[FEATURE REQ] Document which azure-identity dependencies are optional #18733

Closed
2 tasks done
knutwannheden opened this issue Jan 21, 2021 · 5 comments
Labels
Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. Docs question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@knutwannheden

Is your feature request related to a problem? Please describe.
The current azure-identity artifact has some dependencies which will typically only be used at build time. For instance there is a dependency on org.linguafranca.pwdb:KeePassJava2 which is used by the IntelliJCredential implementation. For our production deployment we don't want to pull in this dependency. One reason being is that it transitively depends on org.simpleframework:simple-xml:jar:2.7.1 which has a CVE (see https://nvd.nist.gov/vuln/detail/CVE-2017-1000190). But it also pulls in some other heavy-weight dependencies.

The same may be true for other implementations like VisualStudioCodeCredential.

Describe the solution you'd like
At the very least I would like the documentation to describe which dependencies are only tied to specific non-essential features (like for example IntelliJCredential) and that it is safe to exclude them if this feature is not required. Also it should be documented how to exclude the dependencies.

Describe alternatives you've considered
Alternatives would be to declare the dependencies as optional and document that they must be provided by the client application.

Yet another possibility would be to provide separate Maven artifacts for the various use cases.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Description Added
  • Expected solution specified
@ghost ghost added needs-triage This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 21, 2021
@joshfree joshfree added Azure.Identity Client This issue points to a problem in the data-plane of the library. Docs labels Jan 26, 2021
@ghost ghost removed the needs-triage This is a new issue that needs to be triaged to the appropriate team. label Jan 26, 2021
@joshfree joshfree added this to the [2021] February milestone Jan 26, 2021
@joshfree
Member

Thanks for filing this issue @knutwannheden. We can improve the documentation to make the optional dependencies more clear. @g2vinay can you please follow up?

@knutwannheden
Author

AFAICT the dependencies are not declared as optional in the Maven module, so perhaps a hint at how to exclude them using the corresponding Maven mechanism would also make sense.
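The Maven exclusion mechanism mentioned in the comment above, as an added example that is not from the issue or from the azure-identity project itself. It assumes a plain pom.xml and uses the artifact coordinates and version 1.2.5 that appear later in this thread; the exclusion removes KeePassJava2, which only IntelliJCredential needs, and with it the transitive org.simpleframework:simple-xml affected by CVE-2017-1000190.

```xml
<!-- Added example: exclude the KeePassJava2 dependency that is only needed by IntelliJCredential. -->
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.2.5</version>
  <exclusions>
    <!-- Excluding this artifact also drops its transitive
         org.simpleframework:simple-xml:2.7.1 (CVE-2017-1000190). -->
    <exclusion>
      <groupId>org.linguafranca.pwdb</groupId>
      <artifactId>KeePassJava2</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

Confirm the result with `mvn dependency:tree -Dincludes=org.linguafranca.pwdb,org.simpleframework`, which should list no matching artifacts; once excluded, IntelliJCredential can no longer be used by the application, so this is only appropriate for deployments that rely on other credential types (for example ManagedIdentityCredential).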

@jylipaa

jylipaa commented Feb 11, 2021

This CVE has been open since 2017 and gets a CVSS score of 9.1 CRITICAL.

Documentation regarding how to avoid getting this dependency is a good start, but wouldn't it be better to fix the issue?

@janitorr

Since org.linguafranca.pwdb:KeePassJava2 is used by IntelliJCredential, we managed to get around this by using ManagedIdentityCredentialBuilder instead of DefaultIdentityBuilder on deployment.

@g2vinay
Member

g2vinay commented May 6, 2021

@knutwannheden

Thanks for your request.
The optional dependencies have been documented and released in the latest release.

```xml
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.2.5</version>
</dependency>
```

In general, we are working to drop the KeePass dependency in one of our upcoming releases.
Thanks.

Let us know if you need any further assistance.

@g2vinay g2vinay closed this as completed May 6, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023