finos / code-scanning

How to protect FINOS hosted projects from security threats and license compliance issues
Apache License 2.0

Update sample.csproj #217

Closed josspo closed 1 year ago

josspo commented 1 year ago

Downgrade Newtonsoft.json to 12.0.3 to get a vulnerability in the example

maoo commented 1 year ago

Thanks @josspo ! As you can see above, the CVE Scanning for .NET action is failing:

Run dotnet build
MSBuild version 17.5.1+f6fdcf537 for .NET
  Determining projects to restore...
/home/runner/work/security-scanning/security-scanning/dotnet/sample.csproj : error NU1605: Warning As Error: Detected package downgrade: Newtonsoft.Json from 13.0.1 to 12.0.3. Reference the package directly from the project to select a different version. 
/home/runner/work/security-scanning/security-scanning/dotnet/sample.csproj : error NU1605:  sample -> Microsoft.AspNetCore.Mvc.NewtonsoftJson 6.0.16 -> Newtonsoft.Json (>= 13.0.1) 
/home/runner/work/security-scanning/security-scanning/dotnet/sample.csproj : error NU1605:  sample -> Newtonsoft.Json (>= 12.0.3)
  Failed to restore /home/runner/work/security-scanning/security-scanning/dotnet/sample.csproj (in 1.62 sec).

Build FAILED.

You can check logs on https://github.com/finos/security-scanning/actions/runs/5131101966/jobs/9230746131?pr=217#step:4:1 ; the action definition can be found on https://github.com/finos/security-scanning/actions/runs/5131101966/workflow

As a general suggestion, every time that you prepare a branch for a Pull Request (or you just submit a new PR), check the status of Actions; if there is a red mark, it means that there's something to be fixed.

Try to reproduce the error in the GitHub Action; make sure that you're using the same dotnet version (I'd suggest using Linux/docker instead of a Windows machine). We can discuss it further during the call on Thursday.
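The dependency shape behind the NU1605 output above, written out as an added example project file (this is not the repository's own dotnet/sample.csproj, and the SDK and target framework are assumed; the package names and versions are the ones the build log reports):

```xml
<!-- Added example, not the finos/security-scanning sample.csproj.
     Package names and versions come from the NU1605 output in the PR discussion;
     the Sdk attribute and TargetFramework are assumptions. -->
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <!-- Variant A: what the failing build shows.
       Microsoft.AspNetCore.Mvc.NewtonsoftJson 6.0.16 declares Newtonsoft.Json (>= 13.0.1),
       so a direct reference to 12.0.3 is a package downgrade. The .NET SDK treats NU1605
       as an error, restore fails, and the CVE scan never gets to run on the project. -->
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="6.0.16" />
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>

  <!-- Variant B: keep the old Newtonsoft.Json in the scanner fixture without a downgrade
       conflict by not referencing anything that requires a newer version.
       Use this group instead of Variant A. -->
  <!--
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
  -->

</Project>
```

Running `dotnet restore` on Variant A reproduces the three NU1605 lines from the log, which is the quickest way to check locally before pushing. Variant B resolves to Newtonsoft.Json 12.0.3 so the scanner has a known-outdated package to flag. Suppressing the warning instead (for example with `<NoWarn>NU1605</NoWarn>` in the PropertyGroup) also makes restore succeed, but in a real project that hides exactly the signal that a transitive dependency is being pulled below a version it was tested with, so it is a poor habit to carry out of a test fixture.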