Fix vulnerability found in Microsoft.AspNetCore dependency #295

Closed
opened 2025-12-29 08:25:39 +01:00 by adam · 16 comments

Originally created by @APIWT on GitHub (Sep 28, 2020).

Originally assigned to: @StefH on GitHub.

**Is your feature request related to a problem? Please describe.**
Our application is scanned with Snyk, and the results of the scan have this popping up:

```
✗ High severity vulnerability found in Microsoft.AspNetCore
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
  Introduced through: WireMock.Net@1.2.18
  From: WireMock.Net@1.2.18 > Microsoft.AspNetCore@2.2.0
```

**Describe the solution you'd like**
My guess is that it would be possible to get rid of the dependency on `Microsoft.AspNetCore` for projects targeting `netcoreapp3.1` (though honestly this isn't my area of expertise).

**Describe alternatives you've considered**
I could likely suppress this warning since we only use `WireMock.Net` in our test projects, but I don't know if I can get our customer to buy in on this.

**Additional context**
I really appreciate any help or consideration here!

adam added the feature label 2025-12-29 08:25:39 +01:00
adam closed this issue 2025-12-29 08:25:40 +01:00

@StefH commented on GitHub (Sep 28, 2020):

Hello @APIWT,
I see that WhiteSource also describes the same issue:
![image](https://user-images.githubusercontent.com/249938/94450593-bd30e400-01ad-11eb-8f53-6fea29259886.png)

I'll take a look on how to fix this.


@APIWT commented on GitHub (Sep 28, 2020):

Thanks @StefH! Please let me know if there is anything I can do to help.


@StefH commented on GitHub (Sep 28, 2020):

Can you try `WireMock.Net.1.3.0-ci-13770` from MyGet? (https://github.com/WireMock-Net/WireMock.Net/wiki/MyGet-preview-versions)


@APIWT commented on GitHub (Sep 28, 2020):

I think I may be doing something silly, but I am getting an error in the restore step. Here is my `nuget.config`:

```
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <packageSources>
        <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
        <add key="MyGet" value="https://www.myget.org/F/wiremock-net/api/v3/index.json" />
    </packageSources>
</configuration>
```

Here is the restore error:

```
error NU1102: Unable to find package WireMock.Net with version (= 1.3.0-ci-13770)
```

@APIWT commented on GitHub (Sep 28, 2020):

@StefH So I figured out the restore issue. Here are the two vulnerabilities that appear when I use the preview release:

```
✗ Medium severity vulnerability found in Microsoft.AspNetCore.Server.IIS
  Description: Open Redirect
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORESERVERIIS-451561
  Introduced through: WireMock.Net@1.3.0-ci-13770
  From: WireMock.Net@1.3.0-ci-13770 > Microsoft.AspNetCore@2.2.0 > Microsoft.AspNetCore.Server.IIS@2.2.0
  Fixed in: 2.2.6

✗ High severity vulnerability found in Microsoft.AspNetCore
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
  Introduced through: WireMock.Net@1.3.0-ci-13770
  From: WireMock.Net@1.3.0-ci-13770 > Microsoft.AspNetCore@2.2.0
```

@StefH commented on GitHub (Sep 28, 2020):

1] Should be fixed, please install new MyGet version (can take a few minutes to build and to become available...)

2]
https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORE-174184
Remediation
**There is no fixed version for Microsoft.AspNetCore.**


@APIWT commented on GitHub (Sep 28, 2020):

Hey again! For number 2, I think it is possible to fix this for applications targeting netcoreapp3.1 which use the `Microsoft.NET.Sdk.Web` SDK. These do not actually need to use `Microsoft.AspNetCore` as far as I can tell. Does that make sense? The `Microsoft.AspNetCore` package is end of life.


@APIWT commented on GitHub (Sep 28, 2020):

Here is some supporting documentation if it helps: https://docs.microsoft.com/en-us/aspnet/core/migration/22-to-30?view=aspnetcore-3.1&tabs=visual-studio#remove-obsolete-package-references


@StefH commented on GitHub (Sep 28, 2020):

Can you test if item `1]` is solved?

About item 2:
Maybe adding a new target with .NET Core 3.1 could solve it, however I don't know yet the replacement for Microsoft.AspNetCore. I'll need to take a look....


@StefH commented on GitHub (Sep 29, 2020):

For now, I think the best I could do is done now.

In case you want to use WireMock in a NetCoreApp 3.1 hosted application, I think the best way to move forward is to follow this idea: https://github.com/WireMock-Net/WireMock.Net/issues/498

What do you think about that?


@StefH commented on GitHub (Sep 29, 2020):

@APIWT Is it ok that I close this issue and create a new NuGet?


@APIWT commented on GitHub (Sep 29, 2020):

Sure! It is funny that you mention that approach, we do something similar for a mobile app.


@StefH commented on GitHub (Sep 29, 2020):

OK, Please keep a watch on #498 and add a comment if needed.


@APIWT commented on GitHub (Sep 29, 2020):

@StefH Good news, I think I may have a possible solution that doesn't require removing the wire portion of WireMock.Net :)

I was able to add `netcoreapp3.0;netcoreapp3.1` to `<TargetFrameworks>` inside the csproj.

Next, I changed:

```
<PropertyGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1' or '$(TargetFramework)' == 'netcoreapp2.2'">
```

To:

```
<PropertyGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1' or '$(TargetFramework)' == 'netcoreapp2.2' or '$(TargetFramework)' == 'netcoreapp3.0' or '$(TargetFramework)' == 'netcoreapp3.1'">
```

Then I added the following ItemGroup:

```
<ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp3.0' or '$(TargetFramework)' == 'netcoreapp3.1'">
  <FrameworkReference Include="Microsoft.AspNetCore.App" />
  <!-- https://github.com/WireMock-Net/WireMock.Net/issues/448 -->
  <PackageReference Include="CS-Script.Core" Version="1.3.1" />
</ItemGroup>
```

The magic here is that I use a `FrameworkReference` instead of the `PackageReference` stuff for `Microsoft.AspNetCore`.

Lastly, I needed to make a minor tweak to `HttpClientHandler` in `CreateHttpClient`. I changed:

```
#if NETSTANDARD
```

To:

```
#if NETSTANDARD || USE_ASPNETCORE
```

This seems to allow me to target netcoreapp3.0 and netcoreapp3.1 without an underlying reference to the `Microsoft.AspNetCore*` packages.

Is this something that we could potentially see in a future release?

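The fix above replaces a `PackageReference` to the end-of-life `Microsoft.AspNetCore` 2.x package with a `FrameworkReference` to the `Microsoft.AspNetCore.App` shared framework for the netcoreapp3.x targets, so the scanner no longer sees the vulnerable package in the dependency graph. The following script is an added example (not part of this thread and not code from the WireMock.Net project) that checks a multi-targeted csproj for exactly that pattern, so a supply-chain review can catch a netcoreapp3.x target that still pulls in `Microsoft.AspNetCore*` packages or lacks the shared-framework reference. The sample project file is constructed for the example, modelled on the fragments quoted in the thread, and the `Condition` evaluator only understands the `'$(TargetFramework)' == '...'` clauses joined with `or` that appear there; both are assumptions of the example.

```python
"""Audit a multi-targeted csproj for netcoreapp3.x targets that still depend on
the Microsoft.AspNetCore* packages via PackageReference instead of a
FrameworkReference to the Microsoft.AspNetCore.App shared framework.

Added example; not code from the WireMock.Net project."""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample project file, modelled on the csproj fragments quoted in
# the thread. It is NOT the real WireMock.Net.csproj.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>netstandard2.0;netcoreapp2.2;netcoreapp3.0;netcoreapp3.1</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1' or '$(TargetFramework)' == 'netcoreapp2.2' or '$(TargetFramework)' == 'netcoreapp3.1'">
    <PackageReference Include="Microsoft.AspNetCore" Version="2.2.0" />
  </ItemGroup>
  <ItemGroup Condition=" '$(TargetFramework)' == 'netcoreapp3.1'">
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>
</Project>
"""

# Matches one clause of the form '$(TargetFramework)' == 'netcoreapp3.1'.
TFM_CLAUSE = re.compile(r"'\$\(TargetFramework\)'\s*==\s*'([^']+)'")

# Package ids worth flagging under a netcoreapp3.x target: the ASP.NET Core 2.x
# meta package and its sub packages, as seen in the Snyk output in this thread.
FLAGGED_PREFIX = "Microsoft.AspNetCore"
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"


def condition_applies(condition: Optional[str], tfm: str) -> bool:
    """Return True if an MSBuild Condition selects the given target framework.

    Assumption: only the simple form used in the thread is understood, i.e.
    equality clauses joined with 'or'. Any other expression is treated as not
    applying to the target."""
    if condition is None or not condition.strip():
        return True  # an unconditional ItemGroup applies to every target
    return tfm in TFM_CLAUSE.findall(condition)


def target_frameworks(root: ET.Element) -> list:
    """Collect the project's targets from <TargetFrameworks> and/or <TargetFramework>."""
    tfms = []
    for group in root.iter("PropertyGroup"):
        multi = group.find("TargetFrameworks")
        if multi is not None and multi.text:
            tfms.extend(t.strip() for t in multi.text.split(";") if t.strip())
        single = group.find("TargetFramework")
        if single is not None and single.text:
            tfms.append(single.text.strip())
    return tfms


def audit_csproj(xml_text: str) -> list:
    """For every netcoreapp3.x target, list the Microsoft.AspNetCore* PackageReferences
    that apply to it and whether the shared-framework FrameworkReference is present."""
    root = ET.fromstring(xml_text)
    findings = []
    for tfm in target_frameworks(root):
        if not tfm.startswith("netcoreapp3."):
            continue
        packages = []
        has_framework_ref = False
        for group in root.iter("ItemGroup"):
            if not condition_applies(group.get("Condition"), tfm):
                continue
            for ref in group.findall("PackageReference"):
                if ref.get("Include", "").startswith(FLAGGED_PREFIX):
                    packages.append(ref.get("Include"))
            for ref in group.findall("FrameworkReference"):
                if ref.get("Include") == SHARED_FRAMEWORK:
                    has_framework_ref = True
        findings.append({"tfm": tfm, "packages": packages,
                         "framework_reference": has_framework_ref})
    return findings


def report(findings: list) -> list:
    """One message per target, so a CI step can print them or fail on the first problem."""
    messages = []
    for f in findings:
        if f["packages"]:
            messages.append(f"{f['tfm']}: replace PackageReference(s) {', '.join(f['packages'])} "
                            f"with <FrameworkReference Include=\"{SHARED_FRAMEWORK}\" />")
        elif not f["framework_reference"]:
            messages.append(f"{f['tfm']}: no FrameworkReference to {SHARED_FRAMEWORK} for this target")
        else:
            messages.append(f"{f['tfm']}: OK")
    return messages


if __name__ == "__main__":
    for line in report(audit_csproj(SAMPLE_CSPROJ)):
        print(line)
```

Run against the constructed sample, the script flags `netcoreapp3.1` because the first `ItemGroup` condition still lists it and so keeps the `Microsoft.AspNetCore` 2.2.0 package in that target's graph, and flags `netcoreapp3.0` because no `ItemGroup` gives it the shared-framework reference at all; a clean project yields `OK` for both. Point `audit_csproj` at the real project file's contents to run the same check in CI.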

@StefH commented on GitHub (Sep 29, 2020):

You can make PR for this.


@APIWT commented on GitHub (Sep 30, 2020):

Great news, I just tried out CI build 13791 and Snyk is very happy :)

I really appreciate your help.

Reference: starred/WireMock.Net#295