Open dirkmueller opened 1 week ago
we are shipping 13.0.3 in net6, in this fix https://github.com/dotnet/installer/pull/19320/files we are rewriting the testhost.deps.json to reflect that. This is how the dll looks in ilspy:
Where is the version 13.0.0.0.1 you mentioned coming from?
sorry, I meant 13.0.1 which is mentioned as the solution for the https://github.com/advisories/GHSA-5crp-9r3c-p9vr advisory.
I can still find the references in "dotnet-sdk-6.0-6.0.425-1.x86_64" which comes from packages.microsoft.com:
# grep -r Newtonsoft.Json/13.0.0.0 /usr/share/dotnet/sdk/6.0.425/
/usr/share/dotnet/sdk/6.0.425/testhost.deps.json: "Newtonsoft.Json/13.0.0.0": {
/usr/share/dotnet/sdk/6.0.425/testhost.deps.json: "Newtonsoft.Json/13.0.0.0": {
A user of ours is running a security scanner which barfs on that.
Description
https://github.com/microsoft/vstest/blob/07acde22b65497e72de145d57167b83609a7f7fb/temp/testhost/testhost.deps.json#L18 and a few other places refer to Newtonsoft 13.0.0.0 which is affected by https://github.com/advisories/GHSA-5crp-9r3c-p9vr
Suggest upgrading to 13.0.0.0.1 everywhere to silence dependency security scanners.
Steps to reproduce
Scan dotnet sdk 6.0.425 release with a security scanner, which finds the vulnerable version referenced in
usr/share/dotnet/sdk/6.0.425/testhost.deps.json
Expected behavior
No security scanner warnings
Actual behavior
triggers on above security advisory
Environment
SUSE Linux Enterprise 15
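What the scanner in this issue is doing, and what the installer-side fix amounts to, can both be shown on a deps.json directly. The script below is an added example, not code from vstest, dotnet/installer or any scanner: it walks the "targets" and "libraries" sections of a constructed testhost.deps.json (modelled on the two grep hits above), reports every reference to a package pinned below the advisory's fixed version (13.0.1 here), and then rewrites the reference to the version actually shipped (13.0.3 in the thread), which is the kind of edit the linked installer PR makes. The sample document, its sha512 placeholder and the `testhost/15.0.0.0` key are constructed for the example.

```python
"""Scan a .deps.json for a package referenced below a fixed version, then rewrite
the reference. Added example; not code from vstest or dotnet/installer.
The sample deps.json below is constructed, not taken from an SDK."""
import json

# Constructed sample: the package appears once as a key under "targets", once as a
# dependency edge of testhost, and once under "libraries", as in the grep output.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0"},
    "targets": {
        ".NETCoreApp,Version=v6.0": {
            "testhost/15.0.0.0": {
                "dependencies": {"Newtonsoft.Json": "13.0.0.0"},
                "runtime": {"testhost.dll": {}},
            },
            "Newtonsoft.Json/13.0.0.0": {
                "runtime": {"lib/netstandard2.0/Newtonsoft.Json.dll": {
                    "assemblyVersion": "13.0.0.0", "fileVersion": "13.0.0.0"}},
            },
        }
    },
    "libraries": {
        "testhost/15.0.0.0": {"type": "project", "serviceable": False},
        "Newtonsoft.Json/13.0.0.0": {"type": "package", "serviceable": True,
                                      "sha512": "sha512-PLACEHOLDER"},
    },
})


def parse_version(text):
    """'13.0.0.0' -> (13, 0, 0, 0). Shorter strings are zero-padded to four parts,
    so the advisory's 13.0.1 compares as (13, 0, 1, 0) > (13, 0, 0, 0).
    A pre-release suffix such as '-beta1' is dropped for the comparison."""
    parts = [int(p) for p in text.split("-")[0].split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def find_affected(deps_text, package, fixed_version):
    """Return (location, reference) pairs where `package` is referenced at a version
    below `fixed_version`, checking target keys, dependency edges and libraries."""
    doc = json.loads(deps_text)
    fixed = parse_version(fixed_version)
    hits = []
    for target_name, target in doc.get("targets", {}).items():
        for key, entry in target.items():
            name, _, ver = key.partition("/")
            if name == package and parse_version(ver) < fixed:
                hits.append(("targets/" + target_name, key))
            # dependency edge, e.g. testhost -> Newtonsoft.Json
            dep_ver = entry.get("dependencies", {}).get(package)
            if dep_ver and parse_version(dep_ver) < fixed:
                hits.append(("targets/%s/%s/dependencies" % (target_name, key),
                             package + "/" + dep_ver))
    for key in doc.get("libraries", {}):
        name, _, ver = key.partition("/")
        if name == package and parse_version(ver) < fixed:
            hits.append(("libraries", key))
    return hits


def rewrite_reference(deps_text, package, old_version, new_version):
    """Rewrite every 'package/old_version' key and dependency edge to new_version,
    the shape of the installer-side fix for testhost.deps.json in the thread."""
    doc = json.loads(deps_text)
    old_key, new_key = package + "/" + old_version, package + "/" + new_version
    for target in doc.get("targets", {}).values():
        if old_key in target:
            target[new_key] = target.pop(old_key)
        for entry in target.values():
            deps = entry.get("dependencies", {})
            if deps.get(package) == old_version:
                deps[package] = new_version
    libs = doc.get("libraries", {})
    if old_key in libs:
        libs[new_key] = libs.pop(old_key)
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for location, ref in find_affected(SAMPLE_DEPS_JSON, "Newtonsoft.Json", "13.0.1"):
        print("affected:", location, ref)
    patched = rewrite_reference(SAMPLE_DEPS_JSON, "Newtonsoft.Json", "13.0.0.0", "13.0.3")
    print("after rewrite:", find_affected(patched, "Newtonsoft.Json", "13.0.1"))
```

Two points a practitioner should take from running it. First, a single package produces several hits in one file (target key, dependency edge, libraries entry), which is why the grep in the thread prints the line twice and why a rewrite has to touch all of them, not just the first match. Second, the version string in a deps.json is whatever the package was restored under; as the maintainer's reply shows, that can read 13.0.0.0 while the DLL that actually ships is 13.0.3, so a scanner hit on the manifest is a lead to verify against the binary on disk, not on its own proof that the vulnerable code is present.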