Microsoft Security Advisory CVE-2022-30184 involves a vulnerability related to NuGet functionality, including the NuGet.CommandLine NuGet package. The vulnerability relates to credentials being leaked when publishing NuGet packages, i.e. it is logically related to nuget push. See this issue for more information.
The SonarQube.Roslyn.SDK is not directly affected by the vulnerability since it only pulls packages. It never pushes.
However, third-party tooling may still flag this as a vulnerability, which generates unnecessary noise and support effort.
Upgrading the package to a patched version should be straightforward, i.e. no breaking changes or changes of functionality are anticipated.
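The practical first step for the upgrade, and for silencing the third-party scanners mentioned above, is to find every place the SDK's project files reference NuGet.CommandLine and confirm the pinned version is at or above the patched release. The script below is an added example, not code from the SonarQube.Roslyn.SDK repository: it parses both SDK-style PackageReference entries and legacy packages.config entries from constructed sample inputs and reports references below a caller-supplied minimum version. The minimum version used in the sample run is a labelled placeholder, since this page does not state which release contains the fix.

```python
"""Report NuGet.CommandLine references that sit below a patched version.

Added example (not part of the SonarQube.Roslyn.SDK repository). The sample
project files and the minimum version are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs: one SDK-style .csproj and one legacy packages.config.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="NuGet.CommandLine" Version="5.9.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="NuGet.CommandLine" version="6.9.0" targetFramework="net472" />
</packages>"""

# PLACEHOLDER: substitute the patched release named in the advisory.
PLACEHOLDER_MIN_VERSION = "6.0.0"


def parse_version(version):
    """Turn a NuGet version string into a comparable tuple.

    Numeric parts are padded to four components; a prerelease suffix
    (after '-') sorts before the corresponding release. The prerelease
    label itself is compared as a plain string, which is sufficient for
    a minimum-version check but is not full SemVer precedence.
    """
    core, _, prerelease = version.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if prerelease else 1, prerelease)


def find_package_references(xml_text, package_id):
    """Return the version strings of every reference to package_id.

    Handles <PackageReference Include=... Version=...> (including the form
    with a nested <Version> element) and <package id=... version=...>.
    Element names are matched without namespace so old-style csproj files
    that carry the MSBuild namespace are handled too.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    wanted = package_id.lower()
    versions = []
    for element in root.iter():
        tag = element.tag.rsplit("}", 1)[-1]
        if tag == "PackageReference" and element.get("Include", "").lower() == wanted:
            versions.append(element.get("Version") or element.findtext("Version", ""))
        elif tag == "package" and element.get("id", "").lower() == wanted:
            versions.append(element.get("version", ""))
    return versions


def vulnerable_references(xml_text, package_id, min_version):
    """Return referenced versions of package_id that are below min_version."""
    floor = parse_version(min_version)
    return [v for v in find_package_references(xml_text, package_id)
            if parse_version(v) < floor]


if __name__ == "__main__":
    for name, text in (("sample.csproj", SAMPLE_CSPROJ),
                       ("packages.config", SAMPLE_PACKAGES_CONFIG)):
        below = vulnerable_references(text, "NuGet.CommandLine", PLACEHOLDER_MIN_VERSION)
        status = "needs upgrade: " + ", ".join(below) if below else "ok"
        print(f"{name}: {status}")
```

Run it over the real project files of the repository (for example by globbing for *.csproj and packages.config) and replace the placeholder with the advisory's patched version; any non-empty result is a reference the upgrade must touch.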