Closed apvassiliou77 closed 19 hours ago
I don't see that dependency in the chain:
$ dotnet nuget why . Microsoft.EntityFrameworkCore.SqlServer
Project 'ConsoleApp1' has the following dependency graph(s) for 'Microsoft.EntityFrameworkCore.SqlServer':
[net9.0]
│
└─ Microsoft.EntityFrameworkCore.SqlServer (v9.0.0)
$ dotnet nuget why . System.Private.Uri
Project 'ConsoleApp1' does not have a dependency on 'System.Private.Uri'.
Can you tell me where you see this dependency?
I have a .NET8 Console Application with the Microsoft.EntityFrameworkCore.SqlServer package installed, and in NuGet Package Manager I get this vulnerability.
So I presumed that this is caused by the Microsoft.EntityFrameworkCore.SqlServer package.
When I uninstall the Microsoft.EntityFrameworkCore.SqlServer package and reinstall it, I get the following changes.
As you can see the last package to be installed is System.Private.Uri. I get the same changes even if I clear the NuGet packages V3 Cache. My Visual Studio Version is 17.12.0.
@apvassiliou77 Please share your .csproj file contents
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
    <PublishSingleFile Condition="'$(Configuration)' == 'Release'">true</PublishSingleFile>
    <RuntimeIdentifier>win-x64</RuntimeIdentifier>
    <PlatformTarget>x64</PlatformTarget>
  </PropertyGroup>
  <ItemGroup>
    <None Remove="appsettings.json" />
    <None Remove="log4net.config" />
  </ItemGroup>
  <ItemGroup>
    <Content Include="appsettings.json">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </Content>
    <Content Include="log4net.config">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    </Content>
  </ItemGroup>
  <ItemGroup>
    <PackageReference Include="Azure.Identity" Version="1.13.1" />
    <PackageReference Include="log4net" Version="3.0.3" />
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="9.0.0" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="9.0.0" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="9.0.0" />
    <PackageReference Include="Microsoft.Extensions.Hosting" Version="9.0.0" />
    <PackageReference Include="Microsoft.Extensions.Hosting.WindowsServices" Version="9.0.0" />
    <PackageReference Include="Microsoft.Extensions.Logging.Log4Net.AspNetCore" Version="8.0.0" />
    <PackageReference Include="System.Data.SqlClient" Version="4.9.0" />
    <PackageReference Include="System.Formats.Asn1" Version="9.0.0" />
  </ItemGroup>
</Project>
Here are my .csproj file contents.
You should remove this:
<PackageReference Include="System.Data.SqlClient" Version="4.9.0" />
and maybe replace with:
<PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
In this case it comes from the runtime/SDK, not from us. A good approach to handle it is described here.
cc @AndriySvyryd
> You should remove this:
> <PackageReference Include="System.Data.SqlClient" Version="4.9.0" />
> and maybe replace with:
> <PackageReference Include="Microsoft.Data.SqlClient" Version="5.2.2" />
I replaced the package you suggested and the warnings still exist.
> In this case it comes from the runtime/SDK, not from us. A good approach to handle it is described here.
I managed to remove the warnings after I removed the following line from my .csproj file.
<RuntimeIdentifier>win-x64</RuntimeIdentifier>
Thanks for your help.
This NuGet package Microsoft.EntityFrameworkCore.SqlServer (version 9.0.0) contains a reference to System.Private.Uri (version 4.3.0), which has the following known vulnerabilities:
Known Vulnerability No1, Known Vulnerability No2, Known Vulnerability No3
An update to Version 4.3.2 is suggested.
Thank you in advance.
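An added example, not part of the thread or of the EF Core project: because the warning only appeared while `<RuntimeIdentifier>win-x64</RuntimeIdentifier>` was set, this sketch walks each restore target in `obj/project.assets.json` (including RID-specific ones such as `net8.0/win-x64`) and lists the chains from direct references to a given package. The sample data and the `Example.*` package names are constructed; the real chain in the reporter's project is not shown on this page.

```python
import json
import sys

# Constructed sample shaped like obj/project.assets.json (only the fields used
# below). The Example.* packages are hypothetical and not taken from the thread.
SAMPLE_ASSETS = {
    "targets": {
        "net8.0": {
            "Example.Data.Client/1.0.0": {"dependencies": {"Example.Core": "1.0.0"}},
            "Example.Core/1.0.0": {},
        },
        "net8.0/win-x64": {
            "Example.Data.Client/1.0.0": {"dependencies": {"Example.Core": "1.0.0"}},
            "Example.Core/1.0.0": {"dependencies": {"System.Private.Uri": "4.3.0"}},
            "System.Private.Uri/4.3.0": {},
        },
    },
    "projectFileDependencyGroups": {"net8.0": ["Example.Data.Client >= 1.0.0"]},
}

def chains_to(assets, package):
    """Map each restore target that resolves `package` to its dependency chains."""
    wanted, result = package.lower(), {}
    for target, libs in assets.get("targets", {}).items():
        by_name = {key.split("/")[0].lower(): key for key in libs}
        if wanted not in by_name:
            continue
        tfm = target.split("/")[0]  # "net8.0/win-x64" -> "net8.0"
        groups = assets.get("projectFileDependencyGroups", {})
        roots = [entry.split()[0].lower() for entry in groups.get(tfm, [])]
        chains = []

        def walk(name, trail):
            key = by_name.get(name)
            if key is None or key in trail:  # not resolved here, or a cycle
                return
            trail = trail + [key]
            if name == wanted:
                chains.append(trail)
                return
            for dep in libs[key].get("dependencies", {}):
                walk(dep.lower(), trail)

        for root in roots:
            walk(root, [])
        result[target] = chains  # empty list: resolved, but not via a direct reference
    return result

if __name__ == "__main__":
    # Pass a real obj/project.assets.json path, or run with no argument for the sample.
    assets = json.load(open(sys.argv[1], encoding="utf-8-sig")) if len(sys.argv) > 1 else SAMPLE_ASSETS
    for target, chains in chains_to(assets, "System.Private.Uri").items():
        print(target, [" -> ".join(chain) for chain in chains])
```

A target that is missing from the result does not resolve the package at all, which is how a graph checked without the runtime identifier can come back clean while the RID-specific restore still flags it.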