How to update .NET 8 Azure functions isolated process ".azurefunctions" outdated/vulnerable libraries

[Duranom]

When creating a .NET 8 Azure functions isolated function project and adding the Microsoft.Azure.Functions.Worker.Extensions.DurableTask (1.1.1), I get a SCA warning that the .azurefunctions folder that gets created contains some vulnerable libraries.

When I check the output of the builds I notice the .azurefunctions folder now has Azure.Identity version 1.5.0
My project itself I can force reference Azure.Identity version 1.10.4 and the bin/publish folder will use the expected version 1.10.4, but the .azurefunctions folder still has the Azure.Identity version 1.5.0

How can these be kept updated? What is the guidance in there as I would like to avoid SCA high/criticals in there as well as the .azurefunctions folder is uploaded and used.

[kshyju]

Are you using the latest versions of the nuget packages? Can you share what versions are you using in your .csproj?

[Duranom]

Yes, all of the latest for all of them.

Here is a sample with a fresh created azure function project through visual studio template:

• Csproj has been updated to the following:

<Project Sdk="Microsoft.NET.Sdk">
	<PropertyGroup>
		<TargetFramework>net8.0</TargetFramework>
		<AzureFunctionsVersion>v4</AzureFunctionsVersion>
		<OutputType>Exe</OutputType>
		<PublishReadyToRun>true</PublishReadyToRun>
	</PropertyGroup>
	
	<ItemGroup>
		<PackageReference Include="Azure.Identity" Version="1.10.4" />
		<PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" />
		<PackageReference Include="Microsoft.ApplicationInsights.WorkerService" Version="2.22.0" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker" Version="1.21.0" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http.AspNetCore" Version="1.2.1" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.DurableTask" Version="1.1.1" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Http" Version="3.1.0" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker.Sdk" Version="1.17.0" />
		<PackageReference Include="Microsoft.Azure.Functions.Worker.ApplicationInsights" Version="1.2.0" />
	</ItemGroup>
	<ItemGroup>
		<Using Include="System.Threading.ExecutionContext" Alias="ExecutionContext" />
	</ItemGroup>
	<ItemGroup>
		<None Update="host.json">
			<CopyToOutputDirectory>Always</CopyToOutputDirectory>
		</None>
		<None Update="local.settings.json">
			<CopyToOutputDirectory>Always</CopyToOutputDirectory>
			<CopyToPublishDirectory>Never</CopyToPublishDirectory>
		</None>
	</ItemGroup>
</Project>

Then go to the bin folder and check the version within the directory net8.0 and that of the sub-directory azure.identity:

• net8.0 has version 1.10.4
• net8.0\.azurefunctions has version 1.5.0

[facundoam]

I have the same issue/concern. Also updated all the packages to the latest version and Azure.Identity.dll is still 1.5.0 showing as High/Critical in the Wiz reports.

Is there a way to update the .azurefunctions packages? Is it something we should be afraid of?

Thanks!

[fabiocav]

This is being tracked by the Durable Functions team here: Azure/azure-functions-durable-extension#2765

Closing the discussion as there's no additional action on this repo, but let us know if you have any questions.

[Duranom]

Ok I guess it will be handled when it uses a the latest functions sdk and the vulnerability check bullet points. Will keep an eye out there.

Just to be clear. If in the future any functions extension package refers to a vulnerable library, the only way to have that library in the generated .azurefunctions folder patched officially is to wait for an update of the extension that causes it. Is that correct?

Or is it possible to replace such a library in the .azurefunctions folder with a patched version without any potential issue's if it has no breaking changes in it for forward compatibility, like Azure.Identity normally is. (Didn't test this myself yet)