
NuGet client (via dotnet SDK) incorrectly warns about vulnerable NuGet packages hoisted by the shared runtime #13751

Closed
halter73 opened this issue Aug 29, 2024 · 4 comments

Comments

@halter73

I originally filed this issue against the dotnet SDK dotnet/sdk#43063, but the bot asked me to post this here. I'm not sure how much visibility NuGet has into what packages are hoisted by the shared runtime, but the issue is as follows:

Describe the bug

If you add a PackageReference to a project pointing to a vulnerable package version, dotnet commands like restore, build, run, and list package --vulnerable --include-transitive will report inaccurate vulnerability warnings for packages that are hoisted to a newer, non-vulnerable version by the shared runtime.

In my repro project at https://github.com/halter73/NuGetVulnerabilityFalsePositive, I demonstrate this with a direct PackageReference to System.Text.Json 8.0.3, but the problem persists for transitive references, which is harder to work around.

In the case of transitive dependencies, you cannot avoid the issue by simply removing the PackageReference. Instead, developers are forced to directly reference the packages that are falsely reported as vulnerable to get rid of warnings. This is demonstrated by dotnet/aspnetcore#57560 which tries to update the ASP.NET Core project templates so they do not produce NuGet vulnerability warnings. We would rather not be forced to reference packages that are part of the shared runtime.

To Reproduce

Exceptions (if any)

PS C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive> dotnet run
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

{"systemTextJsonPath":"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.8\\System.Text.Json.dll"}

Further technical details

dotnet --info
.NET SDK:
 Version:           8.0.401
 Commit:            811edcc344
 Workload version:  8.0.400-manifests.dd15fcf9
 MSBuild version:   17.11.4+37eb419ad

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.401\

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
 [wasm-tools]
   Installation Source: VS 17.12.35214.114
   Manifest Version:    8.0.8/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.8\WorkloadManifest.json
   Install Type:        FileBased

 [aspire]
   Installation Source: VS 17.12.35227.331
   Manifest Version:    8.1.0/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.1.0\WorkloadManifest.json
   Install Type:        FileBased

Host:
  Version:      9.0.0-preview.7.24405.7
  Architecture: x64
  Commit:       static

.NET SDKs installed:
  7.0.200 [C:\Program Files\dotnet\sdk]
  8.0.304 [C:\Program Files\dotnet\sdk]
  8.0.401 [C:\Program Files\dotnet\sdk]
  9.0.100-preview.7.24407.12 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.0-preview.7.24406.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.33 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.0-preview.7.24405.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 6.0.33 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 9.0.0-preview.7.24405.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  C:\dev\temp\NuGetVulnerabilityFalsePositive\global.json

VS Version: 17.12.0 Preview 2.0 [35227.331.main]

VS Vulnerability Warning

@Tragetaschen commented on the original issue pointing out the following.

I can see a myriad of warnings in our codebase, but not with 8.0.401, only with the preview bits. Basically everywhere

    …csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
    …csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Those packages are not referenced explicitly and we are building for 8.0.8.

.NET SDK:
 Version:           9.0.100-preview.7.24407.12
 Commit:            d672b8a045
 Workload version:  9.0.100-manifests.baed1e37
 MSBuild version:   17.12.0-preview-24374-02+48e81c6f1

Neither 8.0.401 nor 9.0.100-… show a vulnerability when running dotnet list package --include-transitive --vulnerable

As you can see from my repro above, this bug does present itself even with the 8.0.401 SDK specified in the global.json. The host version is 9.0.100-preview.7.24407.12, so that might have something to do with it.

I almost pointed to dotnet/runtime#106172 as being related, because that is the proximate cause for the System.Text.Json warning to show up in the RC1 ASP.NET Core project templates but not the preview7 one, but RC1 hasn't been released yet unless you're using https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json as a package feed. So, I think this regression probably does have something to do with the host version.
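The repro output above shows the check that actually settles whether an NU1903 warning matters: which copy of the assembly the host loads at run time. The following is an added example, not code from the issue or from the linked NuGetVulnerabilityFalsePositive repository, that generalizes that check to a list of assembly names. It classifies each loaded assembly by whether its file sits in the runtime's own directory (next to System.Private.CoreLib) or in the application's output directory, and reports the version strings the file carries. The class, record and method names are assumptions, and the list of assembly names is a constructed sample taken from the two packages named in this thread.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Text.Json;

// Added example, not code from the issue or the linked repro project.
// Class, record and method names are assumptions; the assembly list is a constructed sample.
static class LoadedAssemblyCheck
{
    public sealed record Origin(
        string Name,
        string Location,
        string? InformationalVersion,
        string? FileVersion,
        string Source); // "framework", "app-local", "bundled" or "other"

    // Classify a loaded assembly by where its file lives. An assembly in the same directory
    // as System.Private.CoreLib came from the runtime (for a framework-dependent app that is
    // <dotnet root>\shared\Microsoft.NETCore.App\<version>); one under the app's base
    // directory was copied into the build output from a NuGet package.
    public static Origin Inspect(Assembly asm)
    {
        string location = asm.Location; // empty for single-file bundles
        string dir = Path.GetDirectoryName(location) ?? string.Empty;
        string frameworkDir = Path.GetDirectoryName(typeof(object).Assembly.Location) ?? string.Empty;
        string appDir = AppContext.BaseDirectory.TrimEnd(Path.DirectorySeparatorChar);

        string source =
            location.Length == 0 ? "bundled" :
            SamePath(dir, frameworkDir) ? "framework" :
            SamePath(dir, appDir) ? "app-local" :
            "other";

        string? info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
        string? file = location.Length == 0 ? null : FileVersionInfo.GetVersionInfo(location).FileVersion;
        return new Origin(asm.GetName().Name ?? "?", location, info, file, source);
    }

    static bool SamePath(string a, string b) =>
        a.Length > 0 && b.Length > 0 &&
        string.Equals(Path.GetFullPath(a), Path.GetFullPath(b), StringComparison.OrdinalIgnoreCase);

    public static int Main()
    {
        // Constructed sample: the two packages this thread reports NU1903 warnings for.
        // Loading by simple name lets the host's normal probing decide which copy wins.
        string[] names = { "System.Text.Json", "System.Formats.Asn1" };
        var results = new List<Origin>();
        foreach (string name in names)
        {
            try { results.Add(Inspect(Assembly.Load(name))); }
            catch (Exception ex) { Console.Error.WriteLine($"{name}: {ex.GetType().Name}: {ex.Message}"); }
        }

        Console.WriteLine(JsonSerializer.Serialize(results, new JsonSerializerOptions { WriteIndented = true }));

        // Non-zero exit when any assembly resolved app-local: in that case the package copy,
        // the version the audit warned about, is what would run, so the warning is not a false positive.
        return results.Exists(r => r.Source == "app-local") ? 1 : 0;
    }
}
```

Run it from the project that produced the warning; a "framework" result for a package the audit flagged means the runtime superseded the package version, which is the situation described in this issue, while "app-local" means the package's own DLL shipped in the output and the warning stands. For self-contained or single-file deployments every framework assembly also lives in (or is bundled into) the application directory, so the directory test cannot distinguish the two cases; there, compare the reported FileVersion against the runtime version being deployed instead.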

@halter73
Author

After finding some better search terms (basically looking for anything referencing "dotnet list package --vulnerable"), I found the following related issues:

This can probably be closed as a dupe of one of them.

@nkolev92
Member

#7344 is the best dup, since it talks about removing packages from the package completely.

@nkolev92 nkolev92 closed this as not planned Won't fix, can't repro, duplicate, stale Aug 29, 2024
@nkolev92
Member

Some quick clarifications on what Supplied by platform can/cannot do.

  • It targets scenarios where there's a package in the project graph, if there's no package, nothing changes.
  • There'll be some logic to figure out which packages are newer in the runtime that would potentially be used based on what that particular SDK knows.
