We run dotnet list <Solution>.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json
nightly on our CI server to check whether we have a dependency on any vulnerable packages.
As of last Tuesday, this fails due to CVE-2024-30105 and CVE-2024-38095.
Both of the vulnerable libraries (System.Text.Json and System.Formats.Asn1) are runtime libraries, so we don't explicitly reference them as a NuGet package. In fact we don't even use System.Formats.Asn1 at all (its usage appears to be transitive via Microsoft.Extensions.Configuration.Xml).
I was under the impression that all we had to do was to update the runtime on our CI server and instruct our customer to do the same on their machines.
So we did the former but we still get
Project `------------------` has the following vulnerable packages
[net8.0]:
Transitive Package Resolved Severity Advisory URL
> System.Formats.Asn1 8.0.0 High https://github.com/advisories/GHSA-447r-wph3-92pm
Why is it still resolving to 8.0.0 when dotnet --version gives me 8.0.303, which according to the release notes for 8.0.7 (SDK 8.0.303) includes fixes for both vulnerabilities?
What am I doing wrong? What am I (still :'( ) not understanding about .NET dependencies??!
Side note: we do use a global.json, but with rollForward set to latestMinor.
Maybe this is just a tooling issue: possibly related issue on GitHub?
I think you are tricked by the fact that 8.0.0 here isn't the .NET SDK version. I.e., it isn't supposed to be 8.0.303.
If you haven't already, take a look here: https://www.nuget.org/packages/System.Formats.Asn1/8.0.1
To mitigate this you could add the package dependency explicitly. I would also add a comment explaining why it is there, as a reminder to remove it when possible.
<ItemGroup>
  <!-- System.Formats.Asn1 is added to mitigate vulnerability. -->
  <!-- Remove as soon as Microsoft.EntityFrameworkCore.SqlServer no longer depends on vulnerable version -->
  <PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
</ItemGroup>
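The version the report shows is the NuGet package version NuGet resolved into the restore graph, not the SDK or shared-framework version; patching the runtime on the build machine does not change what restore writes into the graph, which is why the nightly job keeps failing until the graph itself pulls a fixed package (as the answer above suggests, by adding the explicit reference). The following is an added example, not code from the question or the answer: a small CI gate that parses the plain-text output of `dotnet list package --vulnerable --include-transitive` (the table shape quoted in the question, with top-level and transitive sections), collects each finding, and fails the build when anything at or above a chosen severity is present. The sample report embedded in the script is constructed for the example; the advisory URL for System.Formats.Asn1 is the one quoted in the question, the other URL is a placeholder.

```python
"""CI gate for `dotnet list package --vulnerable --include-transitive` text output.

Added example, not part of the original question or answer. Usage:
    dotnet list MySolution.sln package --vulnerable --include-transitive \
        | python vuln_gate.py
Exits 1 when a finding at or above MIN_SEVERITY is present.
"""
import re
import sys
from dataclasses import dataclass

# Severity names as printed by `dotnet list package`, ranked for thresholding.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
MIN_SEVERITY = "High"


@dataclass(frozen=True)
class Finding:
    project: str
    framework: str
    package: str
    resolved: str
    severity: str
    advisory: str
    transitive: bool


PROJECT_RE = re.compile(r"^Project `(.+?)` has the following vulnerable packages")
FRAMEWORK_RE = re.compile(r"^\s*\[(.+?)\]:")
HEADER_RE = re.compile(r"^\s*(Top-level|Transitive) Package\b")


def parse_vulnerable_report(text: str) -> list[Finding]:
    """Turn the report into Findings, keeping project/framework/section context."""
    findings: list[Finding] = []
    project = framework = ""
    transitive = False
    for line in text.splitlines():
        if m := PROJECT_RE.match(line):
            project = m.group(1)
            continue
        if m := FRAMEWORK_RE.match(line):
            framework = m.group(1)
            continue
        if m := HEADER_RE.match(line):
            # Each table is headed by either "Top-level Package" or "Transitive Package".
            transitive = m.group(1) == "Transitive"
            continue
        row = line.strip()
        if not row.startswith(">"):
            continue
        cols = row[1:].split()
        # Top-level rows: name requested resolved severity url (5 columns).
        # Transitive rows: name resolved severity url (4 columns).
        # Reading from the right keeps both shapes on one code path.
        if len(cols) < 4:
            continue
        findings.append(Finding(
            project=project,
            framework=framework,
            package=cols[0],
            resolved=cols[-3],
            severity=cols[-2],
            advisory=cols[-1],
            transitive=transitive,
        ))
    return findings


def should_fail(findings: list[Finding], min_severity: str = MIN_SEVERITY) -> bool:
    """True when any finding is at or above the threshold severity."""
    threshold = SEVERITY_RANK[min_severity]
    return any(SEVERITY_RANK.get(f.severity, 0) >= threshold for f in findings)


# Constructed sample mirroring the report layout quoted in the question.
# The System.Formats.Asn1 row uses the advisory URL from the question; the
# top-level row is a placeholder package and URL, present only to show the
# five-column shape and the severity threshold.
SAMPLE_REPORT = """\
The following sources were used:
   https://api.nuget.org/v3/index.json

Project `MyApp` has the following vulnerable packages
   [net8.0]:
   Top-level Package         Requested   Resolved   Severity   Advisory URL
   > Example.Placeholder     1.0.0       1.0.0      Moderate   https://example.invalid/advisory/placeholder

   [net8.0]:
   Transitive Package        Resolved   Severity   Advisory URL
   > System.Formats.Asn1     8.0.0      High       https://github.com/advisories/GHSA-447r-wph3-92pm
"""


if __name__ == "__main__":
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    found = parse_vulnerable_report(report)
    for f in found:
        kind = "transitive" if f.transitive else "top-level"
        print(f"{f.project} [{f.framework}] {f.package} {f.resolved} "
              f"{f.severity} ({kind}) {f.advisory}")
    sys.exit(1 if should_fail(found) else 0)
```

The parser reads columns from the right because the top-level table has one more column (Requested) than the transitive table; the severity and advisory URL are always the last two tokens. Keep the threshold at High or above to match the question's failure, or lower it to Moderate if the team wants every advisory to block.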