2 | 2 |
3 | 3 | ## Open |
4 | 4 |
5 | | -### ISSUE-031: Transitive `System.Security.Cryptography.Xml 8.0.2` high-severity CVE (NU1903) via TaskScheduler integration tests |
6 | | -- **Severity:** High (CVE, but surface is test-only) |
7 | | -- **Source:** Phase 2 (dependency-refresh milestone) — surfaced during Debug build after bumping low-risk packages |
8 | | -- **Repo:** DotNetWorkQueue (this repo) |
9 | | -- **Status:** **Resolved** — Phase 3 Wave 5 PLAN-5.1, 2026-04-17. Added `<PackageVersion Include="System.Security.Cryptography.Xml" Version="10.0.6" />` to `Source/Directory.Packages.props` and `<PackageReference>` to TaskScheduler.Integration.Tests.csproj. NU1903 grep on `dotnet build -c Debug` output returns 0 matches for this package. |
10 | | -- **Files:** |
11 | | - - `Source/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Integration.Tests/*.csproj` (transitive path via `DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler 0.5.0`) |
12 | | -- **Description:** Debug build surfaces 4× NU1903 warnings: `Package 'System.Security.Cryptography.Xml' 8.0.2 has a known high severity vulnerability` (GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf). The package is a transitive dep pulled in through the TaskScheduler 0.5.0 NuGet via test-only paths — it is not in `Source/Directory.Packages.props` directly. Consumer shipping surface is unaffected. |
13 | | -- **Remediation options:** |
14 | | - 1. Add a direct `<PackageVersion>` for `System.Security.Cryptography.Xml` at a patched version (≥8.0.3 / ≥9.0.0 / ≥10.0.0 depending on the consuming test project's target) to force the CPM override. |
15 | | - 2. Upstream fix in the TaskScheduler repo — drop or update the dep there and cut a new TaskScheduler release. |
16 | | - 3. Accept the risk (test-integration-only, no production surface) and suppress the warning. |
17 | | -- **Recommended:** Option 1 — add a CPM-level direct reference to force the patched transitive. Cheap, reversible, no upstream coordination needed. Evaluate during Phase 3 if scope permits; otherwise defer to a follow-up hygiene PR. |
18 | | -- **Not a Phase 2 blocker** — warnings, not errors; unit tests all green. |
19 | | - |
20 | | -### ISSUE-028: Add `<remarks>` XML doc on TaskSchedulerJobCountSync.Start() describing non-blocking semantics |
21 | | -- **Severity:** Minor |
22 | | -- **Source:** Phase 1 (TaskScheduler lock fix) — Documenter review |
23 | | -- **Repo:** DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler |
24 | | -- **Status:** CLOSED (landed in Phase 2 release commit `b904ac3` as part of the 0.4.0 release, 2026-04-14) |
25 | | -- **Description:** After Phase 1 made `Start()` non-blocking (poller runs on a dedicated background thread), the method's XML `<summary>` still just says "Starts this instance". Library consumers who subclass `TaskSchedulerJobCountSync` or wrap `ITaskSchedulerJobCountSync` can't see the behavior change from IDE tooltips. |
26 | | -- **Remediation:** Add a `<remarks>` block to the `Start()` XML doc on both `Source/ITaskSchedulerJobCountSync.cs` and `Source/TaskSchedulerJobCountSync.cs`, describing the synchronous-then-background-poller handoff. ~10 lines across both files. |
27 | | -- **Why deferred from Phase 1:** The ROADMAP.md Phase 1 success criterion #2 requires `ITaskSchedulerJobCountSync.cs` to be byte-identical to master. Strictly interpreted, XML doc comments are part of the file bytes. Adding them would break the literal invariant. Phase 2 (0.4.0 release) can land the doc change alongside the CHANGELOG entry — they both document the same observable behavior change. |
28 | | - |
29 | | -### ISSUE-027: Test helper DRY opportunity — XunitLogger / NextPort / BeaconInterface copied across 4 test files |
30 | | -- **Severity:** Medium |
31 | | -- **Source:** Phase 1 (TaskScheduler lock fix) — Simplifier review |
32 | | -- **Repo:** DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler |
33 | | -- **Status:** Open (deferred from Phase 1) |
34 | | -- **Description:** `Source/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Tests/` now has 4 test files (existing `TaskSchedulerJobCountSyncTests` + 3 new from PLAN-2.1) each with a verbatim copy of `private class XunitLogger : ILogger`, a per-file `_nextPort + NextPort()` counter, and a `BeaconInterface` static. About 80 LoC of pure copy-paste. |
35 | | -- **Remediation:** Create `Source/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Tests/NetMqTestSupport.cs` with an `internal sealed class XunitLogger`, an `internal static class TestPorts` with a decade-aware `Next()` that preserves disjoint seeds per caller, and an `internal static class BeaconInterfaces.Default`. Then delete the nested copies in each test file. Net delete ~60 LoC, effort ~20 minutes. |
36 | | -- **Why deferred:** Phase 1 is a concurrency refactor; a test-helper consolidation is out of scope. Worth doing if Phase 2/3 adds more test files to this project. |
37 | | - |
38 | | -### ISSUE-026: NetMqQueueApiProbeTests.cs is design-time scaffolding superseded by real handler tests |
39 | | -- **Severity:** Low |
40 | | -- **Source:** Phase 1 (TaskScheduler lock fix) — Simplifier review |
41 | | -- **Repo:** DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler |
42 | | -- **Status:** Open (deferred from Phase 1) |
43 | | -- **Description:** `Source/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Tests/NetMqQueueApiProbeTests.cs` (35 LoC) was created in PLAN-1.1 Task 1 to validate that `NetMQQueue<T>` + `NetMQPoller` + `ReceiveReady` actually compile and run against NetMQ 4.0.2.2. The real handler tests from PLAN-2.1 now exercise the same API paths, making the probe redundant. |
44 | | -- **Remediation:** Delete `NetMqQueueApiProbeTests.cs` entirely. Preserves the probe's historical role via git history. |
45 | | -- **Why deferred:** Low-value cleanup; the file doesn't cost anything at runtime and it documents the original concern. |
46 | | - |
47 | | -### ISSUE-025: RunPoller start race on fast Start() → Dispose() cycles |
48 | | -- **Severity:** Low (noisy, not functional) |
49 | | -- **Source:** Phase 1 (TaskScheduler lock fix) — PLAN-1.3 code quality review |
50 | | -- **Repo:** DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler |
51 | | -- **Status:** Open (deferred from Phase 1) |
52 | | -- **Files:** |
53 | | - - `Source/TaskSchedulerJobCountSync.cs` — `RunPoller()` method |
54 | | -- **Description:** If `Dispose()` fires between `_pollerThread.Start()` and the `_poller = new NetMQPoller { _actor, _outbound }` assignment inside `RunPoller`, `_poller?.Stop()` no-ops because `_poller` is still null. The poller thread then constructs and runs an orphan poller until the underlying `_actor` is disposed, causing an `ObjectDisposedException` that is caught by the `RunPoller` try/catch but produces a noisy error log on pathological Start→Dispose cycles. Functionally safe — logged and swallowed — but cosmetically ugly. |
55 | | -- **Remediation:** Add a `volatile bool _disposing` flag set by `Dispose(bool)` before `_poller?.Stop()`. `RunPoller` early-returns if `_disposing` is true before constructing `_poller`. |
56 | | -- **Why deferred:** Not a functional bug, only affects error logs in a niche race. Good to fix in a later hardening pass. |
57 | | - |
58 | 5 | ### ISSUE-019: Missing SUMMARY-1.1.md artifact for Plan 1.1 (LiteDb history tests) |
59 | 6 | - **Severity:** Important |
60 | 7 | - **Source:** Plan 1.1 Review |
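Review bot: ISSUE-027, ISSUE-026 and ISSUE-025 are deleted from the Open section while their Status lines still read "Open (deferred from Phase 1)", and ISSUE-028 (marked CLOSED, commit `b904ac3`) is deleted too, yet nothing in the hunks shown re-adds any of them under Closed; only ISSUE-031 reappears there. If these four were resolved, move the entries into Closed with the resolving commit (as was done for ISSUE-031) rather than dropping them, otherwise the deferred-work record for the `_disposing` race in `RunPoller()`, the test-helper DRY consolidation and the probe-test cleanup is lost with no trace of a decision. If they remain open, this hunk should not remove them at all.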
136 | 83 |
137 | 84 | ## Closed |
138 | 85 |
| 86 | +### ISSUE-031: Transitive `System.Security.Cryptography.Xml 8.0.2` high-severity CVE (NU1903) via TaskScheduler integration tests |
| 87 | +- **Severity:** High (CVE, but surface is test-only) |
| 88 | +- **Source:** Phase 2 (dependency-refresh milestone) — surfaced during Debug build after bumping low-risk packages |
| 89 | +- **Repo:** DotNetWorkQueue (this repo) |
| 90 | +- **Status:** Resolved — Phase 3 Wave 5 PLAN-5.1, commit `3d6b9949`, 2026-04-17. Added `<PackageVersion Include="System.Security.Cryptography.Xml" Version="10.0.6" />` to `Source/Directory.Packages.props` and `<PackageReference>` to `DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Integration.Tests.csproj`. NU1903 grep on `dotnet build -c Debug` returns 0 matches for this package. |
| 91 | +- **Files:** |
| 92 | + - `Source/Directory.Packages.props` |
| 93 | + - `Source/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Integration.Tests/DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Integration.Tests.csproj` |
| 94 | +- **Description:** Debug build surfaced 4× NU1903 warnings: `Package 'System.Security.Cryptography.Xml' 8.0.2 has a known high severity vulnerability` (GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf). The package was a transitive dep pulled in through the TaskScheduler 0.5.0 NuGet via test-only paths — not in `Directory.Packages.props` directly. Consumer shipping surface was unaffected. |
| 95 | +- **Resolution:** Option 1 chosen — added a direct CPM `<PackageVersion>` at 10.0.6 to force the patched transitive. Cheap, reversible, no upstream coordination needed. Fix landed alongside Phase 3 major bumps in PR #118. |
| 96 | + |
139 | 97 | ### ISSUE-023: Stray blank line and double blank line artifacts from NETFULL removal |
140 | 98 | - **Severity:** Suggestion |
141 | 99 | - **Source:** simplifier (Phase 3) |
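Review bot: the Resolution line records the fix as a direct `<PackageVersion>` plus a `<PackageReference>` added to a single project, `DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler.Integration.Tests.csproj`. A CPM `<PackageVersion>` on its own does not override a transitive version unless the project also references the package directly or transitive pinning is enabled, so the override as described only covers that one project; any other project that pulls `DotNetWorkQueue.TaskScheduling.Distributed.TaskScheduler 0.5.0` transitively would still restore `System.Security.Cryptography.Xml 8.0.2`. Please add a sentence to the Resolution stating either that the integration-test project is the only consumer of that package (the Description says the path is test-only, which supports this) or that `CentralPackageTransitivePinningEnabled` is set in `Source/Directory.Packages.props`, so a later reader knows why the single-project reference is sufficient. The "0 matches" verification line should also say the grep was run over the full solution restore output, not only the Debug build of this project, since NU1903 is raised at restore time per project.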