Closed alesgn closed 2 years ago
I am a bit confused about the scanning result.
I tried it on .NET Core 3.1 / 5.0; the .NET Core CLI isn't reporting any vulnerable package:
For example, on a .NET Core 3.1 project:
dotnet list .\Profiler31\Profiler31.csproj package --vulnerable --include-transitive
The following sources were used:
https://api.nuget.org/v3/index.json
The given project `Profiler31` has no vulnerable packages given the current sources.
However, the version of Microsoft.AspNetCore.Hosting is 1.0.2.
PS D:\Demo> dotnet list .\Profiler31\Profiler31.csproj package --include-transitive
Project 'Profiler31' has the following package references
[netcoreapp3.1]:
Top-level Package Requested Resolved
> Microsoft.ApplicationInsights.Profiler.AspNetCore 2.3.0 2.3.0
Transitive Package Resolved
> Azure.Core 1.14.0
> Azure.Identity 1.4.0
> CommandLineParser 2.8.0
> Microsoft.ApplicationInsights 2.12.0
> Microsoft.ApplicationInsights.AspNetCore 2.12.0
> Microsoft.ApplicationInsights.DependencyCollector 2.12.0
> Microsoft.ApplicationInsights.EventCounterCollector 2.12.0
> Microsoft.ApplicationInsights.PerfCounterCollector 2.12.0
> Microsoft.ApplicationInsights.Profiler.Core 2.3.0
> Microsoft.ApplicationInsights.WindowsServer 2.12.0
> Microsoft.ApplicationInsights.WindowsServer.TelemetryChannel 2.12.0
> Microsoft.AspNetCore.Hosting 1.0.2
> Microsoft.AspNetCore.Hosting.Abstractions 2.1.0
> Microsoft.AspNetCore.Hosting.Server.Abstractions 2.1.0
> Microsoft.AspNetCore.Http 1.0.2
> Microsoft.AspNetCore.Http.Abstractions 2.1.0
> Microsoft.AspNetCore.Http.Extensions 1.0.2
> Microsoft.AspNetCore.Http.Features 2.1.0
> Microsoft.AspNetCore.WebUtilities 1.0.2
> Microsoft.Bcl.AsyncInterfaces 1.0.0
...
@alesgn how were you getting the scanning results?
New info: I believe this is the underlying package that causes trouble: Microsoft.AspNetCore.Http, which is referenced by Microsoft.AspNetCore.Hosting.
This should have been addressed in 2.4.0-beta1. Compare the dependency tree for before/after:
Describe your environment.
Steps to reproduce. Add ApplicationInsights-Profiler-AspNetCore reference to your project. Look at transitive dependencies.
What is the expected behavior? A reference to a version of Microsoft.AspNetCore.Hosting without known security vulnerabilities (maybe the latest 2.1.x?).
What is the actual behavior? A reference to Microsoft.AspNetCore.Hosting 1.0.2, which is a version with security vulnerabilities.
Additional context. Version 1.0.2 of the Microsoft.AspNetCore.Hosting package gets reported by security scanners (i.e. Whitesource Bolt) as a vulnerability in the project, so it should be patched.
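The `--vulnerable` switch only reports advisories known to the configured package sources ("given the current sources"), so a second check that applies a minimum-version policy to the same `--include-transitive` listing catches old transitive packages the feed does not flag. The Python below is an added example, not code from this issue or from the Profiler project: it parses a listing shaped like the one quoted above (the sample text and the `MIN_VERSIONS` policy map are constructed for illustration) and returns every package resolved below its floor, keeping the Top-level/Transitive section so the report says which kind of reference is at fault.

```python
import re

# Constructed sample shaped like the `dotnet list ... package --include-transitive`
# listing quoted in this issue (project name and versions are taken from it).
SAMPLE_OUTPUT = """\
Project 'Profiler31' has the following package references
   [netcoreapp3.1]:
   Top-level Package                                     Requested   Resolved
   > Microsoft.ApplicationInsights.Profiler.AspNetCore   2.3.0       2.3.0

   Transitive Package                                    Resolved
   > Microsoft.AspNetCore.Hosting                        1.0.2
   > Microsoft.AspNetCore.Hosting.Abstractions           2.1.0
   > Microsoft.AspNetCore.Http                           1.0.2
   > Microsoft.AspNetCore.Http.Abstractions              2.1.0
"""
# Hypothetical policy (assumption): lowest version accepted for each package id.
MIN_VERSIONS = {
    "Microsoft.AspNetCore.Hosting": "2.1.0",
    "Microsoft.AspNetCore.Http": "2.1.0",
}
# A package row: "> <id> [<requested>] <resolved>"; Resolved is always the last column.
_ROW = re.compile(r"^\s*>\s+(\S+)\s+(?:(\S+)\s+)?(\S+)\s*$")


def parse_version(version):
    """Make '2.4.0-beta1' comparable: numeric parts first, prerelease below release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    return nums + (0,) * (4 - len(nums)), (pre == "", pre)


def parse_packages(text):
    """Return (section, package_id, resolved_version) for every '>' row."""
    section, rows = None, []
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Top-level Package"):
            section = "top-level"
        elif head.startswith("Transitive Package"):
            section = "transitive"
        match = _ROW.match(line)
        if match and section:
            rows.append((section, match.group(1), match.group(3)))
    return rows


def find_below_floor(text, floors=MIN_VERSIONS):
    """Return (section, package_id, resolved, floor) for packages under their floor."""
    return [(s, p, v, floors[p]) for s, p, v in parse_packages(text)
            if p in floors and parse_version(v) < parse_version(floors[p])]
```

Feed it the real listing with `find_below_floor(subprocess.check_output([...], text=True))` and fail the build when the result is non-empty.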