sonatype-nexus-community / DevAudit

Open-source, cross-platform, multi-purpose security auditing tool
BSD 3-Clause "New" or "Revised" License

DevAudit reports vulnerability on Nuget package for lower vulnerable version not in csproj file. #142

Closed bp4151 closed 3 years ago

bp4151 commented 3 years ago

This is interesting.

I set up a test DotNetCore project with a non-vulnerable version of Log4Net (20.0.12). When I run DevAudit against that csproj file, I get the following message in the console:

[2/45] log4net 2.0.9 1 known vulnerability, 0 affecting installed package version(s).

I also get the following in the output

```json
"Package": {
  "pm": "nuget",
  "group": null,
  "name": "log4net",
  "version": "2.0.9",
  "vendor": null
},
"Vulnerabilities": [
  {
    "id": "c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c",
    "title": "[CVE-2018-1285] Apache log4net before 2.0.8 does not disable XML external entities when parsing ...",
    "description": "Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.",
    "cvssScore": "9.8",
    "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "cwe": null,
    "reference": "https://ossindex.sonatype.org/vulnerability/c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c?component-type=nuget&component-name=log4net&utm_source=devaudit&utm_medium=integration&utm_content=3.4"
  }
]
```

It looks like it's reporting the lower version vulnerability even though the version in the project is not vulnerable. I included my csproj file and output.

sca_dotnet_test.zip

Running log4net 20.0.12 directly against the OssIndex API returns the expected result.

```json
[
  {
    "coordinates": "pkg:nuget/log4net@20.0.12",
    "description": "log4net is a tool to help the programmer output log statements to a variety of output targets. log4net is a port of the excellent log4j framework to the .NET runtime",
    "reference": "https://ossindex.sonatype.org/component/pkg:nuget/log4net@20.0.12?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
```

bp4151 commented 3 years ago

Non-issue. I didn't see --no-cache in the options list. Using that switch appears to handle the issue.
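The symptom in this thread is a report whose package version does not match what the csproj pins, which is exactly what a stale cache produces. The following added example (not DevAudit's own code) cross-checks a report in the shape shown above against the `PackageReference` entries of a csproj and flags any entry whose version disagrees; the csproj fragment and report are constructed samples, and the `2.0.12` pin is assumed.

```python
"""Cross-check a DevAudit-style NuGet report against the versions a .csproj pins.

Added example, not DevAudit code. Assumes the report is a list of objects shaped
like the issue's output ({"Package": {...}, "Vulnerabilities": [...]}).
"""
import json
import xml.etree.ElementTree as ET

# Constructed csproj fragment: the project pins a patched log4net (assumed 2.0.12).
CSPROJ_XML = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="log4net" Version="2.0.12" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>"""

# Constructed report in the shape of the issue's output: a stale cache entry for
# log4net 2.0.9 still carrying the pre-2.0.8 XXE advisory quoted in the thread.
REPORT_JSON = json.dumps([
    {"Package": {"pm": "nuget", "name": "log4net", "version": "2.0.9"},
     "Vulnerabilities": [{"id": "c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c",
                          "title": "[CVE-2018-1285] Apache log4net before 2.0.8 ..."}]},
    {"Package": {"pm": "nuget", "name": "Newtonsoft.Json", "version": "13.0.1"},
     "Vulnerabilities": []},
])


def csproj_versions(xml_text):
    """Map lower-cased package id -> Version attribute of each PackageReference."""
    pinned = {}
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        name, version = ref.get("Include"), ref.get("Version")
        if name and version:
            pinned[name.lower()] = version
    return pinned


def stale_entries(report_text, pinned):
    """Return (name, reported_version, pinned_version) for every report entry
    whose version differs from the csproj; such entries cannot describe this build."""
    mismatches = []
    for entry in json.loads(report_text):
        pkg = entry["Package"]
        expected = pinned.get(pkg["name"].lower())
        if expected is not None and expected != pkg["version"]:
            mismatches.append((pkg["name"], pkg["version"], expected))
    return mismatches


if __name__ == "__main__":
    for name, reported, expected in stale_entries(REPORT_JSON, csproj_versions(CSPROJ_XML)):
        print(f"{name}: report says {reported}, csproj pins {expected}; rerun with --no-cache")
```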