Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0 #104737

Closed
pavelsavara opened this issue Jul 11, 2024 · 9 comments · Fixed by #104751 or #104806
Closed

[browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0 #104737

pavelsavara opened this issue Jul 11, 2024 · 9 comments · Fixed by #104751 or #104806
Assignees
Labels
arch-wasm WebAssembly architecture area-System.Runtime.InteropServices.JavaScript blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' Known Build Error Use this to report build issues in the .NET Helix tab os-browser Browser variant of arch-wasm
Milestone

Comments

@pavelsavara
Copy link
Member

pavelsavara commented Jul 11, 2024

Log

Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser(config: "Debug", transport: "LongPolling") [FAIL]

       []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj (in 9.91 sec).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\BlazorClient\BlazorClient.csproj (in 10.45 sec).
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\WasmBrowserClient\WasmBrowserClient.csproj (in 493 ms).
        [] C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj : error NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w [C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\AspNetCoreServer\AspNetCoreServer.csproj]
        []   Restored C:\helix\work\workitem\e\wbt artifacts\SignalRClientTests_s1zeg3lf_gag\Shared\Shared.csproj (in 5 ms).

Build Information

Build: https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Build error leg or test failing:

Error Message

Fill the error message using step by step known issues guidance.

{
  "ErrorMessage": "NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability",
  "BuildRetry": false,
  "ExcludeConsoleLog": false
}

Known issue validation

Build: 🔎 https://dev.azure.com/dnceng-public/public/_build/results?buildId=737345
Error message validated: [NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability]
Result validation: ✅ Known issue matched with the provided build.
Validation performed at: 7/11/2024 4:23:34 PM UTC

Report

Build Definition Test Pull Request
737660 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104577
736134 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104638
738762 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #103755
738708 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104683
738681 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104437
738661 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution
738535 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104750
738431 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104757
738133 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #103757
738356 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104764
738311 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104760
738295 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104758
738288 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104750
738193 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser
738246 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104753
738220 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104644
737629 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #103755
737568 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #100048
736603 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #104698
737703 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104683
737654 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104701
737354 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #104672
737155 dotnet/runtime Workloads-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #102464
737345 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #104729
737493 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104733
737342 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #100056
737280 dotnet/runtime Wasm.Build.Tests.AspNetCore.SignalRClientTests.SignalRPassMessageWasmBrowser #104730
736235 dotnet/runtime Workloads-NoWebcil-ST-Wasm.Build.Tests.AspNetCore.SignalRClientTests.WorkItemExecution #104685

Summary

24-Hour Hit Count 7-Day Hit Count 1-Month Count
0 27 28
@pavelsavara pavelsavara added arch-wasm WebAssembly architecture blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' area-System.Runtime.InteropServices.JavaScript Known Build Error Use this to report build issues in the .NET Helix tab os-browser Browser variant of arch-wasm labels Jul 11, 2024
@pavelsavara pavelsavara added this to the 9.0.0 milestone Jul 11, 2024
Copy link
Contributor

Tagging subscribers to 'arch-wasm': @lewing
See info in area-owners.md if you want to be subscribed.

@pavelsavara pavelsavara changed the title [browser][WBT] NU1903 - System.Text.Json 8.0.0 [browser][WBT] SignalRPassMessageWasmBrowser - NU1903 - System.Text.Json 8.0.0 Jul 11, 2024
@ViktorHofer
Copy link
Member

ViktorHofer commented Jul 11, 2024

Note that this means that you are using the nuget.org feed somewhere which is unrelated but should be fixed as well. NU1903 is part of the NuGet Audit feature which only works with the nuget.org feed atm.

@ViktorHofer
Copy link
Member

cc @lewing

@ViktorHofer
Copy link
Member

Unfortunately, I don't know how these tests work. Can someone please file an issue for the nuget.org issue?

@pavelsavara pavelsavara reopened this Jul 12, 2024
@ilonatommy
Copy link
Member

In wbt we're populating nuget config here:

File.WriteAllText(Path.Combine(_projectDir, "nuget.config"),

that produces:

  <packageSources>
    <clear />
    <add key="nuget-local" value="C:\Users\user\source\repos\runtime-fork\artifacts\packages\Debug\Shipping\" />
    <add key="dotnet8" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet8/nuget/v3/index.json" />
    <add key="dotnet9" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json" />
    <add key="nuget.org"  value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
  </packageSources>

Do you mean we should remove <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />?

@ViktorHofer
Copy link
Member

Yes. AFAIK using the nuget.org feed in our builds is disallowed for security reasons. cc @mmitche

@ajtruckle
Copy link

ajtruckle commented Jul 16, 2024

image

I can confirm that this package is using version 8.0.0:

  • Microsoft.Exstensions.Configuration.Json.8.0.0

image

When will this be fixed?

@ViktorHofer
Copy link
Member

ViktorHofer commented Jul 16, 2024

Copied from a mail conversation:

.NET's policy is that we do not publish new intermediate packages for the sole purpose of updating a leaf dependency. This is instead an application-level concern. We rely on NuGet functionality to make updating leaf dependencies simple and painless.

We don't yet have that documented but we will follow-up on it.

@ajtruckle
Copy link

@ViktorHofer
I am not knowledgeable with this ..but let me get this in my head?

VS is telling me that this particular NuGet package is using a vulnerable assembly. So why do I have to fix this? Why do I have to manually download another top level dependency for what is currently translative? I don't understand the logic. Surely, something, somewhere is responsible for using a vulnerable version and it should be rectified. No? Otherwise the headache is put on our shoulders and technically, the issue is not with out code but the NuGet packages concerned.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 17, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
arch-wasm WebAssembly architecture area-System.Runtime.InteropServices.JavaScript blocking-clean-ci Blocking PR or rolling runs of 'runtime' or 'runtime-extra-platforms' Known Build Error Use this to report build issues in the .NET Helix tab os-browser Browser variant of arch-wasm
Projects
None yet
4 participants