
Repo for NuGet Client issues

NU1903 is logged twice #13610

Closed ViktorHofer closed 6 days ago

ViktorHofer commented 2 weeks ago
C:\Users\vihofer\Downloads\testapp>..\dotnet-sdk-9.0.100-preview.7.24358.3-win-x64\dotnet.exe build
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
  testapp succeeded with 2 warning(s) (0.3s) → bin\Debug\netstandard1.6\testapp.dll
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

I assume the warning is logged both during restore and during the build target.
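Because the same NU1903 line shows up once after Restore and again after the Build target, any CI gate that simply counts warning lines will over-report. The following is an added example, not code from the issue or from NuGet: a small parser for the NU190x audit line format shown above that deduplicates replayed warnings by (package, version, advisory) and exposes a severity-threshold check. The sample output is constructed from the lines in this issue; the function names are my own.

```python
import re

# NuGet audit warning format as seen in the output above (NU1901-NU1904 share
# it; the severity word is what differs):
#   <proj> : warning NU1903: Package '<id>' <ver> has a known high severity vulnerability, <advisory>
AUDIT_RE = re.compile(
    r"warning (?P<code>NU190[1-4]): Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, (?P<url>\S+)"
)
SEVERITY_RANK = {"low": 0, "moderate": 1, "high": 2, "critical": 3}


def parse_audit_warnings(log_text):
    """Return one dict per NU190x warning line found in dotnet/msbuild output."""
    found = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def unique_vulnerable_packages(log_text):
    """Collapse the Restore/Build replay: key on (package, version, advisory)
    so a repeated line counts once while distinct advisories are all kept."""
    seen = {}  # dicts keep insertion order, so report order is preserved
    for w in parse_audit_warnings(log_text):
        seen.setdefault((w["package"], w["version"], w["url"]), w)
    return list(seen.values())


def duplicate_count(log_text):
    """Number of warning lines that were replays of an already-reported advisory."""
    return len(parse_audit_warnings(log_text)) - len(unique_vulnerable_packages(log_text))


def packages_at_or_above(log_text, threshold="high"):
    """Unique findings a CI gate should fail on, filtered by severity threshold."""
    floor = SEVERITY_RANK[threshold]
    return [w for w in unique_vulnerable_packages(log_text)
            if SEVERITY_RANK.get(w["severity"].lower(), 0) >= floor]


# Constructed sample mirroring the issue's 'dotnet build' output: both warnings
# appear after Restore and again after the Build target.
SAMPLE_BUILD_OUTPUT = r"""
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
  testapp succeeded with 2 warning(s) (0.3s) -> bin\Debug\netstandard1.6\testapp.dll
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
"""
```

Running `packages_at_or_above(SAMPLE_BUILD_OUTPUT)` on the sample yields the two distinct high-severity findings rather than four, which is the number a gate should act on.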

dotnet-policy-service[bot] commented 2 weeks ago

Issue is missing Type label, remember to add a Type label

nkolev92 commented 2 weeks ago

For hotseat:

A binlog might help us narrow down where the 2nd warning is coming from.

ViktorHofer commented 2 weeks ago

This happens when doing a dotnet build, which implicitly and incrementally performs a restore. It doesn't happen when only doing a dotnet restore, as then only the Restore target is called, but not the Build target.

Here's a sample:

app.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard1.6</TargetFramework>
  </PropertyGroup>

</Project>

Invoke dotnet build on it (with a nightly P7 SDK -> https://github.com/dotnet/sdk/blob/main/documentation/package-table.md) and you will see the warning logged twice.

nkolev92 commented 2 weeks ago

I'm guessing the 2nd warning is somehow replayed by the SDK then? Might be an SDK bug.

donnie-msft commented 2 weeks ago

For hotseat:

  • Does this happen every time?
  • Does this happen with dotnet restore or with dotnet build only?
  • What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

  1. Yes, every time with dotnet build
  2. No, dotnet restore only reports the error once
  3. No, nuget.exe restore does not show any vulnerability warnings. msbuild /t:restore only shows 1 warning.

donnie-msft commented 2 weeks ago

I also reproduced this with .NET SDK 8.0.400-preview.0.24324.5

nkolev92 commented 1 week ago

Team Triage: Since the replaying of the warnings is happening at build time, as confirmed by both Donnie and Viktor, we'll move this to the .NET SDK.