dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

xunit - Vulnerabilities #22178

Open marcin-sowa opened 2 years ago

marcin-sowa commented 2 years ago

Hi,

I'm using dotnet in these versions:

Version: 5.0.401
Commit: 4bef5f3dbf

Środowisko uruchomieniowe:
OS Name: Mac OS X
OS Version: 11.5
OS Platform: Darwin
RID: osx.11.0-x64
Base Path: /usr/local/share/dotnet/sdk/5.0.401/

Host (useful for support):
Version: 5.0.10
Commit: e1825b4928

.NET SDKs installed:
3.1.401 [/usr/local/share/dotnet/sdk]
3.1.414 [/usr/local/share/dotnet/sdk]
5.0.401 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 3.1.7 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.20 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.10 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.7 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.20 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.10 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

To install additional .NET runtimes or SDKs: https://aka.ms/dotnet-download

Then running dotnet new xunit gives this .csproj file:

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>

    <IsPackable>false</IsPackable>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.11.0" />
    <PackageReference Include="xunit" Version="2.4.1" />
    <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
    <PackageReference Include="coverlet.collector" Version="3.0.2">
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
      <PrivateAssets>all</PrivateAssets>
    </PackageReference>
  </ItemGroup>

</Project>

In enterprise environments, when we are using package scanning tools, we are unable to restore packages for test projects due to multiple vulnerabilities found for a clean test project. We have the following issues:

System.Net.Sockets.4.3.0 -> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1301
Microsoft.NETCore.Platforms.1.0.1 and 1.1.0 -> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112
System.Text.RegularExpressions.4.3.0 -> https://access.redhat.com/errata/RHSA-2019:1259
System.Security.Cryptography.X509Certificates.4.3.0 -> https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721
System.Net.Http.4.3.0 -> https://access.redhat.com/errata/RHSA-2018:2902

The issue with the security of Microsoft.NETCore.Platforms is related to multiple projects and versions. How can we update the platform lib for each project? It seems there is no official documentation for that.
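One way to raise a transitive package to a newer version across every project in a repository, as an added example that is not part of this issue thread or of dotnet/sdk: a Directory.Build.props at the solution root, which every project below it imports. The version shown is one that exists on NuGet, not one the thread confirms as the fix for the cited advisory.

```xml
<!-- Directory.Build.props, placed next to the .sln so that every
     project beneath it (including the dotnet new xunit test projects)
     imports it automatically. Added illustration, not from the
     dotnet/sdk repository or the xunit template. -->
<Project>

  <ItemGroup>
    <!-- NuGet resolves a package that is both a direct and a transitive
         dependency to the directly referenced version, provided it is at
         least the transitive minimum (1.0.1 / 1.1.0 for this package in
         the template above). Microsoft.NETCore.Platforms 5.0.0 exists on
         NuGet; confirm against the advisory and your scanner's report
         that the version you choose actually clears the finding. -->
    <PackageReference Include="Microsoft.NETCore.Platforms" Version="5.0.0" />
  </ItemGroup>

</Project>
```

After restoring, dotnet list package --vulnerable --include-transitive (available from SDK 5.0.200, so usable with 5.0.401) reports which transitive packages still match a known advisory, which is a quicker feedback loop than waiting for the scanner in the pipeline.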

nohwnd commented 2 years ago

Are these issues specific to xunit templates? Are you able to reproduce the same issue with the mstest / nunit template? Are you able to reproduce on .NET SDK 6.0? Which tool is used?

johnbailey-transactcampus commented 9 months ago

@nohwnd - I can confirm this reproduces in Jfrog.
