[browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0

[pavelsavara]

Log

Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser(config: "Debug", transport: "LongPolling") [FAIL]

       []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj (in 9.91 sec).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\BlazorClient\BlazorClient.csproj (in 10.45 sec).
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj (in 493 ms).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj (in 5 ms).

Build Information

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Build error leg or test failing:

Error Message

Fill the error message using step by step known issues guidance.

{
  "ErrorMessage": "NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability",
  "BuildRetry": false,
  "ExcludeConsoleLog": false
}

Known issue validation

Build: 🔎 https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Error message validated: [NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability]
Result validation: ✅ Known issue matched with the provided build.
Validation performed at: 7/11/2024 4:23:34 PM UTC

Report

Build	Definition	Test	Pull Request
737660	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104577
736134	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104638
738762	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#103755
738708	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104683
738681	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104437
738661	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution
738535	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104750
738431	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104757
738133	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#103757
738356	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104764
738311	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104760
738295	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104758
738288	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104750
738193	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser
738246	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104753
738220	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104644
737629	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#103755
737568	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#100048
736603	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#104698
737703	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104683
737654	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104701
737354	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#104672
737155	dotnet/runtime	Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#102464
737345	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#104729
737493	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104733
737342	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#100056
737280	dotnet/runtime	Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser	#104730
736235	dotnet/runtime	Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution	#104685

Summary

24-Hour Hit Count	7-Day Hit Count	1-Month Count
0	27	28

[dotnet-policy-service]

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

[ViktorHofer]

Note that this means that you are using the nuget.org feed somewhere which is unrelated but should be fixed as well. NU1903 is part of the NuGet Audit feature which only works with the nuget.org feed atm.

[ViktorHofer]

cc @lewing

[ViktorHofer]

Unfortunately, I don't know how these tests work. Can someone please file an issue for the nuget.org issue?

[ilonatommy]

In wbt we're populating nuget config here:

runtime/src/mono/wasm/Wasm.Build.Tests/Blazor/BlazorWasmTestBase.cs

Line 35 in f9eda07

File.WriteAllText(Path.Combine(_projectDir, "nuget.config"),

that produces:

  <packageSources>
    <clear />
    <add key="nuget-local" value="C:\Users\user\source\repos\runtime-fork\artifacts\packages\Debug\Shipping\" />
    <add key="dotnet8" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json" />
    <add key="dotnet9" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json" />
    <add key="nuget.org"  value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

Do you mean we should remove <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />?

[ViktorHofer]

Yes. AFAIK using the nuget.org feed in our builds is disallowed for security reasons. cc @mmitche

[ajtruckle]

I can confirm that this package is using version 8.0.0:

• Microsoft.Exstensions.Configuration.Json.8.0.0

When will this be fixed?

[ViktorHofer]

Copied from a mail conversation:

.NET's policy is that we do not publish new intermediate packages for the sole purpose of updating a leaf dependency. This is instead an application-level concern. We rely on NuGet functionality to make updating leaf dependencies simple and painless.

We don't yet have that documented but we will follow-up on it.

[ajtruckle]

@ViktorHofer
I am not knowledgeable with this ..but let me get this in my head?

VS is telling me that this particular NuGet package is using a vulnerable assembly. So why do I have to fix this? Why do I have to manually download another top level dependency for what is currently translative? I don't understand the logic. Surely, something, somewhere is responsible for using a vulnerable version and it should be rectified. No? Otherwise the headache is put on our shoulders and technically, the issue is not with out code but the NuGet packages concerned.