dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

build error with nuget audit #42073

Closed WeihanLi closed 4 months ago

WeihanLi commented 4 months ago

Not sure if it's a bug or by design

Got an error when updating to .NET 9 Preview 6; I use <TreatWarningsAsErrors>true</TreatWarningsAsErrors> for my project.

error NU1903: Warning As Error: Package 'System.Formats.Asn1' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm

While I do not have a direct dependency on this package reference.

my project is here: https://github.com/WeihanLi/dotnet-exec/blob/61089e6cba8faa823c57654e321dedc6870a6ba1/src/ReferenceResolver/ReferenceResolver.csproj

Is this new behavior for transitive dependencies? Is there a feature switch to disable it? Should I add the package dependency to override the version with the vulnerability to fix this? I do not want to have this dependency maintained in my project; it may cause conflicts when upgrading dependencies and may be confusing for the downstream users.

airzym commented 4 months ago

I'm also running into a similar issue.

The issue for the CVE states that the fix should be to update the SDK and runtime. However, despite updating the SDK, this hasn't resolved the issue for me.

I'm building my solution using SDK 8.0.7, and my vulnerability scanning is still flagging the following:

pkg:nuget/System.Formats.Asn1@8.0.0.0 (CVE-2024-38095)

I can see in the deps.json file the following:

"System.Formats.Asn1": "8.0.0.0"

dotnet-policy-service[bot] commented 4 months ago

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

WeihanLi commented 4 months ago

Could we transfer the issue to NuGet instead of just closing it?

baronfel commented 4 months ago

not easily, no - the NuGet repos are on a different GitHub organization, and GitHub only allows transfers across organizations.

filzrev commented 4 months ago

Is there a feature switch to disable?

In a TreatWarningsAsErrors-enabled environment, it can be suppressed by adding the following setting.

<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1903</WarningsNotAsErrors>

I've confirmed the dependencies with the following command.

dotnet nuget why ReferenceResolver.csproj System.Formats.Asn1

And got the following results.

  [net6.0]
  [net8.0]
   │
   └─ NuGet.Protocol (v6.10.1)
      └─ NuGet.Packaging (v6.10.1)
         └─ System.Security.Cryptography.Pkcs (v6.0.4)
            └─ System.Formats.Asn1 (v6.0.0)

It seems the transitive package reference is coming from the System.Security.Cryptography.Pkcs (v6.0.4) package. Until this package is updated, you need to explicitly override the System.Formats.Asn1 version or suppress the NU1903 warning.
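
As an added example (not from this thread or the dotnet-exec project), here is a csproj showing both options side by side: the suppression from the comment above, which only silences the build gate, and the explicit override, which actually changes what gets restored. It assumes the net6.0/net8.0 targets and NuGet.Protocol 6.10.1 seen in the dotnet nuget why output; PATCHED_VERSION is a placeholder for the fixed System.Formats.Asn1 release given in the advisory.

```xml
<!-- Added example, not code from the issue or the project. Assumptions:
     target frameworks and NuGet.Protocol version match the dotnet nuget why
     tree above; PATCHED_VERSION is a placeholder for the fixed
     System.Formats.Asn1 release listed in GHSA-447r-wph3-92pm. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>

    <!-- Option A (weak): demote NU1903 back to a warning so the build stays
         green. The vulnerable System.Formats.Asn1 6.0.0 assembly is still
         restored and shipped with the app; only the build gate is silenced. -->
    <WarningsNotAsErrors>$(WarningsNotAsErrors);NU1903</WarningsNotAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="NuGet.Protocol" Version="6.10.1" />

    <!-- Option B (preferred): a direct reference takes precedence over the
         transitive one pulled in via System.Security.Cryptography.Pkcs, so
         restore resolves the patched version and NU1903 is no longer raised.
         Once this is in place, remove Option A so the gate is enforced again. -->
    <PackageReference Include="System.Formats.Asn1" Version="PATCHED_VERSION" />
  </ItemGroup>

</Project>
```

After applying Option B, re-run the dotnet nuget why command from above to confirm that the tree now resolves System.Formats.Asn1 to the patched version rather than 6.0.0.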

filzrev commented 4 months ago

Is this new behavior for transitive dependency? Is there a feature switch to disable?

I've found a document about the behavior change in the .NET 9 Preview 6 release notes: https://github.com/dotnet/core/blob/main/release-notes/9.0/preview/preview6/sdk.md#nugetaudit-now-raises-warnings-for-vulnerabilities-in-transitive-dependencies