
No way to detect vulnerabilities in .NET Tool packages since dependencies are not listed #13916

Open
mareek opened this issue Nov 11, 2024 · 4 comments

Comments

@mareek
mareek commented Nov 11, 2024

NuGet Product Used

dotnet.exe

Product Version

8.0.403

Worked before?

I don't think that it has worked before as no .NET Tool seems to have dependency on nuget.org

Impact

It bothers me. A fix would be nice

Repro Steps & Context

  1. Create a new .NET Console project
  2. Add a reference to System.Text.Json
  3. Add a PackageId element to the csproj. The csproj should look like this:
<Project Sdk="Microsoft.NET.Sdk">
	<PropertyGroup>
		<OutputType>Exe</OutputType>
		<TargetFramework>net8.0</TargetFramework>
		<ImplicitUsings>enable</ImplicitUsings>

		<PackageId>HelloTool</PackageId>
	</PropertyGroup>

	<ItemGroup>
		<PackageReference Include="System.Text.Json" Version="8.0.5" />
	</ItemGroup>
</Project>
  4. Run dotnet pack

The resulting .nupkg lists System.Text.Json as a dependency

  5. Add <PackAsTool>true</PackAsTool> to the <PropertyGroup> element in the .csproj. The csproj should look like this:
<Project Sdk="Microsoft.NET.Sdk">
	<PropertyGroup>
		<OutputType>Exe</OutputType>
		<TargetFramework>net8.0</TargetFramework>
		<ImplicitUsings>enable</ImplicitUsings>

		<PackageId>HelloTool</PackageId>
		<PackAsTool>true</PackAsTool>
	</PropertyGroup>

	<ItemGroup>
		<PackageReference Include="System.Text.Json" Version="8.0.5" />
	</ItemGroup>
</Project>
  6. Run dotnet pack

The resulting .nupkg doesn't contain any dependencies

Verbose Logs

No response

@jebriede
Contributor

Thanks for the detailed repro. I was able to reproduce the issue as described.

@zivkan
Member

zivkan commented Nov 14, 2024

This is by design. Tool packages are self-contained.

I feel like this issue is likely an XY-Problem. @mareek, what problem do you believe tool packages having dependencies will solve?

@zivkan zivkan added the WaitingForCustomer Applied when a NuGet triage person needs more info from the OP label Nov 14, 2024
@mareek
Author

mareek commented Nov 16, 2024

At my company we have a policy to periodically check the nuget packages we use and their dependencies for security vulnerabilities. We wanted to extend that policy to the .NET Tools we use but we discovered that their dependencies are not listed.

Having the list of dependencies of .NET Tools would allow us to scan for security vulnerabilities
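
mareek's point is that a tool package's .nuspec carries no dependency list, so a scanner reading the manifest sees nothing. As an added example (not code from this issue or from NuGet), the script below assumes the tool package still ships the SDK-generated HelloTool.deps.json under tools/<tfm>/any/ and shows that the package ids and versions a vulnerability check needs can be recovered from that file instead; the .nupkg, .nuspec and .deps.json contents are constructed samples.

```python
import io, json, zipfile
from xml.etree import ElementTree as ET

# Constructed sample .nuspec: a DotnetTool package with no <dependencies> element,
# which is what `dotnet pack` produces for the PackAsTool project in the repro.
SAMPLE_NUSPEC = """<?xml version="1.0" encoding="utf-8"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>HelloTool</id><version>1.0.0</version>
    <packageTypes><packageType name="DotnetTool" /></packageTypes>
  </metadata>
</package>"""

# Constructed sample of the runtime manifest the SDK writes beside the tool assembly
# (assumption: packed under tools/<tfm>/any/). The sha512 value is a placeholder.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
    "targets": {".NETCoreApp,Version=v8.0": {
        "HelloTool/1.0.0": {"dependencies": {"System.Text.Json": "8.0.5"}, "runtime": {"HelloTool.dll": {}}},
        "System.Text.Json/8.0.5": {"runtime": {"lib/net8.0/System.Text.Json.dll": {}}}}},
    "libraries": {
        "HelloTool/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "System.Text.Json/8.0.5": {"type": "package", "serviceable": True,
                                   "sha512": "sha512-PLACEHOLDER", "path": "system.text.json/8.0.5"}}})

def build_sample_nupkg() -> bytes:
    """Assemble an in-memory .nupkg (a plain zip) holding the two constructed files above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("HelloTool.nuspec", SAMPLE_NUSPEC)
        z.writestr("tools/net8.0/any/HelloTool.deps.json", SAMPLE_DEPS_JSON)
    return buf.getvalue()

def nuspec_dependencies(nupkg: bytes) -> list[tuple[str, str]]:
    """What a nuspec-based scanner sees: every <dependency id= version=> in the manifest."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        name = next(n for n in z.namelist() if n.endswith(".nuspec"))
        root = ET.fromstring(z.read(name))
    # Element tags are namespaced ("{...}dependency"), so match on the local name only.
    return [(el.get("id"), el.get("version")) for el in root.iter() if el.tag.endswith("}dependency")]

def deps_json_packages(nupkg: bytes) -> dict[str, str]:
    """Package ids and versions recoverable from the 'libraries' section of the tool's .deps.json."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as z:
        name = next(n for n in z.namelist() if n.endswith(".deps.json"))
        libraries = json.loads(z.read(name)).get("libraries", {})
    # Keys look like "System.Text.Json/8.0.5"; keep NuGet packages only, not the project itself.
    return {k.split("/", 1)[0]: k.split("/", 1)[1] for k, lib in libraries.items() if lib.get("type") == "package"}
```

On a real package, pass the bytes of the downloaded .nupkg instead of build_sample_nupkg(); the ids and versions returned by deps_json_packages can then be fed to the same vulnerability check used for ordinary package references.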

@microsoft-github-policy-service microsoft-github-policy-service bot added WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. and removed WaitingForCustomer Applied when a NuGet triage person needs more info from the OP labels Nov 16, 2024
@jeffkl jeffkl added Triage:NeedsTriageDiscussion and removed WaitingForClientTeam Customer replied, needs attention from client team. Do not apply this label manually. labels Nov 25, 2024
@nkolev92 nkolev92 changed the title Dependencies are not listed .NET Tool packages No way to detect vulnerabilities in .NET Tool packages since dependencies are not listed Nov 25, 2024
@nkolev92
Member

The long term solution here is SBOMs.
We'll track this as part of this epic: #12497.

@nkolev92 nkolev92 added the Priority:2 Issues for the current backlog. label Nov 25, 2024

5 participants