dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

NU1903 is logged twice #42166

Open nkolev92 opened 1 month ago

nkolev92 commented 1 month ago

@ViktorHofer commented on Mon, 08 Jul 2024 15:50:50 GMT

C:\Users\vihofer\Downloads\testapp>..\dotnet-sdk-9.0.100-preview.7.24358.3-win-x64\dotnet.exe build
Restore succeeded with 2 warning(s) in 0.3s
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
  testapp succeeded with 2 warning(s) (0.3s) → bin\Debug\netstandard1.6\testapp.dll
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\Users\vihofer\Downloads\testapp\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj

I assume the warning is logged both during restore and during the build target.

nkolev92 commented 1 month ago

@dotnet-policy-service[bot] commented on Mon, 08 Jul 2024 15:52:00 GMT Issue is missing Type label, remember to add a Type label

nkolev92 commented 1 month ago

@nkolev92 commented on Mon, 08 Jul 2024 20:45:01 GMT For hotseat:

A binlog might help us narrow down where the 2nd warning is coming from.

nkolev92 commented 1 month ago

@ViktorHofer commented on Mon, 08 Jul 2024 20:52:57 GMT This happens when doing a dotnet build which implicitly and incrementally performs a restore. It doesn't happen when only doing a dotnet restore as then, only the Restore target is called, but not the Build target.

Here's a sample:

app.csproj

<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>netstandard1.6</TargetFramework>
  </PropertyGroup>

</Project>

Invoke dotnet build on it (with a nightly P7 SDK -> https://github.com/dotnet/sdk/blob/main/documentation/package-table.md) and you will see the warning logged twice.
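As an added example (not part of this issue thread or the SDK's code), the following Python script parses dotnet build output, collapses the repeated NU1903 lines into distinct findings, and reports how many times each was logged, so the restore-plus-build replay described above is not mistaken for additional vulnerabilities; the sample output is constructed from the lines quoted in this issue.

```python
import re
from collections import Counter

# Shape of a NU1903 line as dotnet build prints it (taken from the issue output).
NU1903_RE = re.compile(
    r"warning NU1903: Package '(?P<package>[^']+)' (?P<version>\S+) "
    r"has a known (?P<severity>\w+) severity vulnerability, (?P<advisory>\S+)"
)

# Constructed sample output: the two warnings from the issue, each emitted once
# by the implicit restore and once again by the build target.
SAMPLE_OUTPUT = """\
Restore succeeded with 2 warning(s) in 0.3s
    C:\\Users\\vihofer\\Downloads\\testapp\\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\\Users\\vihofer\\Downloads\\testapp\\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
  testapp succeeded with 2 warning(s) (0.3s) -> bin\\Debug\\netstandard1.6\\testapp.dll
    C:\\Users\\vihofer\\Downloads\\testapp\\testapp.csproj : warning NU1903: Package 'System.Net.Http' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-7jgj-8wvc-jh57
    C:\\Users\\vihofer\\Downloads\\testapp\\testapp.csproj : warning NU1903: Package 'System.Text.RegularExpressions' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-cmhx-cq75-c4mj
"""


def parse_nu1903(output):
    """Return one (package, version, severity, advisory) tuple per NU1903 line."""
    return [m.group("package", "version", "severity", "advisory")
            for m in NU1903_RE.finditer(output)]


def audit_summary(output):
    """Collapse repeated warnings into distinct findings.

    Returns (findings, repeats): findings is the sorted list of distinct
    vulnerable packages; repeats maps each finding to how many times it was
    logged, so a doubled count points at the restore+build replay rather
    than at two separate vulnerabilities.
    """
    repeats = Counter(parse_nu1903(output))
    return sorted(repeats), dict(repeats)


if __name__ == "__main__":
    findings, repeats = audit_summary(SAMPLE_OUTPUT)
    for pkg, ver, sev, adv in findings:
        print(f"{sev:>6}  {pkg} {ver}  {adv}  (logged {repeats[(pkg, ver, sev, adv)]}x)")
```

Pipe the real build output into `audit_summary` to get the distinct package list regardless of how many times the SDK replays each warning.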

nkolev92 commented 1 month ago

@nkolev92 commented on Mon, 08 Jul 2024 21:08:21 GMT I'm guessing the 2nd warning is somehow replayed by the SDK then? Might be an SDK bug.

nkolev92 commented 1 month ago

@donnie-msft commented on Mon, 08 Jul 2024 22:10:23 GMT

For hotseat:

  • Does this happen every time?
  • Does this happen with dotnet restore or with dotnet build only?
  • What about nuget.exe/msbuild?

A binlog might help us narrow down where the 2nd warning is coming from.

  1. Yes, every time with dotnet build
  2. No, dotnet restore only reports the error once
  3. No, nuget.exe restore does not show any vulnerability warnings. msbuild /t:restore only shows 1 warning.

nkolev92 commented 1 month ago

@donnie-msft commented on Mon, 08 Jul 2024 22:11:11 GMT I also reproduced this with .NET SDK 8.0.400-preview.0.24324.5

nkolev92 commented 1 month ago

@nkolev92 commented on Mon, 15 Jul 2024 20:36:56 GMT Team Triage: Since the replaying of the warnings is happening at build time as confirmed by both Donnie and Viktor, we'll move this to the .NET SDK.

dotnet-policy-service[bot] commented 1 month ago

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

baronfel commented 1 month ago

Reopening because the bot closed it aggressively.