
[Feature]: Make dotnet list package --vulnerable take the target framework into account #11786

Open
cmeeren opened this issue Apr 30, 2022 · 7 comments
Labels
Functionality:ListPackage dotnet.exe list package Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Product:dotnet.exe Triage:NeedsDesignSpec Type:Feature


cmeeren commented Apr 30, 2022

NuGet Product(s) Involved

dotnet.exe

The Elevator Pitch

(Sent here from dotnet/sdk#24193)

I did a scan using dotnet list package --vulnerable --include-transitive. I get the following:

Project `MyProject` has the following vulnerable packages
   [net6.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57

According to information linked from the advisory URL, this only affects some old .NET Core 1.x and 2.x runtimes. As you can see above, I'm using .NET 6. This false positive is therefore just noise that I have to filter out when scanning for vulnerable packages. This is particularly annoying when running on CI.

I could install the package directly to update it and get rid of the false positive, but with tens or hundreds of different projects with hundreds of transitive dependencies each, that won't scale. Another aspect is that this is a transitive dependency through NETStandard.Library (1.6.1 in my case), so I'm not sure if it should be updated at all. (NETStandard.Library is a dependency of Microsoft.IdentityModel.Clients.ActiveDirectory targeting netstandard1.3, which again is a dependency of Microsoft.Azure.Services.AppAuthentication, which is a dependency of dbup-sqlserver, which is a direct dependency of mine.)

Additional Context and Details

No response

erdembayar (Contributor) commented:

Thank you for filing this issue.
I can repro this. One solution could be upgrading System.Net.Http to the latest 4.3.4 to make the warning disappear; not sure if there is any constraint preventing this.


cmeeren commented Apr 30, 2022

I mention that as a solution in the paragraph, but it's not a good solution for reasons I describe in this discussion I also posted here today.

JonDouglas (Contributor) commented:

There doesn't exist any field nor tooling to do this. It is a false positive but something we don't have much control over right now. I can talk to GitHub to see if we can add something like this in the future.

It is best practice to regularly audit your dependencies and be on newer versions as time passes. While .NET may have a bias towards lowest applicable version, it puts you in a position where a future disclosed vulnerability may force you to update anyway. On the other end, updating always to the latest is subject to any active supply chain attacks.

Ideally you should be on a recent version or even the latest version that is pinned and doesn't automatically update.


cmeeren commented May 2, 2022

> There doesn't exist any field nor tooling to do this. It is a false positive but something we don't have much control over right now. I can talk to GitHub to see if we can add something like this in the future.

That would be great. What does GitHub have to do with this, though? Isn't this something that would be good to have support for directly in dotnet list package, which I assume is not specifically related to GitHub?

> On the other end, updating always to the latest is subject to any active supply chain attacks.

That is a perspective I hadn't considered. I'll respond to this and the rest of your comment in #11787 (reply in thread).

JonDouglas (Contributor) commented:

@cmeeren We use the GitHub Advisory database as noted by your example advisory url.

Many CVE/GHSA entries do not contain any informational fields such as an affected target framework, programming language version, runtime, and more. The only thing available today is the description and package versions, which isn't enough to decipher. If we can better classify the advisories, then we could in theory build this feature.

While some advisories do have custom fields, we would need a standard field that the larger process follows and is exposed via the advisory API.

@nkolev92 nkolev92 added Pipeline:Icebox Priority:3 Issues under consideration. With enough upvotes, will be reconsidered to be added to the backlog. Triage:NeedsDesignSpec labels May 5, 2022
JonDouglas (Contributor) commented:

For transparency's sake, I did talk to the GitHub Advisory team and mentioned this ask. They have heard similar requests across other ecosystems and it may be worth providing community feedback to their issue trackers:

https://github.com/community/community#product-feedback


omghb commented Jun 13, 2023

I see the same false positive results:

   [net6.0]:
   Transitive Package                      Resolved   Severity   Advisory URL
   > System.Drawing.Common                 5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
   > System.Security.Cryptography.Xml      5.0.0      Moderate   https://github.com/advisories/GHSA-2m65-m22p-9wjw

It detects correctly that the project targets net6.0. Both listed packages are part of net6.0 and so they are used in version 6.0.0 or higher.

  • System.Drawing.Common - affected versions: >= 5.0.0, < 5.0.3 => false positive
  • System.Security.Cryptography.Xml - affected versions: >= 5.0.0, < 6.0.1 => this is more tricky. We use .NET 6.0.16 but this information might not be available here.
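As an added example (not code from this thread or from NuGet), a small Python triage filter for CI that parses the text layout shown in these reports and suppresses a finding only when a reviewed (target framework, advisory) pair says the advisory does not apply to that runtime. The sample report and the NOT_APPLICABLE table are constructed for illustration; the System.Security.Cryptography.Xml finding is deliberately left in, since its affected range (< 6.0.1) may still cover the installed runtime.

```python
import re
import sys

# Constructed sample in the layout printed by
# `dotnet list package --vulnerable --include-transitive`, mirroring the reports in this thread.
SAMPLE_REPORT = """\
Project `MyProject` has the following vulnerable packages
   [net6.0]:
   Transitive Package                    Resolved   Severity   Advisory URL
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Drawing.Common               5.0.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
   > System.Security.Cryptography.Xml    5.0.0      Moderate   https://github.com/advisories/GHSA-2m65-m22p-9wjw
"""

# Hypothetical, team-maintained review list: (target framework, advisory) pairs judged not to
# apply because the runtime ships a newer copy of the assembly than the referenced package.
# GHSA-2m65-m22p-9wjw is deliberately absent: its range (< 6.0.1) may still cover the runtime.
NOT_APPLICABLE = {
    ("net6.0", "GHSA-7jgj-8wvc-jh57"): "advisory covers .NET Core 1.x/2.x runtimes only",
    ("net6.0", "GHSA-rxg9-xrhp-64gj"): "net6.0 in-box System.Drawing.Common is >= 6.0.0",
}

TFM_RE = re.compile(r"^\s*\[(?P<tfm>[^\]]+)\]:\s*$")
ROW_RE = re.compile(r"^\s*>\s+(?P<pkg>\S+)\s+(?P<ver>\S+)\s+(?P<sev>\S+)\s+\S*/(?P<id>GHSA-[\w-]+)\s*$")


def parse_report(text):
    """Return (tfm, package, resolved_version, severity, advisory_id) tuples, one per finding."""
    rows, tfm = [], None
    for line in text.splitlines():
        m = TFM_RE.match(line)
        if m:
            tfm = m["tfm"]          # findings that follow belong to this framework section
            continue
        m = ROW_RE.match(line)
        if m and tfm:
            rows.append((tfm, m["pkg"], m["ver"], m["sev"], m["id"]))
    return rows


def triage(rows, not_applicable=NOT_APPLICABLE):
    """Split findings into (actionable, suppressed); suppression keys on TFM + advisory, never on package name alone."""
    actionable = [r for r in rows if (r[0], r[4]) not in not_applicable]
    suppressed = [r for r in rows if (r[0], r[4]) in not_applicable]
    return actionable, suppressed


if __name__ == "__main__":
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    todo, skipped = triage(parse_report(report))
    for tfm, pkg, ver, sev, gid in skipped:
        print(f"suppressed [{tfm}] {pkg} {ver}: {NOT_APPLICABLE[(tfm, gid)]}")
    for tfm, pkg, ver, sev, gid in todo:
        print(f"ACTION     [{tfm}] {pkg} {ver} {sev} {gid}")
    sys.exit(1 if todo else 0)   # fail the CI step only on findings that survived review
```

Pipe the real command output into the script (`dotnet list package --vulnerable --include-transitive | python triage.py`) to get a non-zero exit only for findings not covered by the review list.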
