[security] Insecure transitive dependency to Microsoft.AspNetCore.Server.Kestrel.Core

[Kielek]

Describe the bug

Related to version 1.14.0 and probably other to.

WireMock.Net --> WireMock.Net.Minimal ----.NET Framework/.NET Standard-----> Microsoft.AspNetCore v2.2.0 ----> Microsoft.AspNetCore.Server.Kestrel.Core v2.2.0

This package contains critical security issue (9.9/10) GHSA-5rrx-jjjq-q2r5.

Expected behavior:

The easiest way is to bump Microsoft.AspNetCore to 2.3.0.

Test to reproduce

Just compile your code with following switches

  <PropertyGroup>
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

Other related info

It will be great to make the release shortly after the changes.

[Kielek]

@StefH, I have check it more deeply.
It might be not so trivial to update. To fully resolve this particular issue Microsoft.AspNetCore should be to 2.3.0 (2.2.0 is out of support) together with Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6. All this in WireMock.Net.Minimal for .NET Framework 4.6.1 , .NET Standard 2.0 and 2.1.

But it is not so simple. Microsoft.AspNetCore.Server.Kestrel.Core.ListenOptions.Protocols property is marked as internal in this package version and it is conditionally set AspNetCoreSelfHost class.
What is more Microsoft.AspNetCore.Http.HttpResponse does not implement SupportsTrailers() and AppendTrailer(). Both needed by OwinResponseMapper.

There is more vulnerable dependencies in .NET Framework 4.5.1 and 4.5.2 and .NET Standard 1.3 - but all of them are our of support by the Microsoft.

Internally, I have tried to bump Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6 in OpenTelemetry test suite. As there are binary breaking changes in minor versions it basically is not working.

Looking forward for any recommendation/fixes you could provide. If there will be no possibility to fix without breaking chnages, I would consider 2.0 version with dropping support for anything older than .NET Standard 2.0/.NET Framework 4.6.2/.NET8.

[StefH]

My plan is indeed to drop a lot of framework support.

Can you check this PR?
#1359

And validate if this could solve this issue?

[Kielek]

Unfortunately, I still need to maintain packages targeted to .NET Framework 4.6.2. It will be great to keep this support also by next 2 years. Then updating to 4.7.

I will check your changes shortly.

[StefH]

@Kielek
Could you check it?

[Kielek]

I reviewed your PR already #1359 (comment) and I do not see any new big changes in this PR. Am I missing something?

[Kielek]

I have dropped internally dependency on WireMock.NET. From my perspective it is no longer priority so closing it.