Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build error with nuget audit #42073

Closed
WeihanLi opened this issue Jul 10, 2024 · 6 comments
Closed

build error with nuget audit #42073

WeihanLi opened this issue Jul 10, 2024 · 6 comments
Labels
Area-NuGet untriaged Request triage from a team member

Comments

@WeihanLi
Copy link
Contributor

WeihanLi commented Jul 10, 2024

Not sure if it's a bug or by design

Got an error when updating to .NET 9 Preview 6, I use <TreatWarningsAsErrors>true</TreatWarningsAsErrors> for my project

error NU1903: Warning As Error: Package 'System.Formats.Asn1' 6.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm

While I do not have a direct dependency on this package reference

my project is here:
https://github.com/WeihanLi/dotnet-exec/blob/61089e6cba8faa823c57654e321dedc6870a6ba1/src/ReferenceResolver/ReferenceResolver.csproj

Is this new behavior for transitive dependency? Is there a feature switch to disable?
Should I add the package dependency to override the version with vulnerability to fix this?
While I do not want to have this dependency maintained in my project, it may cause conflict when upgrading dependencies and may be confusing for the downstream users.

@dotnet-issue-labeler dotnet-issue-labeler bot added Area-NuGet untriaged Request triage from a team member labels Jul 10, 2024
@airzym
Copy link

airzym commented Jul 11, 2024

I'm also running into a similar issue.

The issue for the CVE states that the fix should be to update the SDK and runtime. However despite updating the SDK this hasn't resolved the issue for myself.

Im building my solution using SDK 8.0.7, and my vulnerability scanning is still flagging the following:

pkg:nuget/System.Formats.Asn1@8.0.0.0 (CVE-2024-38095)

I can see in the deps.json file the following:

"System.Formats.Asn1": "8.0.0.0"

Copy link
Contributor

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

@WeihanLi
Copy link
Contributor Author

WeihanLi commented Jul 11, 2024

Could we transfer the issue to nuget instead of just closing

@baronfel
Copy link
Member

not easily, no - the NuGet repos are on a different GitHub organization, and GitHub only allows transfers across organizations.

@filzrev
Copy link

filzrev commented Jul 12, 2024

Is there a feature switch to disable?

On TreatWarningsAsErrors enabled environment.
It can be suppressed by adding following setting.

<WarningsNotAsErrors>$(WarningsNotAsErrors);NU1903</WarningsNotAsErrors>

I've confirmed dependencies with following command.

dotnet nuget why ReferenceResolver.csproj System.Formats.Asn1

And gets following results.

  [net6.0]
  [net8.0]
   │
   └─ NuGet.Protocol (v6.10.1)
      └─ NuGet.Packaging (v6.10.1)
         └─ System.Security.Cryptography.Pkcs (v6.0.4)
            └─ System.Formats.Asn1 (v6.0.0)

It seems transitive package reference is coming from System.Security.Cryptography.Pkcs (v6.0.4) package.
Until this package is updated.
It needs explicitly override System.Formats.Asn1 version. or need to suppress NU1903 warning.

@filzrev
Copy link

filzrev commented Jul 12, 2024

Is this new behavior for transitive dependency? Is there a feature switch to disable?

I've found document about behavior changes on .NET 9 Preview 6 release note.
https://github.com/dotnet/core/blob/main/release-notes/9.0/preview/preview6/sdk.md#nugetaudit-now-raises-warnings-for-vulnerabilities-in-transitive-dependencies

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area-NuGet untriaged Request triage from a team member
Projects
None yet
Development

No branches or pull requests

4 participants