Open marcin-sowa opened 2 years ago
Are these issues specific to xunit templates? Are you able to reproduce the same issue with mstest / nunit template? Are you able to reproduce on .NET SDK 6.0? Which tool is used?
@nohwnd - I can confirm this reproduces in Jfrog.
Hi,
I'm using dotnet in these versions:
Then run:
dotnet new xunit
gives this .csproj file:

In enterprise, when we are using package scanning tools, we are unable to restore packages for test projects due to multiple vulnerabilities found for a clean test project. We have the following issues:

System.Net.Sockets.4.3.0 -> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1301
Microsoft.NETCore.Platforms.1.0.1 and 1.1.0 -> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112
System.Text.RegularExpressions.4.3.0 -> https://access.redhat.com/errata/RHSA-2019:1259
System.Security.Cryptography.X509Certificates.4.3.0 -> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721
System.Net.Http.4.3.0 -> https://access.redhat.com/errata/RHSA-2018:2902
The issue with security of Microsoft.NETCore.Platforms is related to multiple projects and versions. How can we update the platform lib for each project? It seems there is no official documentation for that.
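One way to see which direct reference drags in the flagged versions listed above is to walk the resolved graph in `obj/project.assets.json`. This is an added example, not part of the original issue or of any .NET tooling; the function name `flagged_paths` is hypothetical, the sample graph is constructed and heavily simplified, and it assumes the `targets` and `project.frameworks` sections use the same framework key.

```python
import json
from collections import deque

# Package/version pairs the issue reports as flagged by the scanner.
FLAGGED = {
    "System.Net.Sockets/4.3.0", "System.Net.Http/4.3.0",
    "Microsoft.NETCore.Platforms/1.0.1", "Microsoft.NETCore.Platforms/1.1.0",
    "System.Text.RegularExpressions/4.3.0",
    "System.Security.Cryptography.X509Certificates/4.3.0",
}

# Constructed, trimmed stand-in for obj/project.assets.json (edges are illustrative).
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net6.0": {
    "xunit/2.4.1": {"dependencies": {"xunit.core": "[2.4.1]"}},
    "xunit.core/2.4.1": {"dependencies": {"NETStandard.Library": "1.6.1"}},
    "NETStandard.Library/1.6.1": {"dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0", "System.Net.Http": "4.3.0"}},
    "Microsoft.NETCore.Platforms/1.1.0": {},
    "System.Net.Http/4.3.0": {"dependencies": {"Microsoft.NETCore.Platforms": "1.1.0"}}
  }},
  "project": {"frameworks": {"net6.0": {"dependencies": {
    "xunit": {"target": "Package", "version": "[2.4.1, )"}}}}}
}
""")

def flagged_paths(assets, framework):
    """Map each flagged 'name/version' to the shortest chain from a direct reference."""
    target = assets["targets"][framework]
    resolved = {key.split("/")[0].lower(): key for key in target}  # ids are case-insensitive
    direct = assets["project"]["frameworks"][framework]["dependencies"]
    flagged = {f.lower() for f in FLAGGED}
    queue = deque([resolved[n.lower()]] for n in direct if n.lower() in resolved)
    seen, found = set(), {}
    while queue:  # breadth-first, so the first visit to a package is via a shortest chain
        path = queue.popleft()
        key = path[-1]
        if key in seen:
            continue
        seen.add(key)
        if key.lower() in flagged:
            found[key] = path
        for dep in target[key].get("dependencies", {}):
            if dep.lower() in resolved:
                queue.append(path + [resolved[dep.lower()]])
    return found
```

Each returned chain starts at a package the project references directly, which is where an explicit version override or a template change would have to be applied.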