
fix: Patch security vulnerabilities - Remove AutoMapper (GHSA-rvv3-g6hj-g44x), fix System.Text.RegularExpressions CVE, remove ASP.NET Core 2.2 EOL packages#2740

Merged: tomkerkhove merged 1 commit into tomkerkhove:master from Krishna-Chaitanya4:fix/automapper-vulnerability-upgrade on Mar 27, 2026

Conversation

@Krishna-Chaitanya4
Contributor

@Krishna-Chaitanya4 Krishna-Chaitanya4 commented Mar 19, 2026

Summary

Patches multiple security vulnerabilities flagged by scanners.

Vulnerabilities Fixed

| Vulnerability | Package | Severity | Fix |
|---|---|---|---|
| GHSA-rvv3-g6hj-g44x | AutoMapper 12.0.1 | High | Removed - replaced with hand-written V1ConfigurationMapper |
| GHSA-cmhx-cq75-c4mj | System.Text.RegularExpressions 4.3.0 | High | Pinned to 4.3.1 in 12 projects |
| EOL packages | Microsoft.AspNetCore.Mvc 2.2.0, Microsoft.AspNetCore.Mvc.Formatters.Json 2.2.0 | Scanner flag | Replaced with FrameworkReference to Microsoft.AspNetCore.App |

Changes

AutoMapper Removal (GHSA-rvv3-g6hj-g44x)

  • Removed AutoMapper 12.0.1 and AutoMapper.Extensions.Microsoft.DependencyInjection from Scraper, Core.Scraping, and Tests.Unit
  • Created V1ConfigurationMapper - hand-written mapper with dictionary-based resource type dispatch, replacing V1MappingProfile
  • Deleted V1MappingProfile.cs and AutoMapperTests.cs
  • Updated Startup.cs, ConfigurationSerializer.cs, and all test files to use V1ConfigurationMapper

System.Text.RegularExpressions CVE (GHSA-cmhx-cq75-c4mj)

  • Pinned System.Text.RegularExpressions to 4.3.1 in 12 affected .csproj files

ASP.NET Core 2.2 EOL Packages

  • Removed Microsoft.AspNetCore.Mvc 2.2.0 and Microsoft.AspNetCore.Mvc.Formatters.Json 2.2.0
  • Added FrameworkReference to Microsoft.AspNetCore.App (standard .NET 8 pattern for class libraries)

Other

  • Removed deprecated DotNetCliToolReference for CodeGeneration.Tools 2.0.4
  • Removed UTF-8 BOM from Dockerfile.linux files
  • Updated RuntimeFrameworkVersion 8.0.24 to 8.0.25, Docker base images to 8.0.25

Verification

  • Build: 0 errors, 0 warnings
  • Vulnerability scan: No vulnerable packages found (dotnet list package --vulnerable --include-transitive)
  • Docker build: Both Scraper and ResourceDiscovery images build successfully
  • Unit tests: 1542 passed, 0 failed
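
The verification list above runs `dotnet list package --vulnerable --include-transitive` by hand. As an added example (not code from this PR or from the Promitor project), the POSIX shell gate below turns that scan into a CI check that fails when the report lists any flagged package, direct or transitive. The report layout and both sample reports are constructed assumptions rather than captured scanner output, so confirm the row format against a real run before relying on it.

```shell
#!/bin/sh
# Added example, not part of the PR: fail CI when `dotnet list package --vulnerable
# --include-transitive` reports any flagged package, direct or transitive.
# Assumption: the report is saved to a file first, e.g.
#   dotnet list package --vulnerable --include-transitive > vuln-report.txt
# The row layout (a ">" marker before each flagged package) is reproduced from memory
# of the dotnet CLI table, so treat it as an assumption and check it locally.

# Count flagged package rows: the CLI prefixes each one with ">".
count_vulnerable_packages() {
    grep -c '^[[:space:]]*>' "$1" || true
}

# Print the advisory IDs (GHSA-...) named in the report, one per line, de-duplicated.
list_advisories() {
    grep -o 'GHSA-[A-Za-z0-9-]*' "$1" | sort -u
}

# Exit 0 when the report is clean, 1 when any package is flagged (the CI gate).
vuln_scan_is_clean() {
    [ "$(count_vulnerable_packages "$1")" -eq 0 ]
}

# Constructed sample reports (not real output from this PR's scan).
VULN_REPORT=$(mktemp)
cat > "$VULN_REPORT" <<'EOF'
Project `Promitor.Core.Scraping` has the following vulnerable packages
   [net8.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
      > AutoMapper          12.0.1      12.0.1     High       https://github.com/advisories/GHSA-rvv3-g6hj-g44x
   Transitive Package                   Resolved   Severity   Advisory URL
      > System.Text.RegularExpressions  4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj
EOF

CLEAN_REPORT=$(mktemp)
printf 'The given project `Promitor.Core.Scraping` has no vulnerable packages given the current sources.\n' > "$CLEAN_REPORT"

# Typical CI usage: run the scan into a file, then gate the job on the result.
if vuln_scan_is_clean "$VULN_REPORT"; then
    echo "clean"
else
    echo "vulnerable packages found:"
    list_advisories "$VULN_REPORT"
fi
```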

@github-actions

Thank you for your contribution! 🙏 We will review it as soon as possible.

Krishna-Chaitanya4 force-pushed the fix/automapper-vulnerability-upgrade branch 3 times, most recently from ea01ca5 to 841b989 on March 24, 2026 15:43
Krishna-Chaitanya4 changed the title from "fix: Upgrade AutoMapper 12.0.1 to 15.1.3 to resolve high severity vulnerability GHSA-rvv3-g6hj-g44x" to "fix: Remove AutoMapper dependency to resolve high severity vulnerability GHSA-rvv3-g6hj-g44x" on Mar 24, 2026
Krishna-Chaitanya4 force-pushed the fix/automapper-vulnerability-upgrade branch 5 times, most recently from 9636c42 to c0473c9 on March 26, 2026 09:48
Krishna-Chaitanya4 changed the title from "fix: Remove AutoMapper dependency to resolve high severity vulnerability GHSA-rvv3-g6hj-g44x" to "fix: Patch security vulnerabilities - Remove AutoMapper (GHSA-rvv3-g6hj-g44x), fix System.Text.RegularExpressions CVE, remove ASP.NET Core 2.2 EOL packages" on Mar 26, 2026
Commit: ….RegularExpressions CVE, ASP.NET Core 2.2 EOL, Dockerfile BOM cleanup
Krishna-Chaitanya4 force-pushed the fix/automapper-vulnerability-upgrade branch from c0473c9 to 8552d12 on March 26, 2026 11:00
@tomkerkhove
Owner

/azp run "Promitor CI - Scraper Agent"

@azure-pipelines

No pipelines are associated with this pull request.

tomkerkhove enabled auto-merge (squash) on March 27, 2026 11:48
@tomkerkhove
Owner

/azp run

@azure-pipelines

Azure Pipelines successfully started running 2 pipeline(s).

tomkerkhove merged commit 837a028 into tomkerkhove:master on Mar 27, 2026 (20 of 25 checks passed)
@tomkerkhove
Owner

@Krishna-Chaitanya4 Please monitor main CI; this was not intended to merge already.
