From 92a46afb087d1392990a4ba684745563097316da Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:51:16 +0200 Subject: [PATCH 01/13] Updated SqlClient to fix vulnerabilities Updated Microsoft.Data.SqlClient to fix some of the vulnerabilities referenced in #544. --- Directory.Packages.props | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 96e725cb..d7ed9123 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -11,7 +11,7 @@ - + From 764ca74ffbe0c9eb54cf01475cf5c01c93235e9a Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:54:22 +0200 Subject: [PATCH 02/13] Updated codeql-action to v3 V2 is deprecated soon. --- .github/workflows/pr-analysis-codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr-analysis-codeql.yml b/.github/workflows/pr-analysis-codeql.yml index f4fd9fcb..0c2b81b0 100644 --- a/.github/workflows/pr-analysis-codeql.yml +++ b/.github/workflows/pr-analysis-codeql.yml @@ -22,7 +22,7 @@ jobs: uses: actions/checkout@v3 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: 'csharp' @@ -30,6 +30,6 @@ jobs: run: ./Build.ps1 -SkipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 with: category: "/language:csharp" From 36c5b4096f2670fceaa67a2dc59b94daf7b7e830 Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:57:56 +0200 Subject: [PATCH 03/13] Bumped major version --- CHANGES.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index afb0bc9f..67aa9c9c 100644 --- a/CHANGES.md +++ b/CHANGES.md 
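Review bot: The bumped `uses: github/codeql-action/init@v3` and `uses: github/codeql-action/analyze@v3` lines still reference the actions by a mutable major-version tag, so this PR-triggered workflow will execute whatever commit the `v3` tag is moved to in the future; the usual hardening for third-party actions is to pin to a full commit SHA and keep the version as a trailing comment, e.g. `uses: github/codeql-action/init@<commit-sha> # v3`. The unchanged context line `uses: actions/checkout@v3` in the same hunk has the same exposure and, since the workflow is being touched for the CodeQL major bump anyway, is a natural candidate to update and pin in the same change. Whether the workflow restricts its `permissions:` block is not visible in this hunk, so I cannot say whether the token scope is already minimal.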
@@ -1,3 +1,7 @@ +# 6.7.0 +* Fixed some of the vulnerabilities referenced in issue #544 by updating SqlClient dependency to 5.2.1 +* Update codeql-action to v3 before deprecation + # 6.6.1 * Fixed issue #515: Cannot use .AuditTo with SpanId or TraceId (thanks to @Kolthor and @vui611) * Fixed issue #530: Document default value of AllowNull From 0b57496d60b04a5f9bbd6606759ea462b1b553b6 Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Tue, 20 Aug 2024 00:58:31 +0200 Subject: [PATCH 04/13] Bumped major version --- src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj index 7ec2c5be..3e4e446c 100644 --- a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj +++ b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj @@ -2,7 +2,7 @@ A Serilog sink that writes events to Microsoft SQL Server and Azure SQL - 6.6.2 + 6.7.0 Michiel van Oudheusden;Christian Kadluba;Serilog Contributors netstandard2.0;net462;net472;net6.0 true From 6febfa2dd7666e482f256baf501550722b45ee37 Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Tue, 20 Aug 2024 01:31:17 +0200 Subject: [PATCH 05/13] Updated patch version Updated patch version after release --- src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj index 3e4e446c..11ac0f6f 100644 --- a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj +++ b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj 
@@ -2,7 +2,7 @@ A Serilog sink that writes events to Microsoft SQL Server and Azure SQL - 6.7.0 + 6.7.1 Michiel van Oudheusden;Christian Kadluba;Serilog Contributors netstandard2.0;net462;net472;net6.0 true From 759c63a1867da361f904146feccf800197f7ea1e Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 10:20:31 +0200 Subject: [PATCH 06/13] "Updated" SqlClient to 5.1.6 * Rather have 5.1 than 5.2 because 5.1 is LTS * Fixes issue #544 (partly) and issue #552 --- Directory.Packages.props | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index d7ed9123..0dd35b2f 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -11,7 +11,7 @@ - + @@ -28,4 +28,4 @@ - \ No newline at end of file + From 6798ef637c93d090b1410c568c554a9435402a59 Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:05:26 +0200 Subject: [PATCH 07/13] Fixed vulnerabilities by removing all System.* 4 versions as recommended by Microsoft (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions Related issue: #544 --- Directory.Packages.props | 6 ------ .../Serilog.Sinks.MSSqlServer.Tests.csproj | 8 -------- 2 files changed, 14 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 0dd35b2f..8869cf59 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -5,12 +5,6 @@ - - - - - - diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj index 296dcb72..828477ca 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj 
@@ -38,8 +38,6 @@ - - @@ -47,12 +45,6 @@ - - - - - - runtime; build; native; contentfiles; analyzers; buildtransitive all From 921d1e99882b694d0399894fa3fd7aaca5f93a8f Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:09:09 +0200 Subject: [PATCH 08/13] Fixed vulnerability by updating xunit * Fixed vulnerability by updating xunit to 2.9.0. * Fixed new warnings in test code. Related issue: #544 Related Work Items: #5 --- Directory.Packages.props | 4 +-- .../Sinks/MSSqlServer/MSSqlServerSinkTests.cs | 2 +- .../Platform/SqlBulkBatchWriterTests.cs | 36 +++++++++---------- .../Platform/SqlInsertStatementWriterTests.cs | 2 +- .../Sinks/MSSqlServer/SqlServerColumnTests.cs | 2 +- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 8869cf59..1a21d3fc 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -15,8 +15,8 @@ - - + + diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs index fa91f233..ca886b17 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs @@ -162,7 +162,7 @@ public async Task EmitBatchAsyncCallsSqlLogEventWriter() }); // Act - await _sut.EmitBatchAsync(logEvents).ConfigureAwait(false); + await _sut.EmitBatchAsync(logEvents); // Assert _sqlBulkBatchWriter.Verify(w => w.WriteBatch(It.IsAny>(), _dataTable), Times.Once); diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs index d7d83a4f..2de6712e 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs 
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs @@ -72,7 +72,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once); @@ -86,7 +86,7 @@ public async Task WriteBatchCallsSqlConnectionFactoryCreate() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionFactoryMock.Verify(f => f.Create(), Times.Once); @@ -99,7 +99,7 @@ public async Task WriteBatchCallsSqlConnectionWrapperOpenAsync() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.OpenAsync(), Times.Once); @@ -113,7 +113,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopy() var expectedDestinationTableName = string.Format(CultureInfo.InvariantCulture, "[{0}].[{1}]", _schemaName, _tableName); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(false, expectedDestinationTableName), Times.Once); 
@@ -128,7 +128,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopyWithDisable var sut = new SqlBulkBatchWriter(_tableName, _schemaName, true, _sqlConnectionFactoryMock.Object, _logEventDataGeneratorMock.Object); // Act - await sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await sut.WriteBatch(logEvents, _dataTable); // Assert _sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(true, expectedDestinationTableName), Times.Once); @@ -145,7 +145,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperAddSqlBulkCopyColumnMappingFo _dataTable.Columns.Add(new DataColumn(column2Name)); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlBulkCopyWrapper.Verify(c => c.AddSqlBulkCopyColumnMapping(column1Name, column1Name), Times.Once); @@ -159,7 +159,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperWriteToServerAsync() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert _sqlBulkCopyWrapper.Verify(c => c.WriteToServerAsync(_dataTable), Times.Once); @@ -172,14 +172,14 @@ public async Task WriteBatchClearsDataTable() var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false); + await _sut.WriteBatch(logEvents, _dataTable); // Assert Assert.Empty(_dataTable.Rows); } [Fact] - public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows() + public async Task WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows() { // Arrange _logEventDataGeneratorMock.Setup(d => d.GetColumnsAndValues(It.IsAny())) 
@@ -187,33 +187,33 @@ public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThro var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows() + public async Task WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows() { // Arrange _sqlConnectionFactoryMock.Setup(f => f.Create()).Callback(() => throw new InvalidOperationException()); var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows() + public async Task WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows() { // Arrange _sqlConnectionWrapperMock.Setup(c => c.OpenAsync()).Callback(() => throw new InvalidOperationException()); var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows() + public async Task WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows() { // Arrange _sqlBulkCopyWrapper.Setup(c => c.AddSqlBulkCopyColumnMapping(It.IsAny(), It.IsAny())) 
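Review bot: Now that these tests correctly `await Assert.ThrowsAsync(...)`, the setup `_sqlConnectionWrapperMock.Setup(c => c.OpenAsync()).Callback(() => throw new InvalidOperationException());` deserves a second look, because a `Callback` throws synchronously at the call site rather than handing back a faulted `Task`, which is the shape a real `OpenAsync` failure takes and the path the production `await` has to propagate. If the Moq version in use supports it, `_sqlConnectionWrapperMock.Setup(c => c.OpenAsync()).ThrowsAsync(new InvalidOperationException());` (or `.Returns(Task.FromException(new InvalidOperationException()))`) exercises that asynchronous failure path; the synchronous `Callback` form remains appropriate for the non-Task members `Create()` and `AddSqlBulkCopyColumnMapping`. Before this change the unawaited `Assert.ThrowsAsync` calls could never fail, so these tests have effectively not run until now; the `WriteToServerAsync` setups in the following hunks have the same sync-versus-faulted-Task distinction. The `AddSqlBulkCopyColumnMapping` setup at the end of this hunk continues outside the hunk.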
@@ -222,11 +222,11 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThro _dataTable.Columns.Add(new DataColumn("ColumnName")); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } [Fact] - public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() + public async Task WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() { // Arrange _sqlBulkCopyWrapper.Setup(c => c.WriteToServerAsync(It.IsAny())) @@ -234,7 +234,7 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows() var logEvents = CreateLogEvents(); // Act + assert - Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); + await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable)); } private static List CreateLogEvents() diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs index dac3704b..34e9d9db 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs +++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs @@ -192,7 +192,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach var logEvents = CreateLogEvents(); // Act - await _sut.WriteBatch(logEvents).ConfigureAwait(false); + await _sut.WriteBatch(logEvents); // Assert _logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once); diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs index c1f5526c..a06eb028 100644 --- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs 
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs @@ -33,7 +33,7 @@ public void StoresPropertyName() // Assert Assert.Equal(propertyName, sut.PropertyName); - Assert.Equal(1, sut.PropertyNameHierarchy.Count); + Assert.Single(sut.PropertyNameHierarchy); Assert.Equal(propertyName, sut.PropertyNameHierarchy[0]); Assert.False(sut.HasHierarchicalPropertyName); } From 652ac19938acfdc4b7de3e9b699f4856c58f4a2d Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:11:31 +0200 Subject: [PATCH 09/13] Fixed vulnerability https://github.com/advisories/GHSA-xhfc-gr8f-ffwc Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc) Related issue: #544 --- Directory.Packages.props | 1 + 1 file changed, 1 insertion(+) diff --git a/Directory.Packages.props b/Directory.Packages.props index 1a21d3fc..79f80372 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -5,6 +5,7 @@ + From 862bb6ac3c6495866cf9267650bfbab82c9a080d Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:12:38 +0200 Subject: [PATCH 10/13] Fixed vulnerability https://github.com/advisories/GHSA-447r-wph3-92pm Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm) Related issue: #544 --- Directory.Packages.props | 43 ++++++++++++++++++++-------------------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/Directory.Packages.props b/Directory.Packages.props index 79f80372..1ffb3099 100644 --- a/Directory.Packages.props +++ b/Directory.Packages.props @@ -1,26 +1,27 @@ - - true - - - - + + true + + + + + - - - - - - - - - - + + + + + + + + + + - - - - - + + + + + From 04ad485d28f5367ac4ab5944e045cb97474ce0f2 Mon Sep 17 00:00:00 2001 
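Review bot: The central version entries this commit and the previous one add for `System.Formats.Asn1` and `System.Private.Uri` exist only to override vulnerable transitive versions, and nothing in `Directory.Packages.props` records that, so the pins will silently outlive their purpose and keep forcing a version once `Microsoft.Data.SqlClient` itself brings in fixed ones. Add an XML comment beside them, e.g. `<!-- Pinned only to override vulnerable transitive versions (GHSA-447r-wph3-92pm, GHSA-xhfc-gr8f-ffwc); remove once SqlClient's own graph is clean. -->`. The diffstat for this commit (22 insertions, 21 deletions for what the message describes as one added reference) indicates the rest of the hunk is indentation churn; keeping the reformat in its own commit would let the one security-relevant line be reviewed on its own. The package element markup is not rendered in this view of the patch, so the exact versions being pinned cannot be confirmed here.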
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:13:49 +0200 Subject: [PATCH 11/13] * Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544) * Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue #544) --- src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj index 11ac0f6f..74b70748 100644 --- a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj +++ b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj @@ -38,6 +38,8 @@ + + From 30254fd7748e8cd10879821e830ff9183302bbd5 Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:14:26 +0200 Subject: [PATCH 12/13] Activated NuGet Audit for high and critical vulnerabilities in direct and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) Related issue: #544 --- Directory.Build.props | 7 +++++++ serilog-sinks-mssqlserver.sln | 1 + 2 files changed, 8 insertions(+) create mode 100644 Directory.Build.props diff --git a/Directory.Build.props b/Directory.Build.props new file mode 100644 index 00000000..f35cc248 --- /dev/null +++ b/Directory.Build.props @@ -0,0 +1,7 @@ + + + all + high + true + + diff --git a/serilog-sinks-mssqlserver.sln b/serilog-sinks-mssqlserver.sln index 37e4c25b..ef9178ee 100644 --- a/serilog-sinks-mssqlserver.sln +++ b/serilog-sinks-mssqlserver.sln 
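Review bot: The two `PackageReference`s added to the library's csproj carry no `PrivateAssets`, so `System.Formats.Asn1` and `System.Private.Uri` become declared dependencies of the published `Serilog.Sinks.MSSqlServer` package for every target (`netstandard2.0;net462;net472;net6.0` per the csproj header earlier in this series) and flow to every consumer. That is plausibly the intent, since the vulnerable transitive versions would otherwise land in consumers' graphs too, but the decision and its trigger should be recorded next to the references, e.g. `<!-- Direct references to force non-vulnerable transitive versions (GHSA-447r-wph3-92pm, GHSA-xhfc-gr8f-ffwc); revisit when SqlClient is updated. -->`. Whether the references are needed on all four target frameworks or only those where the flagged transitive versions actually appear is not determinable from this hunk; if it is only some, a `Condition` on the `ItemGroup` would avoid adding dependencies where they do nothing. The element markup is not rendered in this view, so the exact version attributes cannot be checked here.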
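Review bot: With the audit level set to `high`, moderate and low advisories in the same dependency graph are not reported at all, and NuGet audit findings are emitted as NU1901–NU1904 restore warnings, which do not fail a build unless those codes are promoted to errors; as the new `Directory.Build.props` stands (three properties whose element names are not rendered in this view: `all`, `high`, `true`), "activated" may mean advisories are only printed in restore output while CI stays green. If the goal is to block vulnerable graphs, add `<WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>` alongside these properties, and consider lowering the level so the moderate findings are at least visible. A short XML comment stating which property is which and why `high` was chosen would help the next maintainer; if the third property is `NuGetAudit`, note that recent SDKs already default it on, so the comment is what carries the intent.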
@@ -24,6 +24,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution .editorconfig = .editorconfig Build.ps1 = Build.ps1 CHANGES.md = CHANGES.md + Directory.Build.props = Directory.Build.props Directory.Packages.props = Directory.Packages.props .github\ISSUE_TEMPLATE.md = .github\ISSUE_TEMPLATE.md .github\workflows\pr-analysis-codeql.yml = .github\workflows\pr-analysis-codeql.yml From eda07865a0a1897004b6cb7907b4662435bd0cce Mon Sep 17 00:00:00 2001 From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com> Date: Wed, 28 Aug 2024 12:15:04 +0200 Subject: [PATCH 13/13] Updated CHANGES.md --- CHANGES.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/CHANGES.md b/CHANGES.md index 67aa9c9c..e197a710 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1,3 +1,11 @@ +# 6.7.1 +* Fixed issue #552 by downgrading SqlClient dependency to 5.1.6 which is LTS and fixed the vulnerabilities referenced in issue #544 +* Fixed vulnerabilities by removing all System.* 4 versions as recommended by Microsoft (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions, issue #544) +* Fixed vulnerability by updating xunit to 2.9.0 (issue #544) +* Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544) +* Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue #544) +* Activated NuGet Audit for high and critical vulnerabilities in direct and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/) + # 6.7.0 * Fixed some of the vulnerabilities referenced in issue #544 by updating SqlClient dependency to 5.2.1 * Update codeql-action to v3 before deprecation