dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

[browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0 #104737

Closed pavelsavara closed 1 month ago

pavelsavara commented 1 month ago

Log

Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser(config: "Debug", transport: "LongPolling") [FAIL]

       []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj (in 9.91 sec).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\BlazorClient\BlazorClient.csproj (in 10.45 sec).
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj (in 493 ms).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj (in 5 ms).

Build Information

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345 Build error leg or test failing:

Error Message

Fill the error message using step by step known issues guidance.

{
  "ErrorMessage": "NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability",
  "BuildRetry": false,
  "ExcludeConsoleLog": false
}

Known issue validation

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Error message validated: [NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability]
Result validation: Known issue matched with the provided build.
Validation performed at: 7/11/2024 4:23:34 PM UTC

Report

Build Definition Test Pull Request
737660 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104577
736134 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104638
738762 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#103755
738708 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104683
738681 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104437
738661 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution
738535 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104750
738431 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104757
738133 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#103757
738356 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104764
738311 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104760
738295 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104758
738288 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104750
738193 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser
738246 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104753
738220 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104644
737629 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#103755
737568 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#100048
736603 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#104698
737703 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104683
737654 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104701
737354 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#104672
737155 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#102464
737345 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#104729
737493 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104733
737342 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#100056
737280 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser dotnet/runtime#104730
736235 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution dotnet/runtime#104685

Summary

24-Hour Hit Count: 0
7-Day Hit Count: 27
1-Month Count: 28

dotnet-policy-service[bot] commented 1 month ago

Tagging subscribers to 'arch-wasm': @lewing See info in area-owners.md if you want to be subscribed.

ViktorHofer commented 1 month ago

Note that this means that you are using the nuget.org feed somewhere which is unrelated but should be fixed as well. NU1903 is part of the NuGet Audit feature which only works with the nuget.org feed atm.

ViktorHofer commented 1 month ago

cc @lewing

ViktorHofer commented 1 month ago

Unfortunately, I don't know how these tests work. Can someone please file an issue for the nuget.org issue?

ilonatommy commented 1 month ago

In wbt we're populating nuget config here: https://github.com/dotnet/runtime/blob/f9eda079502aa737ed7c75cf14dea10223cfb0fa/src/mono/wasm/Wasm.Build.Tests/Blazor/BlazorWasmTestBase.cs#L35

that produces:

  <packageSources>
    <clear />
    <add key="nuget-local" value="C:\Users\user\source\repos\runtime-fork\artifacts\packages\Debug\Shipping\" />
    <add key="dotnet8" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json" />
    <add key="dotnet9" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json" />
    <add key="nuget.org"  value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

Do you mean we should remove <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />?

ViktorHofer commented 1 month ago

Yes. AFAIK using the nuget.org feed in our builds is disallowed for security reasons. cc @mmitche

ajtruckle commented 1 month ago


I can confirm that this package is using version 8.0.0:


When will this be fixed?

ViktorHofer commented 1 month ago

Copied from a mail conversation:

.NET's policy is that we do not publish new intermediate packages for the sole purpose of updating a leaf dependency. This is instead an application-level concern. We rely on NuGet functionality to make updating leaf dependencies simple and painless.

We don't yet have that documented but we will follow-up on it.
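A concrete form of the application-level fix described in the comment above, as an added example that is not from this issue or the dotnet/runtime repository: a consuming app's csproj that adds a direct System.Text.Json reference to override the vulnerable transitive 8.0.0 and configures NuGet Audit so NU1903 also covers transitive packages and fails the build. The library name and target framework are assumptions; the fixed version is a placeholder to fill in from the advisory.

```xml
<!-- Added example, not from the issue or the dotnet/runtime repo. Names other
     than System.Text.Json, NU1903 and the advisory URL are assumptions. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Audit transitive packages as well as direct references, and report
         advisories of high severity and above. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>high</NuGetAuditLevel>
    <!-- Promote NU1903 from a restore warning to a build failure so a vulnerable
         transitive package cannot ship unnoticed. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1903</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Hypothetical package that transitively depends on System.Text.Json 8.0.0. -->
    <PackageReference Include="Some.Library.Using.SystemTextJson" Version="1.0.0" />

    <!-- Application-level override: a direct reference takes precedence over the
         transitive one as long as its version is at least as high, so the
         advisory is resolved without waiting for an intermediate package to
         republish. Replace the placeholder with the fixed version listed at
         https://github.com/advisories/GHSA-hh2w-p6rv-4g7w -->
    <PackageReference Include="System.Text.Json" Version="FIXED_VERSION_FROM_ADVISORY" />
  </ItemGroup>

</Project>
```

After editing, a fresh `dotnet restore` should no longer report NU1903 for System.Text.Json; if it still does, the override version is below the fixed version or the project is restoring from a feed that does not carry the patched package.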

ajtruckle commented 1 month ago

@ViktorHofer I am not knowledgeable with this... but let me get this in my head?

VS is telling me that this particular NuGet package is using a vulnerable assembly. So why do I have to fix this? Why do I have to manually download another top level dependency for what is currently transitive? I don't understand the logic. Surely, something, somewhere is responsible for using a vulnerable version and it should be rectified. No? Otherwise the headache is put on our shoulders and technically, the issue is not with our code but the NuGet packages concerned.