This is a .NET 7 Web API application that intentionally demonstrates a realistic legacy enterprise codebase using deprecated technologies that require immediate migration for security, compliance, and support reasons.
| Component | Technology | Version | Status |
|---|---|---|---|
| Framework | .NET | 7.0 | End of Life (May 2024) |
| Database Driver | System.Data.SqlClient | 4.8.5 | Deprecated |
| Database | SQL Server LocalDB | Latest | Supported |
| API Documentation | Swagger/OpenAPI | 6.5.0 | Supported |
| Dependency Injection | Microsoft.Extensions.DI | Built-in | Supported |

```
WARNING NU1903: Package 'System.Data.SqlClient' 4.8.5 has a known
HIGH SEVERITY vulnerability: https://github.com/advisories/GHSA-98g6-xh36-x2p7
```

- Impact: Production deployment blocked by security scanners
- Risk: Potential SQL injection and connection string exposure
- Compliance: Fails SOC2, PCI-DSS, and enterprise security audits

```
WARNING NETSDK1138: The target framework 'net7.0' is out of support
and will not receive security updates
```

- Impact: No security patches, bug fixes, or support from Microsoft
- Risk: Zero-day vulnerabilities will remain unpatched
- Enterprise: Violates enterprise support lifecycle policies
- System.Data.SqlClient deprecated since .NET Core 2.0 (2018)
- Microsoft recommendation: Migrate to Microsoft.Data.SqlClient
- Features missing: Modern async patterns, performance improvements
- Support: No new features, limited bug fixes only

```json
"DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=LegacyECommerceDb;Trusted_Connection=true;Encrypt=false"
```

- Issue: `Encrypt=false` transmits data in plaintext
- Compliance: Violates data protection regulations (GDPR, HIPAA)
- Modern requirement: Encryption by default in newer drivers
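
A startup or CI guard can catch the `Encrypt=false` setting before it ships. The following is an added example, not code from this repository: the `ConnectionStringAudit` class and the hardened sample string (with its placeholder host `sql.example.internal`) are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

public static class ConnectionStringAudit
{
    private static readonly HashSet<string> Off =
        new(StringComparer.OrdinalIgnoreCase) { "false", "no", "optional" };
    private static readonly HashSet<string> On =
        new(StringComparer.OrdinalIgnoreCase) { "true", "yes" };

    // Returns one finding per weak transport setting; an empty list means the string passed.
    public static List<string> Findings(string connectionString)
    {
        // DbConnectionStringBuilder splits key=value pairs and matches keys case-insensitively.
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var findings = new List<string>();

        if (!parsed.TryGetValue("Encrypt", out var encrypt))
            findings.Add("Encrypt not set: System.Data.SqlClient defaults to Encrypt=false");
        else if (Off.Contains((encrypt?.ToString() ?? "").Trim()))
            findings.Add("Encrypt disabled: traffic to SQL Server is sent in plaintext");

        // Check the keyword with and without spaces.
        foreach (var key in new[] { "TrustServerCertificate", "Trust Server Certificate" })
            if (parsed.TryGetValue(key, out var trust) && On.Contains((trust?.ToString() ?? "").Trim()))
                findings.Add("TrustServerCertificate enabled: server certificate is not validated");

        return findings;
    }

    public static void Main()
    {
        // First string is the one from this README; the second is constructed for the example.
        string legacy = @"Server=(localdb)\mssqllocaldb;Database=LegacyECommerceDb;Trusted_Connection=true;Encrypt=false";
        string hardened = "Server=sql.example.internal;Database=LegacyECommerceDb;" +
                          "Integrated Security=true;Encrypt=true;TrustServerCertificate=false";

        foreach (var cs in new[] { legacy, hardened })
        {
            var findings = Findings(cs);
            Console.WriteLine(findings.Count == 0 ? "OK" : string.Join("; ", findings));
        }
    }
}
```

The legacy string produces the "Encrypt disabled" finding and the hardened one prints `OK`; failing the build or refusing to start on a non-empty list keeps the weak setting out of deployed configuration.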
- Mixed Async/Sync Operations

  ```csharp
  // Inconsistent patterns
  public async Task<Customer?> GetByIdAsync(int id) // Async method
  public Customer Add(Customer customer)            // Sync method
  ```

- Manual Resource Management

  ```csharp
  // Manual disposal patterns
  using (var connection = new SqlConnection(_connectionString))
  using (var command = new SqlCommand(query, connection))
  {
      // ...
  }
  ```

- Legacy Namespace Imports

  ```csharp
  using System.Data;
  using System.Data.SqlClient; // Deprecated namespace
  ```

- Traditional ADO.NET Patterns
  - Manual parameter binding with `AddWithValue()`
  - String-based SQL queries without modern query builders
  - No modern features like bulk operations or async enumeration

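
For comparison, here is what the patterns listed above can look like after migration. This is an added example, not code from this repository: the `Customer` record, the `Customers` column names and sizes, and the identity `Id` column are assumptions, since the README does not show the schema.

```csharp
using System.Data;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient; // replaces System.Data.SqlClient

// Hypothetical model: the real Customer class may have different members.
public sealed record Customer(int Id, string Name, string Email);

public sealed class CustomerRepository
{
    private readonly string _connectionString;
    public CustomerRepository(string connectionString) => _connectionString = connectionString;

    public async Task<Customer?> GetByIdAsync(int id, CancellationToken ct = default)
    {
        const string query = "SELECT Id, Name, Email FROM Customers WHERE Id = @Id";
        // 'await using' disposes asynchronously when the method exits, with no nested blocks.
        await using var connection = new SqlConnection(_connectionString);
        await using var command = new SqlCommand(query, connection);
        // Explicit SqlDbType instead of AddWithValue(), which infers the type from the CLR value.
        command.Parameters.Add("@Id", SqlDbType.Int).Value = id;

        await connection.OpenAsync(ct);
        await using var reader = await command.ExecuteReaderAsync(CommandBehavior.SingleRow, ct);
        if (!await reader.ReadAsync(ct)) return null;
        return new Customer(reader.GetInt32(0), reader.GetString(1), reader.GetString(2));
    }

    // Async counterpart of the synchronous Add(Customer) method.
    public async Task<Customer> AddAsync(Customer customer, CancellationToken ct = default)
    {
        // Assumes Id is an int identity column; OUTPUT returns the generated key.
        const string query =
            "INSERT INTO Customers (Name, Email) OUTPUT INSERTED.Id VALUES (@Name, @Email)";
        await using var connection = new SqlConnection(_connectionString);
        await using var command = new SqlCommand(query, connection);
        // Declared sizes (assumed here) keep the parameter type stable across calls.
        command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = customer.Name;
        command.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = customer.Email;

        await connection.OpenAsync(ct);
        var newId = (int)(await command.ExecuteScalarAsync(ct))!;
        return customer with { Id = newId };
    }
}
```
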
- Security: Production deployment blocked by vulnerability scanners
- Compliance: Audit failures for security frameworks
- Support: No Microsoft support for framework or driver issues
- Performance: Missing modern optimizations and features
- Maintenance: Difficulty finding developers familiar with legacy patterns
- Scalability: Performance bottlenecks with outdated data access patterns
- Integration: Compatibility issues with modern cloud services
- Cost: Higher maintenance costs due to technical debt
- SOC 2: Security controls around encryption in transit
- PCI DSS: Data encryption requirements for payment systems
- GDPR/HIPAA: Data protection in transit requirements
- ISO 27001: Information security management standards
- Framework Migration: .NET 7 → .NET 8+ (LTS)
- Driver Migration: System.Data.SqlClient → Microsoft.Data.SqlClient
- Security: Enable connection encryption by default
- Patterns: Standardize on async/await throughout
- Performance: Implement modern data access patterns
- Remove all security vulnerabilities
- Enable encryption in transit
- Implement modern authentication patterns
- Add comprehensive audit logging
- Establish proper error handling and monitoring
The application manages a simple e-commerce system with:
- Customers - Customer information and contact details
- Products - Product catalog with inventory
- Orders - Customer orders with line items
- Ensure SQL Server LocalDB is installed
- Run the SQL script in `DatabaseSetup.sql` to create the database and sample data
- The connection string in `appsettings.json` points to LocalDB with `Encrypt=false`

```bash
dotnet build
dotnet run
```

Navigate to https://localhost:7xxx/swagger to access the Swagger UI.

- `GET /api/customers` - Get all customers
- `GET /api/customers/{id}` - Get customer by ID
- `POST /api/customers` - Create new customer
- `PUT /api/customers/{id}` - Update customer
- `DELETE /api/customers/{id}` - Delete customer
- `GET /api/customers/by-email/{email}` - Get customer by email

- `GET /api/products` - Get all products
- `GET /api/products/{id}` - Get product by ID
- `POST /api/products` - Create new product
- `PUT /api/products/{id}` - Update product
- `DELETE /api/products/{id}` - Delete product
- `GET /api/products/category/{category}` - Get products by category
- `GET /api/products/active` - Get active products with stock

- `GET /api/orders` - Get all orders
- `GET /api/orders/{id}` - Get order by ID with line items
- `POST /api/orders` - Create new order with items
- `PUT /api/orders/{id}` - Update order
- `DELETE /api/orders/{id}` - Delete order and items
- `GET /api/orders/customer/{customerId}` - Get orders by customer
- `GET /api/orders/status/{status}` - Get orders by status

- Security Vulnerability: System.Data.SqlClient has known high severity vulnerabilities
- Deprecated Package: System.Data.SqlClient is no longer maintained
- Connection String: Uses `Encrypt=false` which is insecure
- Mixed Patterns: Inconsistent async/sync patterns in repository methods
- Manual Resource Management: Manual connection/command disposal
This codebase is designed to practice migrating:
- System.Data.SqlClient → Microsoft.Data.SqlClient
- Legacy connection strings → Modern secure connection strings
- Mixed sync/async patterns → Consistent async patterns
- Manual resource management → Modern `using` statements and patterns
- Update to current .NET version
You'll see these warnings when building - they indicate the migration need:
- NETSDK1138: .NET 7.0 is out of support
- NU1903: System.Data.SqlClient has known vulnerabilities
This is exactly what enterprises face with legacy codebases!