
Security alerts on MQTTnet.AspNetCore #1943

Open
milbrandt opened this issue Mar 4, 2024 · 3 comments
Labels
feature-request New feature or request

Comments

@milbrandt
Contributor

Describe the feature request

Analyzing our application with Mend.io revealed 4 security alerts from transitive libraries brought in by MQTTnet.AspNetCore.

| Library | Severity | Vulnerability |
|---|---|---|
| system.net.websockets.websocketprotocol.4.5.1 | High | CVE-2019-0564 |
| microsoft.aspnetcore.websockets.2.2.0 | Medium | CVE-2019-0548 |
| microsoft.aspnetcore.websockets.2.2.0 | High | CVE-2019-0564 |
| newtonsoft.json.11.0.2 | High | CVE-2024-21907 |

Which project is your feature request related to?

MQTTnet.AspNetCore 4.3.3.952

Describe the solution you'd like

Upgrading the required libraries in the NuGet spec. My temporary workaround is to add the following package references to my project file:

```xml
<!-- Vulnerabilities in MQTTnet.AspNetCore 4.3.3.952 -->
<ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.WebSockets" Version="2.2.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="System.Text.Encodings.Web" Version="8.0.0" />
</ItemGroup>
```

Describe alternatives you've considered

Upgrading higher-level NuGets to fix the issues, as microsoft.aspnetcore.http.connections.1.1.0 depends on several of these libraries:

```text
microsoft.aspnetcore.http.connections.1.1.0 -> microsoft.aspnetcore.websockets.2.2.0 -> system.net.websockets.websocketprotocol.4.5.1
microsoft.aspnetcore.http.connections.1.1.0 -> newtonsoft.json.11.0.2
```

Additional context

@milbrandt milbrandt added the feature-request New feature or request label Mar 4, 2024
@SeppPenner
Collaborator

SeppPenner commented Mar 4, 2024

We should maybe check these dependencies within the project itself.

With the following settings in the projects:

```xml
<NoWarn>NU1803;NU1901;NU1902</NoWarn>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<NuGetAuditMode>all</NuGetAuditMode>
<NuGetAudit>true</NuGetAudit>
```

this can be checked automatically within Visual Studio.

Explanation:

- `<NoWarn>NU1803;NU1901;NU1902</NoWarn>`:
  --> NU1803 suppresses errors if an internal NuGet feed is used without HTTPS (I guess we don't need this here)
  --> NU1901 and NU1902 suppress package vulnerabilities with low impact (Might be useful if no patches are there yet?)

- `<TreatWarningsAsErrors>true</TreatWarningsAsErrors>`
  --> Treats all warnings as errors, which means that if a package dependency has security issues, the build will fail

- `<NuGetAuditMode>all</NuGetAuditMode>`
  --> Checks direct and transitive packages

- `<NuGetAudit>true</NuGetAudit>`
  --> Turns the audit mode off or on

@chkr1011 Just as an idea to get notified when such issues occur in the future. Read https://learn.microsoft.com/en-us/nuget/concepts/auditing-packages for detailed information.
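The MSBuild audit properties above catch vulnerable transitive packages at restore time inside the IDE; the same check is useful as a CI gate. The script below is an added example, not code from this issue or from the MQTTnet project: it runs `dotnet list package --vulnerable --include-transitive --format json` (a real dotnet CLI command), flattens direct and transitive findings, and fails the build at a chosen severity threshold. The JSON field names it reads (`projects`, `frameworks`, `topLevelPackages`, `transitivePackages`, `vulnerabilities`, `severity`, `advisoryurl`) are my reading of the CLI's machine-readable output and should be treated as an assumption; `SAMPLE_REPORT` is constructed data shaped like the transitive packages in the issue's table, with placeholder advisory URLs.

```python
"""CI gate over `dotnet list package --vulnerable --include-transitive --format json`.

Added example; not code from the MQTTnet issue or project. The JSON layout
assumed here (projects -> frameworks -> topLevelPackages / transitivePackages
-> vulnerabilities with "severity" and "advisoryurl") is an assumption about
the dotnet CLI output. SAMPLE_REPORT is constructed data with placeholder URLs.
"""
import json
import subprocess
import sys

# NuGet's four advisory levels, in the order NU1901..NU1904 report them.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample: roughly what auditing a project that references only
# MQTTnet.AspNetCore 4.3.3.952 could report. Advisory URLs are placeholders.
SAMPLE_REPORT = {
    "version": 1,
    "parameters": "--vulnerable --include-transitive",
    "projects": [{
        "path": "src/App/App.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [
                {"id": "MQTTnet.AspNetCore", "requestedVersion": "4.3.3.952",
                 "resolvedVersion": "4.3.3.952", "vulnerabilities": []},
            ],
            "transitivePackages": [
                {"id": "Microsoft.AspNetCore.WebSockets", "resolvedVersion": "2.2.0",
                 "vulnerabilities": [
                     {"severity": "Moderate", "advisoryurl": "https://example.invalid/CVE-2019-0548"},
                     {"severity": "High", "advisoryurl": "https://example.invalid/CVE-2019-0564"}]},
                {"id": "System.Net.WebSockets.WebSocketProtocol", "resolvedVersion": "4.5.1",
                 "vulnerabilities": [
                     {"severity": "High", "advisoryurl": "https://example.invalid/CVE-2019-0564"}]},
                {"id": "Newtonsoft.Json", "resolvedVersion": "11.0.2",
                 "vulnerabilities": [
                     {"severity": "High", "advisoryurl": "https://example.invalid/CVE-2024-21907"}]},
            ],
        }],
    }],
}


def run_dotnet_audit(project_path: str) -> dict:
    """Run the dotnet CLI audit for a project or solution and parse its JSON."""
    proc = subprocess.run(
        ["dotnet", "list", project_path, "package", "--vulnerable",
         "--include-transitive", "--format", "json"],
        capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def collect_findings(report: dict) -> list:
    """Flatten one vulnerability per row, tagging direct vs. transitive scope."""
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for scope, key in (("direct", "topLevelPackages"),
                               ("transitive", "transitivePackages")):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append({
                            "project": project.get("path", "?"),
                            "framework": fw.get("framework", "?"),
                            "scope": scope,
                            "package": pkg["id"],
                            "version": pkg.get("resolvedVersion", "?"),
                            "severity": str(vuln.get("severity", "unknown")).lower(),
                            "advisory": vuln.get("advisoryurl", ""),
                        })
    return findings


def failing_findings(findings: list, threshold: str = "moderate") -> list:
    """Findings at or above the threshold. Unrecognised severities fail closed."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], SEVERITY_RANK["critical"]) >= floor]


def format_findings(findings: list) -> str:
    """One line per finding, severity first so the report sorts visually."""
    return "\n".join(
        f"{f['severity']:<9} {f['scope']:<10} {f['package']} {f['version']}  "
        f"[{f['framework']}] {f['advisory']}"
        for f in findings)


def main(argv: list) -> int:
    threshold = "moderate"
    report = run_dotnet_audit(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    findings = collect_findings(report)
    failing = failing_findings(findings, threshold)
    print(format_findings(findings) or "no vulnerable packages reported")
    if failing:
        print(f"\n{len(failing)} finding(s) at or above '{threshold}'; failing the build")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the gate applied to the constructed sample, or pass a project or solution path to audit a real restore. Because the scan includes transitive packages, the three libraries pulled in through microsoft.aspnetcore.http.connections appear even though only MQTTnet.AspNetCore is referenced directly, which is the situation the issue describes; pinning newer versions with direct `PackageReference` entries, as in the workaround above, is what makes these rows disappear.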

@chkr1011
Collaborator

Support for old versions is dropped in version 5 of the library so that the warnings will also disappear.
@SeppPenner Do you want to create the PR for version 5 so that we get errors when we have security issues?

@milbrandt
Contributor Author

Does dropping support mean that there is no longer any possibility to use MQTTnet with net48 or netstandard2.0?
Unfortunately, this is one of our use cases: the vendor of some hardware component (CNC control) only offers full framework libraries, and the hardware will still be used by our customers for several years (decades).
Only the latest hardware generation is now supported by .NET 5+.

.NET 4.8 as such will still be supported by Microsoft for several years; there is no end date announced yet: https://learn.microsoft.com/en-us/lifecycle/products/microsoft-net-framework.
