codeql-action to v3 before deprecation + # 6.6.1 * Fixed issue #515: Cannot use .AuditTo with SpanId or TraceId (thanks to @Kolthor and @vui611) * Fixed issue #530: Document default value of AllowNull diff --git a/Directory.Build.props b/Directory.Build.props new file mode 100644 index 00000000..f35cc248 --- /dev/null +++ b/Directory.Build.props @@ -0,0 +1,7 @@ + + + all + high + true + + diff --git a/Directory.Packages.props b/Directory.Packages.props index 36191555..be2b31db 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -1,30 +1,26 @@ - - true - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file + + true + + + + + + + + + + + + + + + + + + + + + + + diff --git a/serilog-sinks-mssqlserver.sln b/serilog-sinks-mssqlserver.sln index 37e4c25b..ef9178ee 100644 --- a/serilog-sinks-mssqlserver.sln 
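Review bot: The new Directory.Build.props turns auditing on but, as far as this hunk shows, does nothing to make a finding fail the build; the element names are lost in this rendering, so going by the three values `all`, `high`, `true` and the 6.7.1 changelog entry these look like NuGetAuditMode, NuGetAuditLevel and NuGetAudit. NuGet audit reports advisories as restore warnings (NU1903 for high, NU1904 for critical at this level), so `./Build.ps1 -SkipTests` in the CodeQL workflow and any local build still succeed with a known-vulnerable package in the graph unless those codes are promoted, e.g. `<WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>` in the same PropertyGroup. Worth also a one-line comment recording that `high` deliberately silences low and moderate advisories and that audit data only comes from feeds that publish vulnerability info (nuget.org does; a private mirror without it reports nothing), so the gate is only as good as the configured sources.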
+++ b/serilog-sinks-mssqlserver.sln @@ -24,6 +24,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution .editorconfig = .editorconfig Build.ps1 = Build.ps1 CHANGES.md = CHANGES.md + Directory.Build.props = Directory.Build.props Directory.Packages.props = Directory.Packages.props .github\ISSUE_TEMPLATE.md = .github\ISSUE_TEMPLATE.md .github\workflows\pr-analysis-codeql.yml = .github\workflows\pr-analysis-codeql.yml diff --git a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj index 6cfae30f..4b471904 100644 --- a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj +++ b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj @@ -2,7 +2,7 @@ A Serilog sink that writes events to Microsoft SQL Server and Azure SQL - 6.6.2 + 6.7.1 Michiel van Oudheusden;Christian Kadluba;Serilog Contributors netstandard2.0;net462;net472;net6.0 true @@ -37,6 +37,8 @@ + + diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj index 296dcb72..828477ca 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj @@ -38,8 +38,6 @@ - - @@ -47,12 +45,6 @@ - - - - - - runtime; build; native; contentfiles; analyzers; buildtransitive all diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs index fa91f233..ca886b17 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs 
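Review bot: The two PackageReference lines added at the end of the `@@ -37,6 +37,8 @@` hunk in Serilog.Sinks.MSSqlServer.csproj carry no comment saying why a library project references them directly; the element text is stripped in this rendering, so the identities are inferred from CHANGES.md (System.Formats.Asn1 and System.Private.Uri, GHSA-447r-wph3-92pm and GHSA-xhfc-gr8f-ffwc). Pins added to lift a vulnerable transitive version tend to outlive their reason and then hold every consumer on whatever version was current at the time, so each should state its removal condition, e.g. `<!-- Direct reference only to override the vulnerable transitive version pulled in via Microsoft.Data.SqlClient (issue #544); remove once the upstream dependency moves past the advisory. -->`. Since this is the packaged project, these become direct dependencies of the published NuGet package rather than build-only overrides, which is worth saying in the same comment so the next maintainer does not treat them as dead weight.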
@@ -162,7 +162,7 @@ public async Task EmitBatchAsyncCallsSqlLogEventWriter() }); // Act - await _sut.EmitBatchAsync(logEvents).ConfigureAwait(false); + await _sut.EmitBatchAsync(logEvents); // Assert _sqlBulkBatchWriter.Verify(w => w.WriteBatch(It.IsAny>(), _dataTable), Times.Once); diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs index d7d83a4f..2de6712e 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs @@ -72,7 +72,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once); @@ -86,7 +86,7 @@ public async Task WriteBatchCallsSqlConnectionFactoryCreate() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionFactoryMock.Verify(f => f.Create(), Times.Once); @@ -99,7 +99,7 @@ public async Task WriteBatchCallsSqlConnectionWrapperOpenAsync() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.OpenAsync(), Times.Once); 
@@ -113,7 +113,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopy() var expectedDestinationTableName = string.Format(CultureInfo.InvariantCulture, "[{0}].[{1}]", _schemaName, _tableName); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(false, expectedDestinationTableName), Times.Once); @@ -128,7 +128,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopyWithDisable var sut = new SqlBulkBatchWriter(_tableName, _schemaName, true, _sqlConnectionFactoryMock.Object, _logEventDataGeneratorMock.Object); // Act - await sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(true, expectedDestinationTableName), Times.Once); @@ -145,7 +145,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperAddSqlBulkCopyColumnMappingFo _dataTable.Columns.Add(new DataColumn(column2Name)); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlBulkCopyWrapper.Verify(c => c.AddSqlBulkCopyColumnMapping(column1Name, column1Name), Times.Once); @@ -159,7 +159,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperWriteToServerAsync() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlBulkCopyWrapper.Verify(c => c.WriteToServerAsync(_dataTable), Times.Once); 
@@ -172,14 +172,14 @@ public async Task WriteBatchClearsDataTable() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert Assert.Empty(_dataTable.Rows); } [Fact] - public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows() + public async Task WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows() { // Arrange _logEventDataGeneratorMock.Setup(d => d.GetColumnsAndValues(It.IsAny())) 
@@ -187,33 +187,33 @@ public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThro var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows() + public async Task WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows() { // Arrange _sqlConnectionFactoryMock.Setup(f => f.Create()).Callback(() => throw new InvalidOperationException()); var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows() + public async Task WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows() { // Arrange _sqlConnectionWrapperMock.Setup(c => c.OpenAsync()).Callback(() => throw new InvalidOperationException()); var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows() + public async Task WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows() { // Arrange _sqlBulkCopyWrapper.Setup(c => c.AddSqlBulkCopyColumnMapping(It.IsAny(), It.IsAny())) 
@@ -222,11 +222,11 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThro _dataTable.Columns.Add(new DataColumn("ColumnName")); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() + public async Task WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() { // Arrange _sqlBulkCopyWrapper.Setup(c => c.WriteToServerAsync(It.IsAny())) @@ -234,7 +234,7 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } private static List CreateLogEvents() diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs index dac3704b..34e9d9db 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs @@ -192,7 +192,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents).ConfigureAwait(false); + await _sut.WriteBatch(logEvents); // Assert _logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once); diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs index c1f5526c..a06eb028 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs 
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs @@ -33,7 +33,7 @@ public void StoresPropertyName() // Assert Assert.Equal(propertyName, sut.PropertyName); - Assert.Equal(1, sut.PropertyNameHierarchy.Count); + Assert.Single(sut.PropertyNameHierarchy); Assert.Equal(propertyName, sut.PropertyNameHierarchy[0]); Assert.False(sut.HasHierarchicalPropertyName); }