dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

Behavior of transitive framework dependencies #17372

Closed cmenzi closed 3 years ago

cmenzi commented 3 years ago

Description

We are currently using SDK 5.0.202 and SDK 3.1.407 to restore, build and package our solution. There is now, for example, the transitive dependency System.Text.Encodings.Web, which was vulnerable to CVE-2021-26701 and was fixed and shipped in SDK 5.0.201 and SDK 3.1.407.

global.json:

```json
{
  "sdk": {
    "version": "5.0.202",
    "rollForward": "latestFeature",
    "allowPrerelease": false
  }
}
```

Now, when we do a `dotnet list <project> package --include-transitive --outdated --framework netcoreapp3.1` we get the following result:

```text
The following sources were used:
   https://pkgs.dev.azure.com/buhlergroup/_packaging/buhlergroup-external/nuget/v3/index.json
   https://pkgs.dev.azure.com/buhlergroup/_packaging/buhlergroup-internal/nuget/v3/index.json
   https://packages.devops.buhlergroup.com/nuget/iot-dev-nuget/
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Project `Buhler.PocketNuke` has the following updates to its packages
   [netcoreapp3.1]:
   Top-level Package           Requested        Resolved         Latest
   > Microsoft.Graph.Beta      0.43.0-preview   0.43.0-preview   4.1.0-preview

   Transitive Package                                                                   Resolved       Latest
   > Azure.Core                                                                         1.8.1          1.13.0
   > Colorful.Console                                                                   1.2.9          1.2.15
   > Glob                                                                               1.1.5          1.1.8
   > JetBrains.Annotations                                                              2019.1.3       2021.1.0
   > Microsoft.Bcl.AsyncInterfaces                                                      1.0.0          5.0.0
   > Microsoft.Bcl.HashCode                                                             1.1.0          1.1.1
   > Microsoft.Build                                                                    16.8.0         16.9.0
   > Microsoft.Build.Framework                                                          16.8.0         16.9.0
   > Microsoft.Build.Tasks.Core                                                         16.8.0         16.9.0
   > Microsoft.Build.Utilities.Core                                                     16.8.0         16.9.0
   > Microsoft.IdentityModel.Clients.ActiveDirectory                                    5.2.4          5.2.9
   > Microsoft.IdentityModel.Logging                                                    1.1.2          6.11.0
   > Microsoft.IdentityModel.Tokens                                                     5.1.2          6.11.0
   > Microsoft.NETCore.Platforms                                                        3.1.0          5.0.2
   > Microsoft.NETCore.Targets                                                          1.1.3          5.0.0
   > Microsoft.Rest.ClientRuntime                                                       2.3.20         3.0.3
   > Microsoft.Rest.ClientRuntime.Azure                                                 3.3.18         4.0.3
   > Microsoft.Win32.Registry                                                           4.7.0          5.0.0
   > Microsoft.Win32.SystemEvents                                                       4.7.0          5.0.0
   > NETStandard.Library                                                                1.6.1          2.0.3
   > Newtonsoft.Json                                                                    12.0.3         13.0.1
   > Newtonsoft.Json.Bson                                                               1.0.1          1.0.2
   > NuGet.Common                                                                       5.3.1          5.9.1
   > NuGet.Configuration                                                                5.3.1          5.9.1
   > NuGet.Frameworks                                                                   5.3.1          5.9.1
   > NuGet.Packaging                                                                    5.3.1          5.9.1
   > NuGet.Versioning                                                                   5.3.1          5.9.1
   > Octokit                                                                            0.36.0         0.50.0
   > Refit                                                                              5.0.23         6.0.38
   > runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl           4.3.2          4.3.3
   > runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.2          4.3.3
   > runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.2          4.3.3
   > runtime.native.System                                                              4.3.0          4.3.1
   > runtime.native.System.IO.Compression                                               4.3.0          4.3.2
   > runtime.native.System.Net.Http                                                     4.3.0          4.3.1
   > runtime.native.System.Security.Cryptography.Apple                                  4.3.0          4.3.1
   > runtime.native.System.Security.Cryptography.OpenSsl                                4.3.2          4.3.3
   > runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl      4.3.2          4.3.3
   > runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl      4.3.2          4.3.3
   > runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple            4.3.0          4.3.1
   > runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl          4.3.2          4.3.3
   > runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl             4.3.2          4.3.3
   > runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.2          4.3.3
   > runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.2          4.3.3
   > runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl       4.3.2          4.3.3
   > SharpZipLib                                                                        1.1.0          1.3.1
   > SonarAnalyzer.CSharp                                                               8.20.0.28934   8.22.0.31243
   > System.CodeDom                                                                     4.4.0          5.0.0
   > System.Collections.Immutable                                                       1.7.0          5.0.0
   > System.ComponentModel.Annotations                                                  4.4.1          5.0.0
   > System.Configuration.ConfigurationManager                                          4.5.0          5.0.0
   > System.Console                                                                     4.3.0          4.3.1
   > System.Diagnostics.DiagnosticSource                                                4.7.1          5.0.1
   > System.Drawing.Common                                                              4.7.0          5.0.2
   > System.Net.Primitives                                                              4.3.0          4.3.1
   > System.Reflection.Emit.ILGeneration                                                4.3.0          4.7.0
   > System.Reflection.Emit.Lightweight                                                 4.3.0          4.7.0
   > System.Reflection.Metadata                                                         1.6.0          5.0.0
   > System.Reflection.TypeExtensions                                                   4.3.0          4.7.0
   > System.Resources.Extensions                                                        4.6.0          5.0.0
   > System.Runtime                                                                     4.3.0          4.3.1
   > System.Runtime.CompilerServices.Unsafe                                             4.5.3          5.0.0
   > System.Runtime.Extensions                                                          4.3.0          4.3.1
   > System.Security.AccessControl                                                      4.7.0          5.0.0
   > System.Security.Cryptography.Algorithms                                            4.3.0          4.3.1
   > System.Security.Cryptography.Cng                                                   4.7.0          5.0.0
   > System.Security.Cryptography.OpenSsl                                               4.4.0          5.0.0
   > System.Security.Cryptography.Pkcs                                                  4.7.0          5.0.1
   > System.Security.Cryptography.ProtectedData                                         4.5.0          5.0.0
   > System.Security.Cryptography.X509Certificates                                      4.3.0          4.3.2
   > System.Security.Cryptography.Xml                                                   4.7.0          5.0.0
   > System.Security.Permissions                                                        4.7.0          5.0.0
   > System.Security.Principal.Windows                                                  4.7.0          5.0.0
   > System.Text.Encoding.CodePages                                                     4.0.1          5.0.0
   > System.Text.Encodings.Web                                                          5.0.0          5.0.1
   > System.Text.Json                                                                   5.0.1          5.0.2
   > System.Text.RegularExpressions                                                     4.3.0          4.3.1
   > System.Threading.Tasks.Dataflow                                                    4.9.0          5.0.0
   > System.Windows.Extensions                                                          4.7.0          5.0.0
   > System.Xml.ReaderWriter                                                            4.3.0          4.3.1
   > YamlDotNet                                                                         8.0.0          11.1.1
   > System.Text.Encodings.Web                                                          5.0.0          5.0.1
```

As you can see, the resolved version of System.Text.Encodings.Web is 5.0.0, which should be 5.0.1 as the fix is in that version.

Do we need to explicitly specify them in the csproj? Or how can we enforce that the latest versions of transitive framework dependencies are used?
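As an added example that is not part of the issue or of the SDK, here is a small Python parser for the report format shown above that flags watchlisted packages whose resolved version predates a known fix; the trimmed sample report and the one-entry watchlist are constructed from the issue's own output and CVE. As the maintainer reply below says, this is a known limitation of the list command and keeping the SDK up to date is what fixes the component, so a hit here is a prompt to check the SDK level rather than proof of exposure.

```python
# Constructed sample: a trimmed excerpt in the format that
# `dotnet list <project> package --include-transitive --outdated` prints.
SAMPLE_REPORT = """\
Project `Buhler.PocketNuke` has the following updates to its packages
   [netcoreapp3.1]:
   Top-level Package           Requested        Resolved         Latest
   > Microsoft.Graph.Beta      0.43.0-preview   0.43.0-preview   4.1.0-preview

   Transitive Package                 Resolved       Latest
   > Newtonsoft.Json                  12.0.3         13.0.1
   > System.Text.Encodings.Web        5.0.0          5.0.1
   > System.Text.Json                 5.0.1          5.0.2
"""

# Watchlist: package -> (first version carrying the fix, advisory). The one entry
# is the case from the issue; the dictionary is constructed, not an advisory feed.
MIN_FIXED = {"System.Text.Encodings.Web": ("5.0.1", "CVE-2021-26701")}

def parse_version(v):
    # NuGet/SemVer shape "5.0.1" or "0.43.0-preview": numeric parts compare first;
    # a release sorts after a prerelease with the same numbers.
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return (nums, pre == "", pre)

def parse_report(text):
    """Return (name, resolved, latest, is_transitive) for every '>' row."""
    rows, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Top-level Package"):
            section = "top"
        elif s.startswith("Transitive Package"):
            section = "transitive"
        elif s.startswith(">") and section:
            parts = s[1:].split()
            # Top-level rows carry Requested/Resolved/Latest, transitive rows only
            # Resolved/Latest, so take the last two columns in both cases.
            rows.append((parts[0], parts[-2], parts[-1], section == "transitive"))
    return rows

def find_unfixed(rows, min_fixed=MIN_FIXED):
    """Rows whose resolved version predates the fixed version on the watchlist."""
    findings = []
    for name, resolved, _latest, transitive in rows:
        if name in min_fixed:
            fixed, advisory = min_fixed[name]
            if parse_version(resolved) < parse_version(fixed):
                findings.append((name, resolved, fixed, advisory, transitive))
    return findings
```

Feed it the full output of the command from the issue (for example via `sys.stdin.read()`) to get the same check over the whole graph.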

dotnet-issue-labeler[bot] commented 3 years ago

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

GrabYourPitchforks commented 3 years ago

This is a known issue with the list command. We're discussing offline some ways to make this better. The tl;dr: as long as you're keeping the SDK up-to-date, you don't need to worry about vulnerabilities in this component.

dotnet-issue-labeler[bot] commented 3 years ago

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

cmenzi commented 3 years ago

OK, good to know. Our dependency track tool went insane because all projects were affected.