aspnet / AspNetKatana

Microsoft's OWIN implementation, the Katana project
Apache License 2.0

`Microsoft.Owin` and `Microsoft.Owin.Security.Cookies` marked as vulnerable on NuGet.org #474

Closed akunzai closed 1 year ago

akunzai commented 1 year ago

Hi there,

My CI/CD pipelines failed with the following information

```text
Top-level Package                      Requested   Resolved   Severity   Advisory URL
   > Microsoft.Owin.Security.Cookies      4.2.2       4.2.2      High       https://github.com/advisories/GHSA-3rq8-h3gj-r5c6

   Transitive Package      Resolved   Severity   Advisory URL
   > Microsoft.Owin        4.2.2      High       https://github.com/advisories/GHSA-3rq8-h3gj-r5c6
```

According to https://github.com/advisories/GHSA-3rq8-h3gj-r5c6, the following packages in version 4.2.2 should not be affected by CVE-2022-29117:

Microsoft.Owin 4.2.2 vulnerable

Microsoft.Owin.Security.Cookies 4.2.2 vulnerable

Is the vulnerability warning on NuGet.org marked by accident?

fhtino commented 1 year ago

Could be a syntax error? 4.22 does not exist. 4.2.2 exists.

https://github.com/advisories/GHSA-3rq8-h3gj-r5c6


Also, GitHub Dependabot started alerting about this security issue, but without being able to suggest a solution. No PR suggested.

Tratcher commented 1 year ago

@blowdart those versions are wrong, it should say 4.2.1 and 4.2.2 respectively.

Tratcher commented 1 year ago

https://github.com/github/advisory-database/pull/633/files#diff-2938efb5c91ed7fc9c27066c30505350a44ae62dfd02e70bc986dd2eb9896d12R59

Tratcher commented 1 year ago

https://github.com/advisories/GHSA-3rq8-h3gj-r5c6 and https://www.nuget.org/packages/Microsoft.Owin/4.2.2 have been fixed.

snakefoot commented 1 year ago

Can see that the NuGet package is now fixed, but this command line still fails:

```sh
dotnet list ./src package --vulnerable --include-transitive
```

This is the output:

```text
The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
Project `NLog.UnitTests` has the following vulnerable packages
   [netcoreapp3.1]: No vulnerable packages for this framework.
   [net461]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
   > Microsoft.Owin       4.2.2       4.2.2      High       https://github.com/advisories/GHSA-3rq8-h3gj-r5c6
```

These are the NLog.UnitTests package references in use:

```xml
<PackageReference Include="Microsoft.AspNet.WebApi.OwinSelfHost" Version="5.2.9" />
<PackageReference Include="Microsoft.Owin" version="4.2.2" /> <!-- Waiting for updated OwinSelfHost -->
```

https://ci.appveyor.com/project/nlog/nlog/builds/44651625/job/ivj8bssv4b7permh

Tratcher commented 1 year ago

It's also still being flagged in VS. I've pinged the nuget team.

snakefoot commented 1 year ago

No longer getting warnings about Microsoft.Owin when doing validation:

```sh
dotnet list ./src package --vulnerable --include-transitive
```

philipp-naused commented 1 year ago

The faulty warning has disappeared for us as well. Does anyone know what the root cause was?

Tratcher commented 1 year ago

This was originally caused by a typo in the versions reported in https://github.com/advisories/GHSA-3rq8-h3gj-r5c6. That typo was imported into nuget.org. When the notice was corrected there was an issue getting the state updated everywhere in NuGet. The NuGet team confirmed to me Friday that they resolved the update issue.

akunzai commented 1 year ago

Hi @Tratcher, Microsoft.Owin.Security.Cookies is still flagged as vulnerable by the command `dotnet list package --vulnerable --include-transitive` and in Visual Studio.

Check this out

Microsoft.Owin.Security.Cookies in Visual Studio

tompazourek commented 1 year ago

This is still an issue.

The API request that's made internally is: https://api.nuget.org/v3/registration5-gz-semver2/microsoft.owin.security.cookies/index.json

And that still incorrectly contains the vulnerability listed for 4.2.2.
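The registration index tompazourek points at is the data that `dotnet list package --vulnerable` and Visual Studio consult, so the quickest way to tell a tooling cache problem from a feed problem is to read that index directly. The script below is an added example, not code from this thread or from NuGet; it assumes the documented shape of NuGet's registration resource (top-level `items` are pages, a page's `items` are leaves, and each leaf's `catalogEntry` carries `version` and an optional `vulnerabilities` list of `{advisoryUrl, severity}` with severity `"0"`..`"3"` for Low/Moderate/High/Critical). `SAMPLE_INDEX` is constructed sample data, not a capture of api.nuget.org, and which versions it flags is illustrative only.

```python
"""Read a NuGet registration index and report which versions it flags as
vulnerable. Added example; assumes the registration shape described in the
lead-in. SAMPLE_INDEX is constructed, not live api.nuget.org data."""
import json

ADVISORY = "https://github.com/advisories/GHSA-3rq8-h3gj-r5c6"

# Constructed sample index in the assumed registration shape.
SAMPLE_INDEX = json.dumps({
    "count": 1,
    "items": [{
        "lower": "4.2.0",
        "upper": "4.2.3-preview",
        "items": [
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.0",
                              "vulnerabilities": [{"advisoryUrl": ADVISORY, "severity": "2"}]}},
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.2",
                              "vulnerabilities": [{"advisoryUrl": ADVISORY, "severity": "2"}]}},
            {"catalogEntry": {"id": "Microsoft.Owin.Security.Cookies", "version": "4.2.3-preview"}},
        ],
    }],
})

# Assumed severity encoding of the registration resource.
SEVERITY_NAMES = {"0": "Low", "1": "Moderate", "2": "High", "3": "Critical"}


def catalog_entries(index_json):
    """Yield every catalogEntry found in the inline pages of a registration index."""
    data = json.loads(index_json)
    for page in data.get("items", []):
        # Packages with many versions externalise pages: such a page has no
        # inline "items" and would need a second fetch of page["@id"]. This
        # offline example only walks pages that are inlined.
        for leaf in page.get("items", []):
            entry = leaf.get("catalogEntry")
            if entry and "version" in entry:
                yield entry


def known_versions(index_json):
    """Set of version strings the feed actually lists for the package."""
    return {entry["version"] for entry in catalog_entries(index_json)}


def flagged_versions(index_json):
    """Map version -> [(severity name, advisory URL)] for versions carrying advisories."""
    flagged = {}
    for entry in catalog_entries(index_json):
        vulns = entry.get("vulnerabilities") or []
        if vulns:
            flagged[entry["version"]] = [
                (SEVERITY_NAMES.get(str(v.get("severity")), "Unknown"), v.get("advisoryUrl"))
                for v in vulns
            ]
    return flagged


def check_version(index_json, version):
    """Explain how tooling reading this index would treat one version string:
    whether the feed lists that version at all, and which advisories it carries."""
    return {
        "version": version,
        # A version the package never shipped (the thread's "4.22") cannot come
        # from the feed itself; it points at a typo in the advisory or its import.
        "exists": version in known_versions(index_json),
        "advisories": flagged_versions(index_json).get(version, []),
    }


if __name__ == "__main__":
    for v in ("4.2.2", "4.2.3-preview", "4.22"):
        print(check_version(SAMPLE_INDEX, v))
```

Against the live feed, replace `SAMPLE_INDEX` with the body of the registration URL above (it is served gzip-compressed, so decompress before `json.loads`); a version that tooling still flags after the advisory was corrected will show up in `flagged_versions`, which separates a stale feed entry from a stale local cache.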

Tratcher commented 1 year ago

> This is still an issue.
>
> The API request that's made internally is: https://api.nuget.org/v3/registration5-gz-semver2/microsoft.owin.security.cookies/index.json

@tompazourek Which tool are you using to call this API?

Looks like Microsoft.Owin was fixed but Microsoft.Owin.Security.Cookies was not.

Tratcher commented 1 year ago

Fixed (for reals this time 😆) in VS and https://api.nuget.org/v3/registration5-gz-semver2/microsoft.owin.security.cookies/index.json

tompazourek commented 1 year ago

I can confirm, the issue disappeared. Thank you!