BinaryFormatter is blocked by default on .NET 8, breaking SettingsEntity.NewInstance

[borland]

Usage Information

Nuke 7.0.6 / Dotnet 8.0 RC2 / Windows

Description

The current implementation of SettingsEntity.NewInstance uses a roundtrip through BinaryFormatter as a way to clone objects.

When running Nuke on .NET 8 RC2, I observe this warning in the log when using an [OctoVersionAttribute]

[WRN] Could not inject value for Build.OctoVersionInfo
System.NotSupportedException: BinaryFormatter serialization and deserialization are disabled within this application. See https://aka.ms/binaryformatter for more information.
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Serialize(Stream serializationStream, Object graph)
   at Nuke.Common.Tooling.SettingsEntityExtensions.NewInstance[T](T settingsEntity) in /_/source/Nuke.Tooling/SettingsEntity.NewInstance.cs:line 23
   at Nuke.Common.Tools.OctoVersion.OctoVersionGetVersionSettingsExtensions.SetFramework[T](T toolSettings, String framework) in /_/source/Nuke.Common/Tools/OctoVersion/OctoVersion.Generated.cs:line 849
   at Nuke.Common.Tools.OctoVersion.OctoVersionAttribute.<>c__DisplayClass56_0.<GetValue>b__0(OctoVersionGetVersionSettings _) in /_/source/Nuke.Common/Tools/OctoVersion/OctoVersionAttribute.cs:line 141
   at Nuke.Common.Tools.OctoVersion.OctoVersionTasks.OctoVersionGetVersion(Configure`1 configurator) in /_/source/Nuke.Common/Tools/OctoVersion/OctoVersion.Generated.cs:line 98
   at Nuke.Common.Tools.OctoVersion.OctoVersionAttribute.GetValue(MemberInfo member, Object instance) in /_/source/Nuke.Common/Tools/OctoVersion/OctoVersionAttribute.cs:line 141
   at Nuke.Common.ValueInjection.ValueInjectionAttributeBase.TryGetValue(MemberInfo member, Object instance) in /_/source/Nuke.Build/Execution/Extensibility/ValueInjectionAttributeBase.cs:line 26
Target 'BuildOctopusServer' requires member 'OctoVersionInfo' to be not null

The warning is followed by a build failure (Target 'BuildOctopusServer' requires member 'OctoVersionInfo' to be not null)

This is because Microsoft block the use of BinaryFormatter in .NET 8. I believe this may also be the case in .NET 7 but I have not tested it.

Per the comment at https://aka.ms/binaryformatter:

Warning
The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure.

While I believe Nuke's limited use of BinaryFormatter as an object cloner doesn't have any such security issues, I think it is worth removing on simple grounds that it no longer works with a standard .NET 8 toolchain.

Reproduction Steps

Create a Nuke build and tag something with the [OctoVersion] attribute

Expected Behavior

On .NET 6 The OctoVersion tool is run which populates the field with the attribute attached.

Actual Behavior

On .NET 8 this exception is thrown:

System.NotSupportedException: BinaryFormatter serialization and deserialization are disabled within this application

This is logged, but the OctoVersion tool is not run; the field remains unset.

Regression?

No response

Known Workarounds

adding this to your nuke project's csproj file, should enable it to successfully compile and run.

<PropertyGroup>
   .. other existing properties ...
  <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization>
</PropertyGroup>

Could you help with a pull-request?

Yes

[ImoutoChan]

Same problem. This is the only thing that is broken after updating my solution to net 8.

[jonathanou]

FYI, the plan in .NET 9 is to remove BinaryFormatter support completely, so it will be critical to address this before .NET 9 releases next year.

[matkoch]

dup of #818