I did a scan using dotnet list package --vulnerable --include-transitive. I get the following:
Project `MyProject` has the following vulnerable packages
   [net6.0]:
   Transitive Package     Resolved   Severity   Advisory URL
      > System.Net.Http   4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
According to information linked from the advisory URL, this only affects some old .NET Core 1.x and 2.x runtimes. As you can see above, I'm using .NET 6. This false positive is therefore just noise that I have to filter out when scanning for vulnerable packages. This is particularly annoying when running on CI.
I could install the package directly to update it and get rid of the false positive, but with tens or hundreds of different projects with hundreds of transitive dependencies each, that won't scale. Another aspect is that this is a transitive dependency through NETStandard.Library (1.6.1 in my case), so I'm not sure if it should be updated at all. (NETStandard.Library is a dependency of Microsoft.IdentityModel.Clients.ActiveDirectory targeting netstandard1.3, which again is a dependency of Microsoft.Azure.Services.AppAuthentication, which is a dependency of dbup-sqlserver, which is a direct dependency of mine.)
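One way to keep this kind of finding out of the CI signal without touching every project is to post-process the report against a reviewed allow-list. The script below is an added example, not code from the issue, from NuGet or from the .NET SDK: it parses the text layout shown above (a `Top-level Package` section with Requested/Resolved columns and a `Transitive Package` section with Resolved only), suppresses advisories a reviewer has explicitly accepted, and fails only on unreviewed rows. The sample report is constructed; the `Hypothetical.Direct` row and its `GHSA-0000-0000-0000` advisory are placeholders added to exercise the direct-dependency layout, and the allow-list entry's expiry date is an assumed policy, not something the tool provides.

```python
"""Triage `dotnet list package --vulnerable --include-transitive` output in CI.

Parses the tool's text report, suppresses findings that a reviewer has accepted
in an explicit allow-list (with a reason and an expiry date), and exits non-zero
only for findings that nobody has reviewed yet.
"""
import re
import sys
from datetime import date

# Constructed sample modelled on the report in the issue. The top-level row
# (Hypothetical.Direct / GHSA-0000-0000-0000) is a placeholder added here to
# exercise the five-column layout; only the System.Net.Http row is from the issue.
SAMPLE_REPORT = """\
Project `MyProject` has the following vulnerable packages
   [net6.0]:
   Top-level Package      Requested   Resolved   Severity   Advisory URL
      > Hypothetical.Direct   2.0.0       2.0.0      Critical   https://github.com/advisories/GHSA-0000-0000-0000

   Transitive Package      Resolved   Severity   Advisory URL
      > System.Net.Http    4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
"""

# Reviewed suppressions (assumed policy). Keyed by advisory ID; a finding is only
# suppressed if the package name matches too and the entry has not expired, so a
# reviewer has to revisit the decision instead of it silently living forever.
ALLOWLIST = {
    "GHSA-7jgj-8wvc-jh57": {
        "packages": {"System.Net.Http"},
        "reason": "Advisory applies to .NET Core 1.x/2.x runtimes; this project targets net6.0",
        "expires": "2024-12-31",
    },
}

PROJECT = re.compile(r"^Project `(?P<name>[^`]+)` has the following vulnerable packages")
FRAMEWORK = re.compile(r"^\s*\[(?P<tfm>[^\]]+)\]:")
SECTION = re.compile(r"^\s*(?P<kind>Top-level|Transitive) Package\b")
# Top-level rows carry Requested and Resolved; transitive rows only Resolved.
ROW = re.compile(
    r"^\s*>\s+(?P<pkg>\S+)\s+(?:(?P<requested>\S+)\s+)?(?P<resolved>\S+)"
    r"\s+(?P<severity>\S+)\s+(?P<url>https?://\S+)"
)


def parse_report(text):
    """Return one dict per vulnerable package row in the report."""
    findings = []
    project = tfm = kind = None
    for line in text.splitlines():
        if m := PROJECT.match(line):
            project = m.group("name")
        elif m := FRAMEWORK.match(line):
            tfm = m.group("tfm")
        elif m := SECTION.match(line):
            kind = m.group("kind")
        elif m := ROW.match(line):
            url = m.group("url")
            findings.append({
                "project": project,
                "framework": tfm,
                "transitive": kind == "Transitive",
                "package": m.group("pkg"),
                "resolved": m.group("resolved"),
                "severity": m.group("severity"),
                "advisory": url.rstrip("/").rsplit("/", 1)[-1],  # GHSA id from the URL
                "url": url,
            })
    return findings


def triage(findings, allowlist, today_iso):
    """Split findings into (unreviewed, suppressed) using the allow-list.

    today_iso is an ISO date string so the expiry check is deterministic in tests.
    """
    today = date.fromisoformat(today_iso)
    unreviewed, suppressed = [], []
    for f in findings:
        entry = allowlist.get(f["advisory"])
        accepted = (
            entry is not None
            and f["package"] in entry["packages"]
            and today <= date.fromisoformat(entry["expires"])
        )
        (suppressed if accepted else unreviewed).append(f)
    return unreviewed, suppressed


def main(argv):
    # Pipe the real report in with `-`; otherwise run on the constructed sample.
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_REPORT
    unreviewed, suppressed = triage(parse_report(text), ALLOWLIST, date.today().isoformat())
    for f in suppressed:
        print(f"suppressed  {f['package']} {f['resolved']} {f['advisory']}: "
              f"{ALLOWLIST[f['advisory']]['reason']}")
    for f in unreviewed:
        scope = "transitive" if f["transitive"] else "direct"
        print(f"UNREVIEWED  {f['package']} {f['resolved']} ({scope}, {f['severity']}) {f['url']}")
    return 1 if unreviewed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `dotnet list package --vulnerable --include-transitive | python triage.py -` in the pipeline; the non-zero exit code is what fails the job. Newer SDKs can emit the report as JSON (`dotnet list package --format json`), which is more robust to parse than the column layout above, and if the transitive version really does need to move, NuGet central package management with `CentralPackageTransitivePinningEnabled` lets a single `Directory.Packages.props` override the resolved version for every project in the tree instead of adding a direct reference to each one.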
Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!
If you believe this issue was closed out of error, please comment to let us know.