Library dependency on Microsoft.IdentityModel.Clients.ActiveDirectory dependency #160

Open
SarviH opened this issue Aug 29, 2024 · 8 comments
Labels
question Further information is requested

SarviH commented Aug 29, 2024

I am using FakeXRMEasy.v9 to unit test plugins in Dynamics 365. The plugins are on .NetFramework v4.6.2, so I need to use FakeXrmEasy.v9 2.4.2. This version has a dependency on Microsoft.CrmSdk.XrmTooling.CoreAssembly,
and unfortunately CoreAssembly has a dependency on Microsoft.IdentityModel.Clients.ActiveDirectory, which is deprecated.
This causes vulnerability issues in my SonarQube scan. Have you ever seen this problem before? Can you help me solve this, please?

jordimontana82 added the question (Further information is requested) label Aug 29, 2024
Contributor

jordimontana82 commented Aug 29, 2024

Hi @SarviH

I see, that dependency is a transitive dependency that is not directly referenced by FakeXrmEasy but by Microsoft's XrmTooling package, as you said.

I checked it again and the latest version is still using it: https://www.nuget.org/packages/Microsoft.CrmSdk.XrmTooling.CoreAssembly/

I would suggest raising it with Microsoft and maybe adding a specific rule in SonarQube so it would exclude that package in the meantime.

I'll also revisit that dependency. I think XrmTooling is mostly used by the XrmRealContext class, which uses a CrmServiceClient client behind the scenes for integration testing purposes.

If you're not using it I think this is relatively low risk and safe to ignore.

For client apps we have FakeXrmEasy v3.x versions that don't use that package but the latest DataverseClient too.

What do you think?
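
Added example, not part of the thread and not FakeXrmEasy or Microsoft code: a scanner finding on a transitive package is easier to triage once you can show which direct reference pulls it in. The sketch below walks a NuGet `obj/project.assets.json` graph to list those chains; it assumes a PackageReference-style project, the helper name `dependency_paths` is hypothetical, and the sample JSON is constructed (every version except FakeXrmEasy.v9 2.4.2 is a placeholder).

```python
import json
from collections import deque

# Constructed sample in the shape of NuGet's obj/project.assets.json.
# "0.0.0-sample" versions are placeholders, not real releases.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {
    ".NETFramework,Version=v4.6.2": {
      "FakeXrmEasy.v9/2.4.2": {"type": "package", "dependencies":
        {"Microsoft.CrmSdk.XrmTooling.CoreAssembly": "0.0.0-sample"}},
      "Microsoft.CrmSdk.XrmTooling.CoreAssembly/0.0.0-sample": {"type": "package",
        "dependencies": {"Microsoft.IdentityModel.Clients.ActiveDirectory": "0.0.0-sample"}},
      "Microsoft.IdentityModel.Clients.ActiveDirectory/0.0.0-sample": {"type": "package"}
    }
  },
  "project": {"frameworks": {"net462": {"dependencies":
    {"FakeXrmEasy.v9": {"target": "Package", "version": "[2.4.2, )"}}}}}
}
""")


def dependency_paths(assets, flagged):
    """Return every chain from a direct package reference to `flagged`."""
    flagged = flagged.lower()
    # Direct references declared by the project itself, across all frameworks.
    direct = {name.lower()
              for fw in assets["project"]["frameworks"].values()
              for name in fw.get("dependencies", {})}
    paths = set()
    for libs in assets["targets"].values():
        # NuGet ids are case-insensitive, so index the graph by lowercase id.
        graph = {key.split("/")[0].lower():
                 (key, [d.lower() for d in lib.get("dependencies", {})])
                 for key, lib in libs.items()}
        queue = deque([name] for name in direct if name in graph)
        while queue:
            path = queue.popleft()
            if path[-1] == flagged:
                paths.add(tuple(graph[p][0] for p in path))
                continue
            for dep in graph[path[-1]][1]:
                if dep in graph and dep not in path:  # ignore cycles
                    queue.append(path + [dep])
    return sorted(paths)


if __name__ == "__main__":
    for chain in dependency_paths(
            SAMPLE_ASSETS, "Microsoft.IdentityModel.Clients.ActiveDirectory"):
        print(" -> ".join(chain))
```

An empty result means the flagged package is not reachable from any direct reference in that project, which is the evidence to attach to a scanner exclusion or to an upstream report.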

Author

SarviH commented Sep 3, 2024

Hello @jordimontana82, thanks for your follow-up. As you said, v3 works for DataverseClient, which is for .NetCore; our plugin projects are on .NetFramework 4.6.2, so we can't use v3 :/

jordimontana82 changed the title from "Library dependency on Microsoft.IdentityModel.Clients.ActiveDirectory dependancy" to "Library dependency on Microsoft.IdentityModel.Clients.ActiveDirectory dependency" Sep 6, 2024

@jordimontana82
Contributor

@SarviH as a workaround for the next release, we can revisit this and split any dependency on XrmTooling into a separate package. This would allow you to use the FakeXrmEasy.Plugins.v9 package without that dependency. But for the time being this is a vulnerability flagged in the MS package.

Author

SarviH commented Sep 6, 2024

Hello @jordimontana82, that's the best news ever! Could you please let me know when the next release is? This change will have a great impact on our decision on using FakeXRMEasy.
I appreciate your help :)

jordimontana82 added a commit to DynamicsValue/fake-xrm-easy-core that referenced this issue Sep 11, 2024
jordimontana82 added a commit to DynamicsValue/fake-xrm-easy-core that referenced this issue Sep 16, 2024
jordimontana82 added a commit to DynamicsValue/fake-xrm-easy-integration that referenced this issue Sep 18, 2024
jordimontana82 added a commit to DynamicsValue/fake-xrm-easy-core that referenced this issue Sep 18, 2024
Author

SarviH commented Nov 4, 2024

Hello @jordimontana82, I hope you’re doing great. Any news on this library dependency for us? I think we are officially going to use FakeXRMEasy in the new year. Please keep me posted on this subject.
Thanks a lot and have a nice week :)

@jordimontana82
Contributor

@SarviH sorry for the delay on this. Yes, it has already been done in the dev branch and will hopefully be promoted to live soon.

JoehannusApg commented Jan 8, 2025

Hi Jordy. I also found a post about this on community.dynamics.com: https://community.dynamics.com/forums/thread/details/?threadid=3b580dca-c911-ee11-8f6d-000d3a5744ca. The advice there is to switch to the Dataverse ServiceClient package. Would this be a viable option for version 2.0 of fakexrmeasy? As the new package does support .net framework 4.6.2.

In that post is a link to: https://learn.microsoft.com/en-us/power-apps/developer/data-platform/sdk-client-transition

@jordimontana82
Contributor

@JoehannusApg FakeXrmEasy's latest commercial license uses 2 major versions, v2 and v3. v2 depends on CrmSdk.CoreAssemblies.* packages and v3 mostly depends on the Dataverse ServiceClient package, so in short, yes, it'll be possible in the next 2.6.x and 3.6.x versions.
