[Bug] Security warning/errors when restoring on net9preview

[nickrandolph]

Current behavior

Create new application using any of the template options
Update global.json to allow prerelease versions
Run dotnet restore

C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Expected behavior

No security warnings/errors

How to reproduce it (as minimally and precisely as possible)

No response

Workaround

No response

Works on UWP/WinUI

None

Environment

No response

NuGet package version(s)

No response

Affected platforms

No response

IDE

No response

IDE version

No response

Relevant plugins

No response

Anything else we need to know?

No response

[Youssef1313]

These are false positives from NuGet. NuGet/Home#13622

[Youssef1313]

The possible options:

1. <NuGetAuditMode>direct</NuGetAuditMode>: If we go this way, it should be only during .NET 9 previews. Once stable, we shouldn't do this. I mean, it could just be a temporary easy workaround until we see if NuGet will fix things up on their side.
2. NuGetAuditSuppress MSBuild item: we could do this to specify specific advisories where we are sure it's a false positive.
3. Add direct PackageReference with non-vulnerable versions to silence NuGet warnings.

[Youssef1313]

The NuGet issue will not be fixed in .NET 9 stable

[Youssef1313]

@jeromelaban Do you have a preference on what we should do here?

[jeromelaban]

There's no good way for fixing this. All modes are causing trouble. We'll need to fix this in multiple locations, or workaround in multiple locations and this is going to either be a security risk, or very verbose change to the default templates.

[MrYossu]

.NET9 now in general release and this error swamps the output. I'm getting this...

warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability

What should we do about it? The description for that package on Nuget explicitly says not to reference it directly.

Please advise what we are supposed to do. Thanks.

[jeromelaban]

Please advise what we are supposed to do. Thanks.

At this time, the only possible option is to explicitly install those packages in your app. We're working to determine which dependencies are pulling those references in order to avoid these errors in the templates.

[MrYossu]

@jeromelaban OK, thanks. Just seems wrong to install packages you aren't directly using, especially ones whose descriptions say they aren't meant for direct use, just to avoid spurious warnings.

[jeromelaban]

Looking further into this issue, this is only happening on net8.0*, where Uno depends on the following packages:

• System.Numerics.Vectors
• System.Runtime.InteropServices.WindowsRuntime
• System.Memory
• System.Collections.Immutable

Those dependencies have been removed in Uno for net9.0 where the warnings do not show up anymore. We will not be changing net8.0 dependencies to avoid introducing unnecessary breaking changes.

To fix this behavior, there are three possible paths:

• Update your projects to net9.0
• Force an 8.0.x sdk version in global.json, and disable the version roll forward
• Force an explicit reference to the offending packages to their non-vulnerable versions

Note that the new dotnet nuget why command does not help for some packages like System.Private.Uri because of NuGet/Home#13718.

[MrYossu]

@jeromelaban Sorry to argue, but this is happening to me on a brand new .net9 solution (ie not upgraded from .net8) where there is a dependency on System.Private.Uri

[jeromelaban]

@MrYossu could you provide the settings you used to create your solution? As well as a binlog?

[MrYossu]

@jeromelaban Not sure what you mean by settings, but I just realised why you mentioned Uno earlier. I came to this discussion from Google, and didn't spot that it's on the Uno repo. I had been reading so many on the dotnet repo and thought this was another!

I'm not using Uno, and so my comments here are probably irrelevant. As far as I can see, the problem is an underlying .NET/VS issue, so should be discussed in a repo more relevant.

Sorry for the confusion!

[jeromelaban]

No problem, thanks for the update. You may want to start a discussion with the package owners that you use in your solution.

[DevTKSS]

@jeromelaban I did made just the same (created a new uno app) like he told, after the new .net version came out and got greeted with issues... so when creating that one from scratch new, that issue should not happen? Because I did it with different settings and seems like its mainly the apps with server or mauiembedding choosen on my side.
its the refit and the maui which seems to be pointing to the 9.0-rc instead of 9.0 full release. created with the wizard in vs 2022 community edition
setup: blanc, xaml, mvux, Navigation, configuration, http, server, maui embedded, material, theme, dsp, debugging: default, auth: custom

hope I got all of the config and it will help you

[jeromelaban]

@DevTKSS we're still updating the bits for net9 stable, it should be updated soon.

[DevTKSS]

@jeromelaban thank you 👍 just wanted to make sure you know about them. I am not hurrying. Take the time you need for great things :)