search

dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License
2.66k stars 1.06k forks source link

SDK commands like `restore` `build` and `list` incorrectly warn about vulnerable NuGet packages hoisted by the shared runtime #43063

Closed halter73 closed 2 weeks ago

halter73 commented 2 weeks ago

Describe the bug

If you add a PackageReference to a project pointing to a vulnerable package version, dotnet commands like dotnet build and dotnet list package --vulnerable --include-transitive will report inaccurate vulnerability warnings for packages that are hoisted to a newer, non-vulnerable version by the shared runtime.

In my repro project at https://github.com/halter73/NuGetVulnerabilityFalsePositive, I demonstrate this with a direct PackageReference to System.Text.Json 8.0.3, but the problem persists for transitive references which is harder to work around.

In the case of transitive dependencies, you cannot avoid the issue by simply removing the PackageReference. Instead, developers are forced to directly reference the packages that are falsely reported as vulnerable to get rid of warnings. This is demonstrated by https://github.com/dotnet/aspnetcore/pull/57560 which tries to update the ASP.NET Core project templates so they do not produce NuGet vulnerability warnings. We would rather not be forced to reference packages that are part of the shared runtime.

To Reproduce

Exceptions (if any)

PS C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive> dotnet run
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : wa
rning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/G
HSA-hh2w-p6rv-4g7w
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : wa
rning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/G
HSA-hh2w-p6rv-4g7w

{"systemTextJsonPath":"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.8\\System.Text.Json.dll"}

Further technical details

PS C:\dev\temp\NuGetVulnerabilityFalsePositive> dotnet --info
.NET SDK:
 Version:           8.0.401
 Commit:            811edcc344
 Workload version:  8.0.400-manifests.dd15fcf9
 MSBuild version:   17.11.4+37eb419ad

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.401\

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
 [wasm-tools]
   Installation Source: VS 17.12.35214.114
   Manifest Version:    8.0.8/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.8\WorkloadManifest.json
   Install Type:        FileBased

 [aspire]
   Installation Source: VS 17.12.35227.331
   Manifest Version:    8.1.0/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.1.0\WorkloadManifest.json
   Install Type:        FileBased

Host:
  Version:      9.0.0-preview.7.24405.7
  Architecture: x64
  Commit:       static

.NET SDKs installed:
  8.0.401 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  C:\dev\temp\NuGetVulnerabilityFalsePositive\global.json

17.12.0 Preview 2.0 [35227.331.main]

image

Tragetaschen commented 2 weeks ago

I can see a myriad of warnings in our codebase, but not with 8.0.401, only with the preview bits. Basically everywhere

    …csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
    …csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Those packages are not referenced explicitly and we are building for 8.0.8.

.NET SDK:
 Version:           9.0.100-preview.7.24407.12
 Commit:            d672b8a045
 Workload version:  9.0.100-manifests.baed1e37
 MSBuild version:   17.12.0-preview-24374-02+48e81c6f1

Neither 8.0.401 nor 9.0.100-… show a vulnerability when running dotnet list package --include-transitive --vulnerable

dotnet-policy-service[bot] commented 2 weeks ago

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!