From 83fba666b18a5894c0f74e05c558d3a3a2de17aa Mon Sep 17 00:00:00 2001
From: Gonzalo Diaz
Date: Thu, 11 Jul 2024 09:38:13 -0400
Subject: [PATCH 1/2] [CONFIG] [Github-Actions] Snyk Open Source. Modified. Sarif output enabled.

---
 .github/workflows/{dotnet-snyk.yml => snyk-code.yml} | 11 +++++++++++
 1 file changed, 11 insertions(+)
 rename .github/workflows/{dotnet-snyk.yml => snyk-code.yml} (70%)

diff --git a/.github/workflows/dotnet-snyk.yml b/.github/workflows/snyk-code.yml
similarity index 70%
rename from .github/workflows/dotnet-snyk.yml
rename to .github/workflows/snyk-code.yml
index f338cb2..1fcc10e 100644
--- a/.github/workflows/dotnet-snyk.yml
+++ b/.github/workflows/snyk-code.yml
@@ -16,6 +16,10 @@ on: # yamllint disable-line rule:truthy
 jobs:
   security:
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@master
       - uses: snyk/actions/setup@master
@@ -26,9 +30,16 @@ jobs:
       - name: Restore dependencies
         run: dotnet restore algorithm-exercises-csharp.sln
       - name: Run Snyk to check for vulnerabilities
+        continue-on-error: true # To make sure that SARIF upload gets called
         run: >
           snyk test algorithm-exercises-csharp/
+          algorithm-exercises-csharp-base/
           algorithm-exercises-csharp-test/
+          --sarif-file-output=snyk-code.sarif
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk-code.sarif

From 02484ab6ee403267ebb3cdc56af2afad55cf21e3 Mon Sep 17 00:00:00 2001
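Review bot: `continue-on-error: true` on the Run Snyk step makes the job succeed whatever `snyk test` returns, so a High-severity finding — or a scan that never ran because `SNYK_TOKEN` was unset — no longer fails this workflow where it is used as a required check; the result only surfaces in Code Scanning. The upload step does need the scan to survive a non-zero exit, so keep the flag, give the scan step an `id`, and re-assert its pre-`continue-on-error` result with a final step gated on `steps.snyk.outcome == 'failure'`. The new file name `snyk-code.sarif` and the rename to `snyk-code.yml` suggest Snyk Code (SAST), whereas `snyk test` is the Open Source dependency scan the subject line itself names; a name such as `snyk-oss.sarif` would keep the two scanners distinguishable in Code Scanning. Not part of this change, but the surrounding context still references `actions/checkout@master` and `snyk/actions/setup@master`; pinning those to a tag or commit SHA would close the mutable-ref exposure that the new least-privilege `permissions` block otherwise narrows. The `steps` list these hunks modify begins in the first hunk and the job's `on:` trigger is outside both.
```yaml
      - name: Run Snyk to check for vulnerabilities
        id: snyk
        continue-on-error: true # To make sure that SARIF upload gets called
        # … unchanged: run / env …
      - name: Upload result to GitHub Code Scanning
        # … unchanged: uses / with …
      - name: Fail the job on Snyk findings
        if: steps.snyk.outcome == 'failure'
        run: exit 1
```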
From: Gonzalo Diaz
Date: Thu, 11 Jul 2024 10:21:33 -0400
Subject: [PATCH 2/2] [SECURITY] [CONFIG] [.NET] [Nuget] Vulnerability fixed.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTJSON-7433719] in System.Text.Json@8.0.0 introduced by Microsoft.Extensions.Logging.Console@8.0.0 > System.Text.Json@8.0.0 This issue was fixed in versions: 8.0.4
---
 .../algorithm-exercises-csharp-base.csproj | 1 +
 1 file changed, 1 insertion(+)

diff --git a/algorithm-exercises-csharp-base/algorithm-exercises-csharp-base.csproj b/algorithm-exercises-csharp-base/algorithm-exercises-csharp-base.csproj
index 1fa1884..418d63c 100644
--- a/algorithm-exercises-csharp-base/algorithm-exercises-csharp-base.csproj
+++ b/algorithm-exercises-csharp-base/algorithm-exercises-csharp-base.csproj
@@ -25,6 +25,7 @@
+