Closed halter73 closed 2 weeks ago
I can see a myriad of warnings in our codebase, but not with 8.0.401, only with the preview bits. Basically everywhere:
…csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
…csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
Those packages are not referenced explicitly and we are building for 8.0.8.
.NET SDK:
Version: 9.0.100-preview.7.24407.12
Commit: d672b8a045
Workload version: 9.0.100-manifests.baed1e37
MSBuild version: 17.12.0-preview-24374-02+48e81c6f1
Neither 8.0.401 nor 9.0.100-… shows a vulnerability when running dotnet list package --include-transitive --vulnerable
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!
If you believe this issue was closed in error, please comment to let us know.
Happy Coding!
Describe the bug
If you add a PackageReference to a project pointing to a vulnerable package version, dotnet commands like dotnet build and dotnet list package --vulnerable --include-transitive will report inaccurate vulnerability warnings for packages that are hoisted to a newer, non-vulnerable version by the shared runtime. In my repro project at https://github.com/halter73/NuGetVulnerabilityFalsePositive, I demonstrate this with a direct PackageReference to System.Text.Json 8.0.3, but the problem persists for transitive references, which are harder to work around.
In the case of transitive dependencies, you cannot avoid the issue by simply removing the PackageReference. Instead, developers are forced to directly reference the packages that are falsely reported as vulnerable to get rid of warnings. This is demonstrated by https://github.com/dotnet/aspnetcore/pull/57560 which tries to update the ASP.NET Core project templates so they do not produce NuGet vulnerability warnings. We would rather not be forced to reference packages that are part of the shared runtime.
To Reproduce
dotnet build
Exceptions (if any)
Further technical details
dotnet --info
17.12.0 Preview 2.0 [35227.331.main]
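The project file below is an added example, not a file from the repro repository or from the ASP.NET Core templates. It reproduces the NU1903 warning the issue describes (a net8.0 project with a direct PackageReference to System.Text.Json 8.0.3) and shows the narrowest opt-in workaround: a NuGetAuditSuppress item keyed on the advisory URL that the warning prints. The NuGetAudit, NuGetAuditMode, NuGetAuditLevel and NuGetAuditSuppress names are NuGet tooling properties assumed from NuGet's documentation; the issue text does not mention them. The SuppressSharedFrameworkAudit property that gates the suppression is a hypothetical name chosen for this example.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>

    <!-- NuGet audit settings (assumed from NuGet docs, not from the issue).
         "all" audits transitive packages as well as direct ones; "direct"
         would only audit the PackageReferences listed in this file. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>
  </PropertyGroup>

  <ItemGroup>
    <!-- The direct reference the issue uses to reproduce NU1903.
         At run time on a patched 8.0.x shared runtime, the framework's newer
         System.Text.Json assembly wins over this package version. -->
    <PackageReference Include="System.Text.Json" Version="8.0.3" />
  </ItemGroup>

  <!-- Opt-in suppression, narrowed to the one advisory the warning cites.
       Build with: dotnet build -p:SuppressSharedFrameworkAudit=true
       (SuppressSharedFrameworkAudit is a hypothetical property for this example.) -->
  <ItemGroup Condition="'$(SuppressSharedFrameworkAudit)' == 'true'">
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-hh2w-p6rv-4g7w" />
  </ItemGroup>

</Project>
```

A plain dotnet build on this project reproduces the warning; passing -p:SuppressSharedFrameworkAudit=true silences only the single advisory, leaving every other audit finding active. The caveat a reviewer should attach to any such suppression is that the warning is a false positive only because the shared runtime that actually executes the app supplies a newer assembly than the package: on a host running an unpatched 8.0 runtime, the suppression would hide a real finding, so it belongs next to whatever controls the deployment target's runtime version, not in a shared Directory.Build.props.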