microsoft / ApplicationInsights-Profiler-AspNetCore

Application Insights Profiler sample and documentation
MIT License

NuGet package is dependent on version 1.0.2 of Microsoft.AspNetCore.Hosting with known security vulnerabilities #146

Closed alesgn closed 2 years ago

alesgn commented 2 years ago

Describe your environment.

Steps to reproduce. Add ApplicationInsights-Profiler-AspNetCore reference to your project. Look at transitive dependencies.

What is the expected behavior? Reference to a version of Microsoft.AspNetCore.Hosting without known security vulnerabilities (maybe the latest from 2.1.x?)

What is the actual behavior? Reference to Microsoft.AspNetCore.Hosting 1.0.2 which is a version with security vulnerabilities.

Additional context. Version 1.0.2 of the Microsoft.AspNetCore.Hosting package gets reported by security scanners (e.g. Whitesource Bolt) as a vulnerability in the project, so it should be patched.

xiaomi7732 commented 2 years ago

I am a bit confused about the scanning result.

I tried it on .NET Core 3.1 / 5.0, and the .NET Core CLI isn't reporting any vulnerable package:

For example, on a .NET Core 3.1 project:

dotnet list .\Profiler31\Profiler31.csproj package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `Profiler31` has no vulnerable packages given the current sources.

However, the version of Microsoft.AspNetCore.Hosting is 1.0.2.

PS D:\Demo> dotnet list .\Profiler31\Profiler31.csproj package --include-transitive
Project 'Profiler31' has the following package references
   [netcoreapp3.1]:
   Top-level Package                                        Requested   Resolved
   > Microsoft.ApplicationInsights.Profiler.AspNetCore      2.3.0       2.3.0

   Transitive Package                                                                   Resolved
   > Azure.Core                                                                         1.14.0
   > Azure.Identity                                                                     1.4.0
   > CommandLineParser                                                                  2.8.0
   > Microsoft.ApplicationInsights                                                      2.12.0
   > Microsoft.ApplicationInsights.AspNetCore                                           2.12.0
   > Microsoft.ApplicationInsights.DependencyCollector                                  2.12.0
   > Microsoft.ApplicationInsights.EventCounterCollector                                2.12.0
   > Microsoft.ApplicationInsights.PerfCounterCollector                                 2.12.0
   > Microsoft.ApplicationInsights.Profiler.Core                                        2.3.0
   > Microsoft.ApplicationInsights.WindowsServer                                        2.12.0
   > Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel                       2.12.0
   > Microsoft.AspNetCore.Hosting                                                       1.0.2
   > Microsoft.AspNetCore.Hosting.Abstractions                                          2.1.0
   > Microsoft.AspNetCore.Hosting.Server.Abstractions                                   2.1.0
   > Microsoft.AspNetCore.Http                                                          1.0.2
   > Microsoft.AspNetCore.Http.Abstractions                                             2.1.0
   > Microsoft.AspNetCore.Http.Extensions                                               1.0.2
   > Microsoft.AspNetCore.Http.Features                                                 2.1.0
   > Microsoft.AspNetCore.WebUtilities                                                  1.0.2
   > Microsoft.Bcl.AsyncInterfaces                                                      1.0.0
...

@alesgn how were you getting the scanning results?
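The listing above shows why the two tools disagree: `dotnet list package --vulnerable` only flags packages that have an advisory in the vulnerability data served by the configured package sources, so an old package line with no advisory there passes, while a scanner that keys on the version itself (or an out-of-support line) flags it. The script below is an added example and is not part of the issue thread or the project. It parses the text layout that `dotnet list <project> package --include-transitive` prints (the same layout as the output quoted above), checks every resolved version against a minimum-version policy, and emits the direct `<PackageReference>` lines that make NuGet resolve the higher version in the consuming project (a direct reference takes precedence over a transitive one). The sample listing, the policy table `MIN_VERSIONS` and the function names are constructed for illustration.

```python
"""Flag transitive NuGet packages below a version floor and emit csproj overrides.

Added example (not from the issue or the project). The parser targets the
text that `dotnet list <proj> package --include-transitive` prints; the
sample listing and the policy below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the listing layout quoted in the thread.
SAMPLE_LISTING = """\
Project 'Profiler31' has the following package references
   [netcoreapp3.1]:
   Top-level Package                                        Requested   Resolved
   > Microsoft.ApplicationInsights.Profiler.AspNetCore      2.3.0       2.3.0

   Transitive Package                                                                   Resolved
   > Microsoft.AspNetCore.Hosting                                                       1.0.2
   > Microsoft.AspNetCore.Hosting.Abstractions                                          2.1.0
   > Microsoft.AspNetCore.Http                                                          1.0.2
   > Microsoft.AspNetCore.Http.Abstractions                                             2.1.0
   > Microsoft.Bcl.AsyncInterfaces                                                      1.0.0
"""

# Constructed policy (an assumption for this example): package -> minimum acceptable version.
MIN_VERSIONS: Dict[str, str] = {
    "Microsoft.AspNetCore.Hosting": "2.1.0",
    "Microsoft.AspNetCore.Http": "2.1.0",
}

# A package row is "> <name> [<requested>] <resolved>"; top-level rows carry both
# columns, transitive rows only the resolved version.
ROW = re.compile(r"^\s*>\s+(\S+)\s+(?:(\S+)\s+)?(\S+)\s*$")


def parse_listing(text: str) -> Dict[str, Tuple[str, bool]]:
    """Return {package: (resolved_version, is_transitive)} from `dotnet list package` output."""
    packages: Dict[str, Tuple[str, bool]] = {}
    transitive = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Top-level Package"):
            transitive = False
        elif stripped.startswith("Transitive Package"):
            transitive = True
        m = ROW.match(line)
        if m:
            packages[m.group(1)] = (m.group(3), transitive)
    return packages


def version_key(v: str):
    """Sort key for NuGet/SemVer-style versions: 2.4.0-beta1 < 2.4.0 < 2.4.1."""
    release, _, pre = v.partition("-")
    release = release.split("+")[0]            # drop build metadata if present
    nums = [int(p) for p in release.split(".")]
    nums += [0] * (4 - len(nums))              # NuGet allows a 4th component
    # Numeric pre-release identifiers sort below alphanumeric ones (SemVer rule).
    pre_ids = tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                    for p in pre.split(".")) if pre else ()
    # `not pre` is True for a final release, so it sorts above any pre-release.
    return (tuple(nums), not pre, pre_ids)


def find_violations(packages: Dict[str, Tuple[str, bool]],
                    policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, resolved, floor) for every resolved version below its floor."""
    out = []
    for name, floor in policy.items():
        if name in packages:
            resolved, _ = packages[name]
            if version_key(resolved) < version_key(floor):
                out.append((name, resolved, floor))
    return sorted(out)


def csproj_overrides(violations: List[Tuple[str, str, str]]) -> str:
    """Emit direct PackageReference items that raise the resolved version.

    NuGet lets a direct reference in the consuming project take precedence over
    a transitive one, so this is a stop-gap until the upstream package itself
    references the newer version.
    """
    lines = ["<ItemGroup>"]
    for name, _, floor in violations:
        lines.append(f'  <PackageReference Include="{name}" Version="{floor}" />')
    lines.append("</ItemGroup>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_violations(parse_listing(SAMPLE_LISTING), MIN_VERSIONS)
    for name, resolved, floor in found:
        print(f"{name}: resolved {resolved} is below policy floor {floor}")
    if found:
        print("\nAdd to the consuming .csproj until upstream bumps the dependency:")
        print(csproj_overrides(found))
```

Feed it the real output with `dotnet list ./Profiler31/Profiler31.csproj package --include-transitive > packages.txt` and pass the file contents to `parse_listing`. Raising a transitive version this way does not change what the profiler package itself declares, so keep the override only until a release of the package that references the newer Microsoft.AspNetCore.* line is available, and re-run the check after each package update.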

xiaomi7732 commented 2 years ago

New info: I believe this is the underlying package that causes the trouble: Microsoft.AspNetCore.Http, which is referenced by Microsoft.AspNetCore.Hosting.

xiaomi7732 commented 2 years ago

This should have been addressed in 2.4.0-beta1. Compare the dependency tree for before/after:

(screenshot of the before/after dependency tree; image not included)