From 759c63a1867da361f904146feccf800197f7ea1e Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 10:20:31 +0200
Subject: [PATCH 1/8] "Updated" SqlClient to 5.1.6
* Prefer 5.1 over 5.2 because 5.1 is LTS
* Fixes issue #544 (partly) and issue #552
---
Directory.Packages.props | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index d7ed9123..0dd35b2f 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -11,7 +11,7 @@
-
+
@@ -28,4 +28,4 @@
-
\ No newline at end of file
+
From 6798ef637c93d090b1410c568c554a9435402a59 Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:05:26 +0200
Subject: [PATCH 2/8] Fixed vulnerabilities by removing all System.* 4 versions
as recommended by Microsoft
(https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions)
Related issue: #544
---
Directory.Packages.props | 6 ------
.../Serilog.Sinks.MSSqlServer.Tests.csproj | 8 --------
2 files changed, 14 deletions(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 0dd35b2f..8869cf59 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -5,12 +5,6 @@
-
-
-
-
-
-
diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj
index 296dcb72..828477ca 100644
--- a/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Serilog.Sinks.MSSqlServer.Tests.csproj
@@ -38,8 +38,6 @@
-
-
@@ -47,12 +45,6 @@
-
-
-
-
-
-
runtime; build; native; contentfiles; analyzers; buildtransitive
all
From 921d1e99882b694d0399894fa3fd7aaca5f93a8f Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:09:09 +0200
Subject: [PATCH 3/8] Fixed vulnerability by updating xunit
* Fixed vulnerability by updating xunit to 2.9.0.
* Fixed new warnings in test code.
Related issue: #544
Related Work Items: #5
---
Directory.Packages.props | 4 +--
.../Sinks/MSSqlServer/MSSqlServerSinkTests.cs | 2 +-
.../Platform/SqlBulkBatchWriterTests.cs | 36 +++++++++----------
.../Platform/SqlInsertStatementWriterTests.cs | 2 +-
.../Sinks/MSSqlServer/SqlServerColumnTests.cs | 2 +-
5 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 8869cf59..1a21d3fc 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -15,8 +15,8 @@
-
-
+
+
diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs
index fa91f233..ca886b17 100644
--- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/MSSqlServerSinkTests.cs
@@ -162,7 +162,7 @@ public async Task EmitBatchAsyncCallsSqlLogEventWriter()
});
// Act
- await _sut.EmitBatchAsync(logEvents).ConfigureAwait(false);
+ await _sut.EmitBatchAsync(logEvents);
// Assert
_sqlBulkBatchWriter.Verify(w => w.WriteBatch(It.IsAny>(), _dataTable), Times.Once);
diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs
index d7d83a4f..2de6712e 100644
--- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlBulkBatchWriterTests.cs
@@ -72,7 +72,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once);
@@ -86,7 +86,7 @@ public async Task WriteBatchCallsSqlConnectionFactoryCreate()
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlConnectionFactoryMock.Verify(f => f.Create(), Times.Once);
@@ -99,7 +99,7 @@ public async Task WriteBatchCallsSqlConnectionWrapperOpenAsync()
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlConnectionWrapperMock.Verify(c => c.OpenAsync(), Times.Once);
@@ -113,7 +113,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopy()
var expectedDestinationTableName = string.Format(CultureInfo.InvariantCulture, "[{0}].[{1}]", _schemaName, _tableName);
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(false, expectedDestinationTableName), Times.Once);
@@ -128,7 +128,7 @@ public async Task WriteBatchCallsSqlConnectionWrappeCreateSqlBulkCopyWithDisable
var sut = new SqlBulkBatchWriter(_tableName, _schemaName, true, _sqlConnectionFactoryMock.Object, _logEventDataGeneratorMock.Object);
// Act
- await sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlConnectionWrapperMock.Verify(c => c.CreateSqlBulkCopy(true, expectedDestinationTableName), Times.Once);
@@ -145,7 +145,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperAddSqlBulkCopyColumnMappingFo
_dataTable.Columns.Add(new DataColumn(column2Name));
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlBulkCopyWrapper.Verify(c => c.AddSqlBulkCopyColumnMapping(column1Name, column1Name), Times.Once);
@@ -159,7 +159,7 @@ public async Task WriteBatchCallsSqlBulkCopyWrapperWriteToServerAsync()
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
_sqlBulkCopyWrapper.Verify(c => c.WriteToServerAsync(_dataTable), Times.Once);
@@ -172,14 +172,14 @@ public async Task WriteBatchClearsDataTable()
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents, _dataTable).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents, _dataTable);
// Assert
Assert.Empty(_dataTable.Rows);
}
[Fact]
- public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows()
+ public async Task WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThrows()
{
// Arrange
_logEventDataGeneratorMock.Setup(d => d.GetColumnsAndValues(It.IsAny()))
@@ -187,33 +187,33 @@ public void WriteBatchRethrowsIfLogEventDataGeneratorMockGetColumnsAndValuesThro
var logEvents = CreateLogEvents();
// Act + assert
- Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
+ await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
}
[Fact]
- public void WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows()
+ public async Task WriteBatchRethrowsIfSqlConnectionFactoryCreateThrows()
{
// Arrange
_sqlConnectionFactoryMock.Setup(f => f.Create()).Callback(() => throw new InvalidOperationException());
var logEvents = CreateLogEvents();
// Act + assert
- Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
+ await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
}
[Fact]
- public void WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows()
+ public async Task WriteBatchRethrowsIfSqlConnectionOpenAsyncThrows()
{
// Arrange
_sqlConnectionWrapperMock.Setup(c => c.OpenAsync()).Callback(() => throw new InvalidOperationException());
var logEvents = CreateLogEvents();
// Act + assert
- Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
+ await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
}
[Fact]
- public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows()
+ public async Task WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThrows()
{
// Arrange
_sqlBulkCopyWrapper.Setup(c => c.AddSqlBulkCopyColumnMapping(It.IsAny(), It.IsAny()))
@@ -222,11 +222,11 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterAddSqlBulkCopyColumnMappingThro
_dataTable.Columns.Add(new DataColumn("ColumnName"));
// Act + assert
- Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
+ await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
}
[Fact]
- public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows()
+ public async Task WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows()
{
// Arrange
_sqlBulkCopyWrapper.Setup(c => c.WriteToServerAsync(It.IsAny()))
@@ -234,7 +234,7 @@ public void WriteBatchRethrowsIfSqlBulkCopyWriterWriteToServerAsyncThrows()
var logEvents = CreateLogEvents();
// Act + assert
- Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
+ await Assert.ThrowsAsync(() => _sut.WriteBatch(logEvents, _dataTable));
}
private static List CreateLogEvents()
diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs
index dac3704b..34e9d9db 100644
--- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/Platform/SqlInsertStatementWriterTests.cs
@@ -192,7 +192,7 @@ public async Task WriteBatchCallsLogEventDataGeneratorGetColumnsAndValuesForEach
var logEvents = CreateLogEvents();
// Act
- await _sut.WriteBatch(logEvents).ConfigureAwait(false);
+ await _sut.WriteBatch(logEvents);
// Assert
_logEventDataGeneratorMock.Verify(c => c.GetColumnsAndValues(logEvents[0]), Times.Once);
diff --git a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs
index c1f5526c..a06eb028 100644
--- a/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs
+++ b/test/Serilog.Sinks.MSSqlServer.Tests/Sinks/MSSqlServer/SqlServerColumnTests.cs
@@ -33,7 +33,7 @@ public void StoresPropertyName()
// Assert
Assert.Equal(propertyName, sut.PropertyName);
- Assert.Equal(1, sut.PropertyNameHierarchy.Count);
+ Assert.Single(sut.PropertyNameHierarchy);
Assert.Equal(propertyName, sut.PropertyNameHierarchy[0]);
Assert.False(sut.HasHierarchicalPropertyName);
}
From 652ac19938acfdc4b7de3e9b699f4856c58f4a2d Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:11:31 +0200
Subject: [PATCH 4/8] Fixed vulnerability
https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc)
Related issue: #544
---
Directory.Packages.props | 1 +
1 file changed, 1 insertion(+)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 1a21d3fc..79f80372 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -5,6 +5,7 @@
+
From 862bb6ac3c6495866cf9267650bfbab82c9a080d Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:12:38 +0200
Subject: [PATCH 5/8] Fixed vulnerability
https://github.com/advisories/GHSA-447r-wph3-92pm
Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm)
Related issue: #544
---
Directory.Packages.props | 43 ++++++++++++++++++++--------------------
1 file changed, 22 insertions(+), 21 deletions(-)
diff --git a/Directory.Packages.props b/Directory.Packages.props
index 79f80372..1ffb3099 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -1,26 +1,27 @@
-
- true
-
-
-
-
+
+ true
+
+
+
+
+
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
-
-
-
-
-
+
+
+
+
+
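Review bot: The hunk at `@@ -1,26 +1,27 @@` removes and re-adds every line of Directory.Packages.props, and the diffstat above it reports 22 insertions and 21 deletions, for what the description calls one added package reference. That pattern usually means a line-ending or indentation normalization was committed together with the functional edit, which hides the single security-relevant line from reviewers and from `git blame` on a vulnerability fix. I would split the normalization into its own commit and keep this patch to the one added line, as PATCH 4/8 does for System.Private.Uri. The element text was lost in extraction, so I cannot confirm from the hunk which of the added lines carries the new reference.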
From 04ad485d28f5367ac4ab5944e045cb97474ce0f2 Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:13:49 +0200
Subject: [PATCH 6/8] * Fixed vulnerability by directly referencing transitive
dependency System.Formats.Asn1
(https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544) * Fixed
vulnerability by directly referencing transitive dependency
System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue
#544)
---
src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj
index 11ac0f6f..74b70748 100644
--- a/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj
+++ b/src/Serilog.Sinks.MSSqlServer/Serilog.Sinks.MSSqlServer.csproj
@@ -38,6 +38,8 @@
+
+
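Review bot: The two lines added to Serilog.Sinks.MSSqlServer.csproj pin System.Formats.Asn1 and System.Private.Uri directly in the shipped library, so every consumer of the NuGet package inherits them as dependencies, yet the hunk carries no comment recording that they exist only to override vulnerable transitive versions. Without that record such pins tend to outlive the advisory and block later upgrades. I would add an XML comment above the two lines, e.g. `<!-- Direct references only to force patched versions of transitive dependencies (GHSA-447r-wph3-92pm, GHSA-xhfc-gr8f-ffwc); remove once the upstream dependency pulls fixed versions -->`. The element names and versions were lost in extraction, so the exact package lines cannot be confirmed from the hunk.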
From 30254fd7748e8cd10879821e830ff9183302bbd5 Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:14:26 +0200
Subject: [PATCH 7/8] Activated NuGet Audit for high and critical
vulnerabilities in direct and transitive dependencies for all projects
(https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/)
Related issue: #544
---
Directory.Build.props | 7 +++++++
serilog-sinks-mssqlserver.sln | 1 +
2 files changed, 8 insertions(+)
create mode 100644 Directory.Build.props
diff --git a/Directory.Build.props b/Directory.Build.props
new file mode 100644
index 00000000..f35cc248
--- /dev/null
+++ b/Directory.Build.props
@@ -0,0 +1,7 @@
+
+
+ all
+ high
+ true
+
+
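Review bot: The three values `all`, `high` and `true` in the new Directory.Build.props enable the audit and set its scope and level, but NuGet reports audit findings as warnings (NU1901–NU1904) rather than errors, so a vulnerable package will still build successfully unless those warnings are escalated. If the intent is for the audit to gate builds, add `<WarningsAsErrors>$(WarningsAsErrors);NU1903;NU1904</WarningsAsErrors>` to the same PropertyGroup. Note also that the `high` level suppresses moderate and low advisories entirely; if the team wants them visible but not blocking, lower the level and keep only the high and critical codes in WarningsAsErrors. The element names were lost in extraction, so I am inferring them from the values and the commit description.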
diff --git a/serilog-sinks-mssqlserver.sln b/serilog-sinks-mssqlserver.sln
index 37e4c25b..ef9178ee 100644
--- a/serilog-sinks-mssqlserver.sln
+++ b/serilog-sinks-mssqlserver.sln
@@ -24,6 +24,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
.editorconfig = .editorconfig
Build.ps1 = Build.ps1
CHANGES.md = CHANGES.md
+ Directory.Build.props = Directory.Build.props
Directory.Packages.props = Directory.Packages.props
.github\ISSUE_TEMPLATE.md = .github\ISSUE_TEMPLATE.md
.github\workflows\pr-analysis-codeql.yml = .github\workflows\pr-analysis-codeql.yml
From eda07865a0a1897004b6cb7907b4662435bd0cce Mon Sep 17 00:00:00 2001
From: Christian Kadluba <10721825+ckadluba@users.noreply.github.com>
Date: Wed, 28 Aug 2024 12:15:04 +0200
Subject: [PATCH 8/8] Updated CHANGES.md
---
CHANGES.md | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/CHANGES.md b/CHANGES.md
index 67aa9c9c..e197a710 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,3 +1,11 @@
+# 6.7.1
+* Fixed issue #552 by downgrading SqlClient dependency to 5.1.6 which is LTS and fixed the vulnerabilities referenced in issue #544
+* Fixed vulnerabilities by removing all System.* 4 versions as recommended by Microsoft (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/#system-net-http-and-system-text-regularexpressions, issue #544)
+* Fixed vulnerability by updating xunit to 2.9.0 (issue #544)
+* Fixed vulnerability by directly referencing transitive dependency System.Formats.Asn1 (https://github.com/advisories/GHSA-447r-wph3-92pm, issue #544)
+* Fixed vulnerability by directly referencing transitive dependency System.Private.Uri (https://github.com/advisories/GHSA-xhfc-gr8f-ffwc, issue #544)
+* Activated NuGet Audit for high and critical vulnerabilities in direct and transitive dependencies for all projects (https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/)
+
# 6.7.0
* Fixed some of the vulnerabilities referenced in issue #544 by updating SqlClient dependency to 5.2.1
* Update codeql-action to v3 before deprecation