
Syft reports the "minimum required version" of .NET assemblies rather than the "assembly version" #1799

Closed
kaniini opened this issue May 8, 2023 · 1 comment · Fixed by #1943
Labels
bug Something isn't working

Comments

@kaniini

kaniini commented May 8, 2023

What happened:

We have been investigating the appearance of a few GHSA advisories when scanning the cgr.dev/chainguard/dotnet-sdk:7 image. This image contains the .NET 7.0.105 SDK, built and targeted for Wolfi, which is the latest released version.

When scanning this image, we get:

 ✔ Vulnerability DB        [no update available]
 ✔ Parsed image
 ✔ Cataloged packages      [1230 packages]
 ✔ Scanning image...       [6 vulnerabilities]
   ├── 0 critical, 6 high, 0 medium, 0 low, 0 negligible
   └── 6 fixed
NAME                            INSTALLED  FIXED-IN  TYPE    VULNERABILITY        SEVERITY
System.Net.Http                 4.3.0      4.3.4     dotnet  GHSA-7jgj-8wvc-jh57  High
System.Text.RegularExpressions  4.3.0      4.3.1     dotnet  GHSA-cmhx-cq75-c4mj  High

Both of these GHSA vulnerabilities were addressed in 2019.

The 4.3.0 is interesting. Why is that happening? Syft reports that it picked up that errant System.Net.Http assembly from parsing /usr/share/dotnet/sdk/7.0.105/DotnetTools/dotnet-format/dotnet-format.deps.json. But what is the real version of System.Net.Http? For that, we can reach into PowerShell. Yes, I know, forgive me:

PS /> $Assembly = [Reflection.Assembly]::LoadFile("/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.5/System.Net.Http.dll")
PS /> $Assembly.GetName().Version

Major  Minor  Build  Revision
-----  -----  -----  --------
7      0      0      0

As we can see, the version of System.Net.Http that is actually present is 7.0.0.0, not 4.3.0. But what does the 4.3.0 mean? Well, it turns out that the versions in those JSON files are the compatibility versions, or in other words, "I need at least 4.3.0 of this assembly or later."

What you expected to happen:

Syft to report version 7.0.0.0 for the System.Net.Http assembly, not version 4.3.0.

Steps to reproduce the issue:

Run syft on any image containing a .NET SDK.

Anything else we need to know?:

Not really.

Environment:

  • Output of syft version:
Application:        syft
Version:            0.80.0
JsonSchemaVersion:  7.1.5
BuildDate:          [not provided]
GitCommit:          [not provided]
GitDescription:     [not provided]
Platform:           linux/amd64
GoVersion:          go1.20.4
Compiler:           gc
  • OS (e.g: cat /etc/os-release or similar):
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.18_alpha20230329
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
@kaniini kaniini added the bug Something isn't working label May 8, 2023
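To make the distinction in the report concrete, here is an added Python example (not Syft's code and not part of the issue): it reads the "dependencies" lower bounds out of a constructed deps.json in the layout the issue refers to, then compares an advisory's fixed-in version against both that lower bound and the assembly version actually loaded (the 7.0.0.0 from the PowerShell check, supplied here as a constructed inventory). The package names, the fixed-in values and the JSON contents are taken from or modelled on the issue text, not read from a real image.

```python
import json

# Constructed sample in the layout of a .NET deps.json (modelled on the
# dotnet-format.deps.json the issue names; the contents are made up).
SAMPLE_DEPS_JSON = """{
  "targets": {
    ".NETCoreApp,Version=v7.0": {
      "dotnet-format/7.0.0": {
        "dependencies": {
          "System.Net.Http": "4.3.0",
          "System.Text.RegularExpressions": "4.3.0"
        }
      }
    }
  }
}"""

# Constructed inventory of what the shared framework really loads; the
# System.Net.Http value is the 7.0.0.0 the PowerShell check reported.
INSTALLED = {"System.Net.Http": "7.0.0.0", "System.Text.RegularExpressions": "7.0.0.0"}
# Fixed-in versions as listed in the vulnerability table in the issue.
FIXED_IN = {"System.Net.Http": "4.3.4", "System.Text.RegularExpressions": "4.3.1"}


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def declared_minimums(deps_json: str) -> dict[str, str]:
    """Collect 'dependencies' entries: compile-time lower bounds ("at least 4.3.0")."""
    mins: dict[str, str] = {}
    for target in json.loads(deps_json).get("targets", {}).values():
        for lib in target.values():
            mins.update(lib.get("dependencies", {}))
    return mins


def triage(deps_json: str, installed: dict[str, str],
           fixed_in: dict[str, str]) -> list[dict]:
    """Check each advisory against the lower bound and against the assembly
    actually present; a hit only on the lower bound is a false positive."""
    rows = []
    for name, minimum in declared_minimums(deps_json).items():
        if name not in fixed_in:
            continue
        fixed, actual = parse_version(fixed_in[name]), installed.get(name)
        rows.append({
            "name": name, "minimum": minimum, "actual": actual,
            "flagged_by_minimum": parse_version(minimum) < fixed,
            "flagged_by_actual": actual is not None and parse_version(actual) < fixed,
        })
    return rows
```

Running `triage(SAMPLE_DEPS_JSON, INSTALLED, FIXED_IN)` flags both packages on the 4.3.0 lower bound and neither on the 7.0.0.0 assembly that is really present, which is the mismatch the issue describes.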
@kzantow
Contributor

kzantow commented May 25, 2023

Thanks @kaniini -- it looks like you might be right that we're using the NuGet JSON files a bit incorrectly. We'll add this to the backlog to see how it can be improved 👍
