This issue was moved to a discussion.

NET6 CVE-2019-0980 CVE-2019-0981 - possible bug in .deps.json trans deps resolution #2706

Closed
jkone27 opened this issue Aug 15, 2022 · 44 comments

@jkone27

jkone27 commented Aug 15, 2022

Hi,

We are running NET6 images, but we get this 2019 vulnerability reported when running our trivy scans.

Is this actually expected, or could it be a false positive?

atm we added

CVE-2019-0980
CVE-2019-0981

but we cannot detect the source of the vulnerability after we updated all our packages

System.Private.Uri │ CVE-2019-0980 │ HIGH     │ 4.3.0             │ 4.3.2   

i am not sure we actually use this package, i see it not appearing at all after running

dotnet build
and then
dotnet publish
and checking the .deps.json file

i think the recently introduced support for .deps.json might be buggy?

image

@jkone27 jkone27 added the triage/support Indicates an issue that is a support question. label Aug 15, 2022
@jkone27
Author

jkone27 commented Aug 15, 2022

dotnet list package --include-transitive 

   > System.Numerics.Vectors                                                            4.5.0   
   > System.ObjectModel                                                                 4.3.0   
   > System.Private.DataContractSerialization                                           4.3.0   
   > System.Private.Uri                                                                 4.3.2   
   > System.Reflection                                                                  4.3.0   
   > System.Reflection.Emit                                                             4.3.0   
   > System.Reflection.Emit.ILGeneration                                                4.3.0

so seems we already run the latest System.Private.Uri: 4.3.2, so it's kind of weird.

Could you provide a trivy switch for selecting e.g. only NET6? Maybe some scans are running for other deployment targets that we don't run in production?

@JoostvdB94

We have the same issue. Is there a way to exclude all packages that use the installed runtime (and thus are not really packages)?

@jkone27
Author

jkone27 commented Sep 13, 2022

pls if you also experience a similar issue add a 👍 on top!

@plaisted

plaisted commented Oct 1, 2022

I agree, the method of scanning deps.json for vulnerabilities is not valid, or at least needs some tweaking. We're using the latest versions of System.Private.Uri included with .net 6 but aqua is flagging these containers as vulnerable:

/app $ cat <redacted>.deps.json | grep Uri
          "System.Private.Uri": "4.3.0"
      "runtime.unix.System.Private.Uri/4.3.0": {
          "System.Private.Uri": "4.3.0",
      "System.Private.Uri/4.3.0": {
          "runtime.unix.System.Private.Uri": "4.3.0"
    "runtime.unix.System.Private.Uri/4.3.0": {
    "System.Private.Uri/4.3.0": {

/app $ find / -name "*Uri*"
/usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.9/System.Private.Uri.dll

/app $ exiftool /usr/share/dotnet/shared/Microsoft.NETCore.App/6.0.9/System.Private.Uri.dll | grep -w Version
ExifTool Version Number         : 12.40
Linker Version                  : 11.0
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
File Version Number             : 6.0.922.41905
Product Version Number          : 0.0.0.0
File Version                    : 6.0.922.41905
Product Version                 : 6.0.9-servicing.22419.5+163a63591cf9e9b682063cf3995948c2b885a042
Assembly Version                : 6.0.0.0

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 3, 2022

Hello @jkone27 , @JoostvdB94
Thanks for your reports!

@jkone27 I looked at your screenshot - if I understand correctly, this *.deps.json file doesn't contain System.Private.Uri, right?
This is very strange... Can you use --format json --list-all-pkgs flags and scan again?
You can see filepath in Target field. e.g.:

trivy -d image -f json --list-all-pkgs -o result.json mcr.microsoft.com/dotnet/sdk
...
    {
      "Target": "usr/share/dotnet/sdk/6.0.402/Microsoft.TestPlatform.PlatformAbstractions.deps.json",
      "Class": "lang-pkgs",
      "Type": "dotnet-core",
      "Packages": [
        {
          "Name": "Microsoft.CodeAnalysis.PublicApiAnalyzers",
          "Version": "3.3.4-beta1.21554.2",
          "Layer": {
            "DiffID": "sha256:299937ab7d353b110721d6c2a7a0ea9943290e18a6899aaf43f197458e1785f9"
          }
        },
...

Perhaps another *deps.json file contains System.Private.Uri.


@plaisted your <redacted>.deps.json contains "System.Private.Uri": "4.3.0". If I understand correctly, it is not the latest version (https://www.nuget.org/packages/System.Private.Uri).
CVE-2019-0980 and CVE-2019-0981 have fixed version == "4.3.2".
It looks like Trivy works correctly.


Tell me if i am wrong (I don't write in c# and I might be missing something)
I also tried to find information about changes in *deps.json files in NET 6, but couldn't find it.
Please tell me if there are differences in deps.json for NET 5 and NET 6.


Best Regards, Dmitiry

@plaisted

plaisted commented Nov 3, 2022

@DmitriyLewen
My example clearly shows that the container is using version 6.0.922.41905 of System.Private.Uri, not 4.3.0. Just because a version is in the .deps.json does not mean it is the version actually in use. The *.deps.json method used by trivy may work for directly referenced packages but can't be used universally for everything in the *.deps.json. I am not familiar enough to suggest how this should work but the existing approach is definitely incorrect.

@pmuzyka-travix

@DmitriyLewen - @jkone27 's situation is actually quite similar to what @plaisted described. In his code he already uses the latest version of System.Private.Uri, not 4.3.0. The 4.3.0 is coming from .deps.json due to the transitive dependency.

+1 to what @plaisted wrote, it would possibly be better if trivy did filter out results coming from .deps.json inclusion to return the results tied to directly referenced packages.

@DmitriyLewen
Contributor

Okay, thanks! I understand what you meant.

But what confuses me is that the *deps.json file does not include System.Private.Uri 6.0.922.41905.
Looks like NET6 includes this package as system and doesn't include this package to *.deps.json.
If it is true:
I am not sure if NET6 overwrite system packages from other dependencies.
i mean:
NET6 contains System.Private.Uri 6.0.922.41905
examplePackage uses System.Private.Uri 4.3
in this case: i am not sure if System.Private.Uri from examplePackage will be overwritten to 6.0.922.41905.
If examplePackage will still use System.Private.Uri 4.3 then examplePackage is vulnerable, because the wrong System.Private.Uri 4.3 package is used.

@pmuzyka-travix @plaisted What do you think about this?

@plaisted

plaisted commented Nov 7, 2022

@DmitriyLewen I don't know enough about the deps.json to suggest the best way to do this. You would need to get feedback from someone on the dotnet team.

A potential improvement to the current approach would be to check if the file exists in the same folder as the deps.json file. That would let you know the file is being provided by the app instead of the runtime (although not foolproof as the loading behavior can be customized). I did experiment and published the same app using a self-contained deployment; the assembly version of System.Private.Uri in the deps.json file was set to 6.0.0.0 and the file version to 6.0.422.16404, so it appears that it will show the correct version if it is including it in the deployment. For assemblies the runtime is supposed to provide (non self-contained) it must put the lowest compatible version or something similar into the deps.json, which is what is triggering the false positive from aqua.

I also noticed it tags a fileVersion to anything it includes under the targets section of the deps.json so that may be able to be used to filter out assemblies provided by the runtime (if no fileVersion given) and shouldn't be included in scans (assuming aqua validates the runtime version has no vulns).

@JoostvdB94

There is a vulnerability reported by Microsoft (that is also discovered by Trivy) that explains how to detect if you need to update a transitive dependency:

https://github.com/advisories/GHSA-8g2p-5pqh-5jmc#:~:text=Discovering%20and%20fixing,the%20transitive%20dependency.

@DmitriyLewen
Contributor

Thanks a look @JoostvdB94
I will check this.

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 11, 2022

Thanks @JoostvdB94 for this link.
I investigated this and i have some thoughts:
Perhaps your projects have multiple (more than one) dependencies with System.Private.Uri transitive dependency.
for example:
pkgA -> System.Private.Uri v4.3.0
pkgB -> System.Private.Uri v6.0.0
We think that NET 6 uses System.Private.Uri from pkgB but it uses lower version from pkgA (https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#lowest-applicable-version).

@plaisted can i ask you to send me both of your test *.deps.json files?
Also can you enable lock file and send me both lock files?(https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-the-lock-file)
I want to explore these files. It will help me a lot.

@JoostvdB94

JoostvdB94 commented Nov 11, 2022

Hey @DmitriyLewen thank you for investigating this.

I enabled the lock file and did not find any reference to System.Private.Uri. I did however find out that, although my application targets net6.0, it resolved the Microsoft.NETCore.App to 1.1.2 in the lockfile.

"Microsoft.NETCore.App": {
    "type": "Transitive",
    "resolved": "1.1.2",
    "contentHash": "fcN0Ob6rjY7Zu0770cA5l9wRJvj7+ltJPPdryUidejkkhao+y2AYrtezBTlP9nCSFXLmYR9BtaknORT17x8reA==",
    "dependencies": {...}
}

Microsoft.NETCore.App=1.1.2 was a dependency of another package:

"JsonDiffPatch": {
    "type": "Transitive",
    "resolved": "2.0.61",
    "contentHash": "nZ4QtcU3jR+CBT69qcJBvCcWi5uKgPRrrvSMm4V8Z76ljJ/MFo1P55qXk/nQY0q0WC4v94m5qH4SDhovFfci+Q==",
    "dependencies": {
      "Microsoft.NETCore.App": "1.1.2",
      "Newtonsoft.Json": "10.0.3"
    }
},

When I build normally there is no System.Private.Uri.dll inside the output bin-folder. So I assume it uses the one that is installed globally on my machine.
However, when using a self-contained build (where all runtime dll's are included in the build result) I do see a System.Private.Uri file in the build output folder. That seems to be the 6.0.11 version.
image

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 11, 2022

hello @JoostvdB94
Thanks for your information

What about *.deps.json file?
Does it contain System.Private.Uri?
If yes, what version is used?

summary:

| build type | *deps.json contains System.Private.Uri | lock file contains System.Private.Uri | app folder contains System.Private.Uri.dll |
|---|---|---|---|
| normal | + | - | - |
| self-contained | + | - | + |

Is this summary right?

@JoostvdB94

That's correct. It appears multiple times (in a self contained build output)

I've tried to isolate the JSON structure that's relevant. These are all occurrences of the search (search term was Private.Uri)

{
    "targets": {
        ".NETCoreApp,Version=v6.0": {
            "runtime.any.System.Runtime/4.3.0": {
                "dependencies": {
                    "System.Private.Uri": "4.3.0"
                }
            },
            "runtime.unix.System.Private.Uri/4.3.0": {
                "dependencies": {
                    "runtime.native.System": "4.3.0"
                }
            },
            "runtime.unix.System.Runtime.Extensions/4.3.0": {
                "dependencies": {
                    "System.Private.Uri": "4.3.0",
                    "runtime.native.System": "4.3.0",
                    "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2"
                }
            },
            "System.Private.Uri/4.3.0": {
                "dependencies": {
                    "Microsoft.NETCore.Platforms": "5.0.0",
                    "Microsoft.NETCore.Targets": "1.1.3",
                    "runtime.unix.System.Private.Uri": "4.3.0"
                }
            }
        },
        ".NETCoreApp,Version=v6.0/alpine-x64": {
            "runtimepack.Microsoft.NETCore.App.Runtime.linux-musl-x64/6.0.11": {
                "runtime": {
                    "System.Private.Uri.dll": {
                        "assemblyVersion": "6.0.0.0",
                        "fileVersion": "6.0.1122.52304"
                    }
                }
            },
            "runtime.any.System.Runtime/4.3.0": {
                "dependencies": {
                  "System.Private.Uri": "4.3.0"
                }
            },
            "runtime.unix.System.Private.Uri/4.3.0": {
                "dependencies": {
                  "runtime.native.System": "4.3.0"
                }
            },
            "runtime.unix.System.Runtime.Extensions/4.3.0": {
                "dependencies": {
                  "System.Private.Uri": "4.3.0",
                  "runtime.native.System": "4.3.0",
                  "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2"
                }
            },
            "System.Private.Uri/4.3.0": {
                "dependencies": {
                  "Microsoft.NETCore.Platforms": "5.0.0",
                  "Microsoft.NETCore.Targets": "1.1.3",
                  "runtime.unix.System.Private.Uri": "4.3.0"
                }
            }
        }
    },
    "libraries": {
        "runtime.unix.System.Private.Uri/4.3.0": {
            "type": "package",
            "serviceable": true,
            "sha512": "sha512-ooWzobr5RAq34r9uan1r/WPXJYG1XWy9KanrxNvEnBzbFdQbMG7Y3bVi4QxR7xZMNLOxLLTAyXvnSkfj5boZSg==",
            "path": "runtime.unix.system.private.uri/4.3.0",
            "hashPath": "runtime.unix.system.private.uri.4.3.0.nupkg.sha512"
        },
        "System.Private.Uri/4.3.0": {
            "type": "package",
            "serviceable": true,
            "sha512": "sha512-I4SwANiUGho1esj4V4oSlPllXjzCZDE+5XXso2P03LW2vOda2Enzh8DWOxwN6hnrJyp314c7KuVu31QYhRzOGg==",
            "path": "system.private.uri/4.3.0",
            "hashPath": "system.private.uri.4.3.0.nupkg.sha512"
        }
    }
}

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 11, 2022

Very strange that the lock file does not contain System.Private.Uri
It also doesn't have runtime.any.System.Runtime and runtime.unix.System.Runtime.Extensions?

UPD:
i installed dotnet add package runtime.unix.System.Runtime.Extensions --version 4.3.1 in my helloWorld project and lock file contains System.Private.Uri

UPD2:
I also see some pattern - perhaps the version from System.Private.Uri.dll is the NetCore version, not System.Private.Uri version.

@JoostvdB94

The package.lock.json does contain "System.Runtime.Extensions": "4.3.0"
It does not contain runtime.any.System.Runtime or runtime.unix.System.Runtime.Extensions or System.Private.Uri

@JoostvdB94

I also see some pattern - perhaps the version from System.Private.Uri.dll is the NetCore version, not System.Private.Uri version.

I believe that is true. System.Private.Uri is part of the NetCore runtime (thus the same version as NetCore?)

@DmitriyLewen
Contributor

The package.lock.json does contain "System.Runtime.Extensions": "4.3.0"
It does not contain runtime.any.System.Runtime or runtime.unix.System.Runtime.Extensions or System.Private.Uri

Hm...
NET creates *.dll files (for these dependencies), so App uses these files.
But lock file doesn't have these dependencies, which means App does not use them.
It doesn't make sense... or we're missing something.

@JoostvdB94

JoostvdB94 commented Nov 11, 2022

I think the lock file only specifies which packages it uses. Technically, the System.Private.Uri is not a package, as it is part of the dotnet runtime. That is why the .dll is present in self-contained builds, where the runtime does not need to be installed on the system that the app is running on, but the dll is missing in regular builds where the runtime needs to be installed on the system running the app.

In my opinion, we should treat both separately:

  • Scan for vulnerabilities in packages
  • Scan for vulnerabilities in the targeted framework version

The question then is: How would we separate those 2 checks?

@JoostvdB94

The question then is: How would we separate those 2 checks?

As @plaisted mentioned: Maybe the solution to this is to indeed scan versions based on files included. This would work for both self-contained builds and the packages-only for regular builds:

I also noticed it tags a fileVersion to anything it includes under the targets section of the deps.json so that may be able to be used to filter out assemblies provided by the runtime (if no fileVersion given) and shouldn't be included in scans (assuming aqua validates the runtime version has no vulns).

For regular builds, we would need to check the files without a fileversion in order to include the vulnerabilities present in the runtime

@plaisted

plaisted commented Nov 11, 2022

Very strange that the lock file does not contain System.Private.Uri It also doesn't have runtime.any.System.Runtime and runtime.unix.System.Runtime.Extensions?

UPD: i installed dotnet add package runtime.unix.System.Runtime.Extensions --version 4.3.1 in my helloWorld project and lock file contains System.Private.Uri

UPD2: I also see some pattern - perhaps the version from System.Private.Uri.dll is the NetCore version, not System.Private.Uri version.

  1. The lock file is for direct / transitive package dependencies. System.Private.Uri is part of the runtime not a direct / transitive dependency. It does not have to be referenced in a project to be used. edit: it appears that this is incorrect and the lock file does include the runtime packages under some circumstances, see @DmitriyLewen comments below

  2. You shouldn't add those packages (including System.Private.Uri) to a project. Going to nuget we see the description of the package is Internal implementation package not meant for direct consumption. Please do not reference directly. Provides implementation of System.Uri.

  3. The core of the issue is the .deps.json does not universally tell you what version is in the container or what version will be used when the app is executed but trivy is treating it that way. dotnet uses a combination of the .deps.json and what assemblies are available to determine what is actually used. You can validate this by modifying values in the .deps.json to non-existent versions (or even deleting the file) and the app will usually run fine. The current behavior is to add in version 4.3.0 to the deps.json for the dependencies included by the dotnet runtime for --self-contained false published apps but I don't see that documented anywhere and may change. As I mentioned before an improvement would be to only look at data in the deps.json that has a fileVersion but I wasn't able to find documentation on when / why that is provided so may change as well.

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 14, 2022

Scan for vulnerabilities in the targeted framework version

I am not sure that is possible, because GitHub Advisory database uses package version(not framework version) in advisories.
e.g.
System.Private.Uri for CVE-2019-0980
Microsoft.Data.SqlClient and System.Data.SqlClient for CVE-2022-41064

As I mentioned before an improvement would be to only look at data in the deps.json that has a fileVersion but I wasn't able to find documentation on when / why that is provided so may change as well.

It looks like this is the only possible way.
I will create test PR with these changes.


I have installed several popular nuget packages, but my *deps.json file does not contain system/runtime packages.
@JoostvdB94 @plaisted If you have ability, can you play with your projects and try to find package that adds System.Private.Uri.

@DmitriyLewen
Contributor

DmitriyLewen commented Nov 14, 2022

I'm starting to work with the changes and found a problem:
we will skip some of the dependencies from the libraries field.
This is bad - because users will ask: why Nuget includes these dependencies, but Trivy does not include them.
Also dependency name may not be the same as the name of the dll
e.g.

 "runtimepack.Microsoft.NETCore.App.Runtime.linux-musl-x64/6.0.11": {
                "runtime": {
                    "System.Private.Uri.dll": {
                        "assemblyVersion": "6.0.0.0",
                        "fileVersion": "6.0.1122.52304"
                    }
                }
            },

Or there are 2 dlls:

"Google.Apis.Auth/1.48.0": {
        "dependencies": {
          "Google.Apis": "1.48.0",
          "Google.Apis.Core": "1.48.0"
        },
        "runtime": {
          "lib/netstandard2.0/Google.Apis.Auth.PlatformServices.dll": {
            "assemblyVersion": "1.48.0.0",
            "fileVersion": "1.48.0.0"
          },
          "lib/netstandard2.0/Google.Apis.Auth.dll": {
            "assemblyVersion": "1.48.0.0",
            "fileVersion": "1.48.0.0"
          }
        }
      },
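
Added example, not part of the thread and not Trivy's code: a triage helper for the heuristic discussed above (plaisted's `fileVersion` idea and the follow-up about DLL names that differ from the package name, or several DLLs per package). It splits deps.json entries into those that ship a versioned runtime asset and those that are only declared. The embedded deps.json and package list are constructed from fragments quoted in this thread, the status labels are made up for this sketch, and, as noted in the thread, when `fileVersion` is written is not documented.

```python
import json
from collections import defaultdict

# Constructed sample: a trimmed self-contained deps.json assembled from the
# fragments quoted in this thread (not a complete real file).
SAMPLE_DEPS_JSON = """
{
  "targets": {
    ".NETCoreApp,Version=v6.0/alpine-x64": {
      "runtimepack.Microsoft.NETCore.App.Runtime.linux-musl-x64/6.0.11": {
        "runtime": {
          "System.Private.Uri.dll": {
            "assemblyVersion": "6.0.0.0",
            "fileVersion": "6.0.1122.52304"
          }
        }
      },
      "System.Private.Uri/4.3.0": {
        "dependencies": {"runtime.unix.System.Private.Uri": "4.3.0"}
      },
      "runtime.unix.System.Private.Uri/4.3.0": {
        "dependencies": {"runtime.native.System": "4.3.0"}
      },
      "Google.Apis.Auth/1.48.0": {
        "dependencies": {"Google.Apis": "1.48.0", "Google.Apis.Core": "1.48.0"},
        "runtime": {
          "lib/netstandard2.0/Google.Apis.Auth.PlatformServices.dll": {
            "assemblyVersion": "1.48.0.0", "fileVersion": "1.48.0.0"
          },
          "lib/netstandard2.0/Google.Apis.Auth.dll": {
            "assemblyVersion": "1.48.0.0", "fileVersion": "1.48.0.0"
          }
        }
      }
    }
  }
}
"""

# Constructed input: name/version pairs a scanner would read from deps.json.
SAMPLE_PACKAGES = [
    ("System.Private.Uri", "4.3.0"),
    ("Google.Apis.Auth", "1.48.0"),
    ("Newtonsoft.Json", "10.0.3"),
]


def shipped_assets(deps):
    """Map 'Name/Version' -> {dll basename: fileVersion}, merged over all targets.

    Entries without a versioned runtime asset map to an empty dict.
    """
    result = defaultdict(dict)
    for target in deps.get("targets", {}).values():
        for lib_key, entry in target.items():
            assets = result[lib_key]  # registers declared-only entries too
            for path, meta in entry.get("runtime", {}).items():
                file_version = meta.get("fileVersion")
                if file_version:
                    assets[path.rsplit("/", 1)[-1]] = file_version
    return dict(result)


def providers_of(dll_name, assets_by_lib):
    """Return [(library key, fileVersion)] for entries that ship dll_name."""
    return sorted(
        (lib, assets[dll_name])
        for lib, assets in assets_by_lib.items()
        if dll_name in assets
    )


def triage(packages, deps):
    """Label each (name, version) pair by how deps.json backs it up."""
    assets_by_lib = shipped_assets(deps)
    report = []
    for name, version in packages:
        key = f"{name}/{version}"
        if key not in assets_by_lib:
            status, evidence = "not-in-deps-json", []
        elif assets_by_lib[key]:
            # The entry itself carries DLLs with a fileVersion.
            status, evidence = "shipped-with-app", sorted(assets_by_lib[key].items())
        else:
            # Declared only: show which entry, if any, ships <name>.dll.
            status = "declared-only"
            evidence = providers_of(f"{name}.dll", assets_by_lib)
        report.append({"package": key, "status": status, "evidence": evidence})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_PACKAGES, json.loads(SAMPLE_DEPS_JSON)):
        print(row["status"], row["package"], row["evidence"])
```

For a framework-dependent publish there is no runtimepack entry, so a `declared-only` result comes back with empty evidence and the assembly has to be checked in the shared runtime directory of the image instead.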

@JoostvdB94

JoostvdB94 commented Nov 14, 2022

Scan for vulnerabilities in the targeted framework version

I am not sure that is possible, because GitHub Advisory database uses package version(not framework version) in advisories.

That nuget package is not meant to be installed separately (https://www.nuget.org/packages/System.Private.Uri/#:~:text=Please%20do%20not%20reference%20directly)
Microsoft itself recommends installing a security update (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0980). This security update is not a single package, but the security update that applies to the runtime (https://catalog.update.microsoft.com/Search.aspx?q=KB4495618). So I still believe these packages are part of the runtime.

Why else is the only version that can be found (in the entire docker image) the runtime version that is located outside of the app installation folder? And how could a program actively use an older version if it is not present?

@JoostvdB94

I have installed several popular nuget packages, but my *deps.json file does not contain system/runtime packages. @JoostvdB94 @plaisted If you have ability, can you play with your projects and try to find package that adds System.Private.Uri.

The package that causes it in my case targets netcore1.1: https://www.nuget.org/packages/JsonDiffPatch

@DmitriyLewen
Contributor

@JoostvdB94
Perhaps i confused you.
I meant that there is no information in the GitHub database that the framework has vulnerabilities (only in the description, but there are no rules for the description and we cannot parse it).
Therefore, we cannot obtain information about vulnerabilities for frameworks.

@DmitriyLewen
Contributor

The package that causes it in my case targets netcore1.1: https://www.nuget.org/packages/JsonDiffPatch

thanks for this!
I played with this package.
I think there is problem with dependencies of this package.
I installed JsonDiffPatch v2.0.61. After that my lock file contains System.Private.Uri and runtime packages.

...
"runtime.unix.System.Diagnostics.Debug": {
        "type": "Transitive",
        "resolved": "4.3.0",
        "contentHash": "WV8KLRHWVUVUDduFnvGMHt0FsEt2wK6xPl1EgDKlaMx2KnZ43A/O0GzP8wIuvAC7mq4T9V1mm90r+PXkL9FPdQ==",
        "dependencies": {
          "runtime.native.System": "4.3.0"
        }
      },
...
"System.Private.Uri": {
        "type": "Transitive",
        "resolved": "4.3.0",
        "contentHash": "I4SwANiUGho1esj4V4oSlPllXjzCZDE+5XXso2P03LW2vOda2Enzh8DWOxwN6hnrJyp314c7KuVu31QYhRzOGg==",
        "dependencies": {
          "Microsoft.NETCore.Platforms": "1.1.0",
          "Microsoft.NETCore.Targets": "1.1.0",
          "runtime.unix.System.Private.Uri": "4.3.0"
        }
      },
...

As we said this is wrong logic.

@plaisted

As we said this is wrong logic.

I updated my statement to reflect your findings. Those must get added as transitive under some circumstances (maybe referencing .net framework / old net core packages?)

@DmitriyLewen
Contributor

maybe referencing .net framework / old net core packages?

But this is still wrong way NET works:
Why does lock file and dll (when using --self-contained true) contain different dependency versions.

➜ cat packages.lock.json | grep '"System.Private.Uri": {' -A 9
      "System.Private.Uri": {
        "type": "Transitive",
        "resolved": "4.3.0",
        "contentHash": "I4SwANiUGho1esj4V4oSlPllXjzCZDE+5XXso2P03LW2vOda2Enzh8DWOxwN6hnrJyp314c7KuVu31QYhRzOGg==",
        "dependencies": {
          "Microsoft.NETCore.Platforms": "1.1.0",
          "Microsoft.NETCore.Targets": "1.1.0",
          "runtime.unix.System.Private.Uri": "4.3.0"
        }
      },

➜ exiftool ./bin/release/net6.0/ubuntu.22.04-x64/System.Private.Uri.dll | grep Version
ExifTool Version Number         : 12.40
Linker Version                  : 11.0
OS Version                      : 4.0
Image Version                   : 0.0
Subsystem Version               : 4.0
File Version Number             : 6.0.1022.47605
Product Version Number          : 0.0.0.0
File Version                    : 6.0.1022.47605
Product Version                 : 6.0.10-servicing.22476.5+5a400c212afdf8e675c9a1d38442e6d2f19f7b74
Assembly Version                : 6.0.0.0

@JoostvdB94

That is strange indeed and may be a bug in dotnet. However, specifying the minimal required package version is a "good practice" many library maintainers use. Maybe this behaviour is the result of the dependency resolution process nuget uses?
(as mentioned by @DmitriyLewen: https://learn.microsoft.com/en-us/nuget/concepts/dependency-resolution#lowest-applicable-version)

I would also recommend against using the lockfile for scanning, as generating a lock file is an optional (and disabled by default) option.

@DmitriyLewen
Contributor

I checked System.Private.Uri package again and last update == 5/14/2019

However, specifying the minimal required package version is a "good practice" many library maintainers use

Perhaps NET started including System.Private.Uri after this date.
JsonDiffPatch or its transitive dependency uses old System.Private.Uri 4.3.0.
=> NET uses System.Private.Uri 4.3.0 in deps.json.

But that doesn't explain why the dll has a different version (6.0.1022.47605)

@jkone27
Author

jkone27 commented Nov 23, 2022

Big question: why doesn't trivy just use dotnet for checking package vulnerabilities? Aren't dotnet commands based on framework more reliable?

dotnet list package --vulnerable --include-transitive

It looks like this gives more results or different results than trivy scans? Shouldn't they give the same result all times?

frameworks can be found from .csproj file but maybe it could also be passed as a parameter if that's easier?
dotnet-sdk images to run that command, or maybe version could be passed by maintainers on a scan like --framework=NET6 https://hub.docker.com/_/microsoft-dotnet-sdk/.

@plaisted

big question, why doesnt trivy use just dotnet for checking package vulnerabilities, isn't dotnet commands based on framework more reliable?

Trivy is used to scan containers that primarily contain already published applications. dotnet list package only works on a project / solution not the published artifacts.

@DmitriyLewen
Contributor

Trivy doesn't run commands. We only parse individual files (in this case *.deps.json).

dotnet commands based on framework more reliable?

This option is not available at the moment.

@github-actions

github-actions bot commented Feb 8, 2023

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 8, 2023
@ben-page

Bump. Until Trivy understands how .NET resolves transitive dependencies, Trivy is unusable for .NET projects.

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Feb 26, 2023
@DmitriyLewen
Contributor

Hello @ben-page

Maybe you can send some examples to help us understand how .Net stores dependencies?

@cspwizard

Hi! Have a similar issue:
Trivy reports

System.Text.Encodings.Web │ CVE-2021-26701 │ CRITICAL │ 4.5.0             │ 5.0.1, 4.7.2, 4.5.1 │ dotnet: System.Text.Encodings.Web Remote Code Execution │ https://avd.aquasec.com/nvd/cve-2021-26701 

However this library version is not used. It appears in dependencies, but there is another one (6.0) actually installed and used.

"System.Text.Encodings.Web": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "Vg8eB5Tawm1IFqj4TVK1czJX89rhFxJo9ELqc/Eiq0eXy13RK00eubyU6TJE6y+GQXjyV5gSfiewDUZjQgSE0w==",
      "dependencies": {
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    }

So this looks like a bug in the trivy.

Scan is running in trivy docker container:

docker run --pull=always -v $HOME/.trivy/cache:/root/.cache/ -v "$HOME/sources/project:/src" aquasec/trivy fs --exit-code 1 --severity CRITICAL /src
packages.lock.json
{
"version": 1,
"dependencies": {
  "net7.0": {
    "ApacheThrift": {
      "type": "Direct",
      "requested": "[0.18.1, )",
      "resolved": "0.18.1",
      "contentHash": "bFZOkBgcFx6lf1hTy5s3ld/C0EoQUnod0quX9ZKe8W7fIUHmNclPxfgSNkM0WTJxa9ZIsNw7XIgP/cGVkOfFmg==",
      "dependencies": {
        "Microsoft.AspNetCore.Http.Abstractions": "2.2.0",
        "Microsoft.Extensions.Logging": "6.0.0",
        "Microsoft.Extensions.Logging.Console": "6.0.0",
        "Microsoft.Extensions.Logging.Debug": "6.0.0",
        "System.IO.Pipes": "4.3.0",
        "System.IO.Pipes.AccessControl": "5.0.0",
        "System.Net.Http.WinHttpHandler": "6.0.0",
        "System.Net.NameResolution": "4.3.0",
        "System.Net.Requests": "4.3.0",
        "System.Net.Security": "4.3.2",
        "System.Threading.Tasks.Extensions": "4.5.4"
      }
    },
    "Castle.Core": {
      "type": "Direct",
      "requested": "[5.1.1, )",
      "resolved": "5.1.1",
      "contentHash": "rpYtIczkzGpf+EkZgDr9CClTdemhsrwA/W5hMoPjLkRFnXzH44zDLoovXeKtmxb1ykXK9aJVODSpiJml8CTw2g==",
      "dependencies": {
        "System.Diagnostics.EventLog": "6.0.0"
      }
    },
    "Castle.Core.AsyncInterceptor": {
      "type": "Direct",
      "requested": "[2.1.0, )",
      "resolved": "2.1.0",
      "contentHash": "1vOovJnbjjoCFbPPNLvLTeiqJwoA+aRXkhXcgCQY0pi1eejGqCegJwl58pIIPH/uKDfUXnPIo7aqSrcXEyEH1Q==",
      "dependencies": {
        "Castle.Core": "4.4.0"
      }
    },
    "Nerdbank.Streams": {
      "type": "Direct",
      "requested": "[2.9.112, )",
      "resolved": "2.9.112",
      "contentHash": "SEEoiRbeDZ/FoPmAEgVWIngdM1PCqeZd61P5P/7jVn16k/ObjTxhiMozajlYoQftL/yYTYkH/MqaE1XGMssazw==",
      "dependencies": {
        "Microsoft.Bcl.AsyncInterfaces": "6.0.0",
        "Microsoft.VisualStudio.Threading": "17.1.46",
        "Microsoft.VisualStudio.Validation": "17.0.53",
        "System.IO.Pipelines": "6.0.3",
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    },
    "OpenTracing": {
      "type": "Direct",
      "requested": "[0.12.1, )",
      "resolved": "0.12.1",
      "contentHash": "8i/Vnx/lbWzqqJ6J5lofguT4wBS99rfqKujWrFrTGAclQBZ5h1CgBlzGOTqsNjmMsxSTLpC+Ns6/f1RB0c4O/g=="
    },
    "Polly": {
      "type": "Direct",
      "requested": "[7.2.3, )",
      "resolved": "7.2.3",
      "contentHash": "DeCY0OFbNdNxsjntr1gTXHJ5pKUwYzp04Er2LLeN3g6pWhffsGuKVfMBLe1lw7x76HrPkLxKEFxBlpRxS2nDEQ=="
    },
    "prometheus-net.AspNetCore": {
      "type": "Direct",
      "requested": "[8.0.0, )",
      "resolved": "8.0.0",
      "contentHash": "XNeeTpq9DMWOQC9t4yu4sYRE7WqRn9CrHi916gV8n4Zwe5kzFqGt5H2FnIm7LLGw2edndU2AtdlYs9bJ2AmVuQ==",
      "dependencies": {
        "prometheus-net": "8.0.0"
      }
    },
    "System.Net.Http": {
      "type": "Direct",
      "requested": "[4.3.4, )",
      "resolved": "4.3.4",
      "contentHash": "aOa2d51SEbmM+H+Csw7yJOuNZoHkrP2XnAurye5HWYgGVVU54YZDvsLUYRv6h18X3sPnjNCANmN7ZhIPiqMcjA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.1",
        "System.Collections": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.Diagnostics.DiagnosticSource": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.Globalization.Extensions": "4.3.0",
        "System.IO": "4.3.0",
        "System.IO.FileSystem": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.OpenSsl": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Security.Cryptography.X509Certificates": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0",
        "runtime.native.System": "4.3.0",
        "runtime.native.System.Net.Http": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2"
      }
    },
    "Microsoft.AspNetCore.Http.Abstractions": {
      "type": "Transitive",
      "resolved": "2.2.0",
      "contentHash": "Nxs7Z1q3f1STfLYKJSVXCs1iBl+Ya6E8o4Oy1bCxJ/rNI44E/0f6tbsrVqAWfB7jlnJfyaAtIalBVxPKUPQb4Q==",
      "dependencies": {
        "Microsoft.AspNetCore.Http.Features": "2.2.0",
        "System.Text.Encodings.Web": "4.5.0"
      }
    },
    "Microsoft.AspNetCore.Http.Features": {
      "type": "Transitive",
      "resolved": "2.2.0",
      "contentHash": "ziFz5zH8f33En4dX81LW84I6XrYXKf9jg6aM39cM+LffN9KJahViKZ61dGMSO2gd3e+qe5yBRwsesvyqlZaSMg==",
      "dependencies": {
        "Microsoft.Extensions.Primitives": "2.2.0"
      }
    },
    "Microsoft.Bcl.AsyncInterfaces": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "UcSjPsst+DfAdJGVDsu346FX0ci0ah+lw3WRtn18NUwEqRt70HaOQ7lI72vy3+1LxtqI3T5GWwV39rQSrCzAeg=="
    },
    "Microsoft.Extensions.Configuration": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "tq2wXyh3fL17EMF2bXgRhU7JrbO3on93MRKYxzz4JzzvuGSA1l0W3GI9/tl8EO89TH+KWEymP7bcFway6z9fXg==",
      "dependencies": {
        "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",
        "Microsoft.Extensions.Primitives": "6.0.0"
      }
    },
    "Microsoft.Extensions.Configuration.Abstractions": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "qWzV9o+ZRWq+pGm+1dF+R7qTgTYoXvbyowRoBxQJGfqTpqDun2eteerjRQhq5PQ/14S+lqto3Ft4gYaRyl4rdQ==",
      "dependencies": {
        "Microsoft.Extensions.Primitives": "6.0.0"
      }
    },
    "Microsoft.Extensions.Configuration.Binder": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "b3ErKzND8LIC7o08QAVlKfaEIYEvLJbtmVbFZVBRXeu9YkKfSSzLZfR1SUfQPBIy9mKLhEtJgGYImkcMNaKE0A==",
      "dependencies": {
        "Microsoft.Extensions.Configuration.Abstractions": "6.0.0"
      }
    },
    "Microsoft.Extensions.DependencyInjection": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "k6PWQMuoBDGGHOQTtyois2u4AwyVcIwL2LaSLlTZQm2CYcJ1pxbt6jfAnpWmzENA/wfrYRI/X9DTLoUkE4AsLw==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    },
    "Microsoft.Extensions.DependencyInjection.Abstractions": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "xlzi2IYREJH3/m6+lUrQlujzX8wDitm4QGnUu6kUXTQAWPuZY8i+ticFJbzfqaetLA6KR/rO6Ew/HuYD+bxifg=="
    },
    "Microsoft.Extensions.Http": {
      "type": "Transitive",
      "resolved": "3.1.0",
      "contentHash": "DLigdcV0nYaT6/ly0rnfP80BnXq8NNd/h8/SkfY39uio7Bd9LauVntp6RcRh1Kj23N+uf80GgL7Win6P3BCtoQ==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection.Abstractions": "3.1.0",
        "Microsoft.Extensions.Logging": "3.1.0",
        "Microsoft.Extensions.Options": "3.1.0"
      }
    },
    "Microsoft.Extensions.Logging": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "eIbyj40QDg1NDz0HBW0S5f3wrLVnKWnDJ/JtZ+yJDFnDj90VoPuoPmFkeaXrtu+0cKm5GRAwoDf+dBWXK0TUdg==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection": "6.0.0",
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging.Abstractions": "6.0.0",
        "Microsoft.Extensions.Options": "6.0.0",
        "System.Diagnostics.DiagnosticSource": "6.0.0"
      }
    },
    "Microsoft.Extensions.Logging.Abstractions": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "/HggWBbTwy8TgebGSX5DBZ24ndhzi93sHUBDvP1IxbZD7FDokYzdAr6+vbWGjw2XAfR2EJ1sfKUotpjHnFWPxA=="
    },
    "Microsoft.Extensions.Logging.Configuration": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "ZDskjagmBAbv+K8rYW9VhjPplhbOE63xUD0DiuydZJwt15dRyoqicYklLd86zzeintUc7AptDkHn+YhhYkYo8A==",
      "dependencies": {
        "Microsoft.Extensions.Configuration": "6.0.0",
        "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",
        "Microsoft.Extensions.Configuration.Binder": "6.0.0",
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging": "6.0.0",
        "Microsoft.Extensions.Logging.Abstractions": "6.0.0",
        "Microsoft.Extensions.Options": "6.0.0",
        "Microsoft.Extensions.Options.ConfigurationExtensions": "6.0.0"
      }
    },
    "Microsoft.Extensions.Logging.Console": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "gsqKzOEdsvq28QiXFxagmn1oRB9GeI5GgYCkoybZtQA0IUb7QPwf1WmN3AwJeNIsadTvIFQCiVK0OVIgKfOBGg==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging": "6.0.0",
        "Microsoft.Extensions.Logging.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging.Configuration": "6.0.0",
        "Microsoft.Extensions.Options": "6.0.0",
        "System.Text.Json": "6.0.0"
      }
    },
    "Microsoft.Extensions.Logging.Debug": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "M9g/JixseSZATJE9tcMn9uzoD4+DbSglivFqVx8YkRJ7VVPmnvCEbOZ0AAaxsL1EKyI4cz07DXOOJExxNsUOHw==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging": "6.0.0",
        "Microsoft.Extensions.Logging.Abstractions": "6.0.0"
      }
    },
    "Microsoft.Extensions.ObjectPool": {
      "type": "Transitive",
      "resolved": "7.0.0",
      "contentHash": "udvKco0sAVgYGTBnHUb0tY9JQzJ/nPDiv/8PIyz69wl1AibeCDZOLVVI+6156dPfHmJH7ws5oUJRiW4ZmAvuuA=="
    },
    "Microsoft.Extensions.Options": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "dzXN0+V1AyjOe2xcJ86Qbo233KHuLEY0njf/P2Kw8SfJU+d45HNS2ctJdnEnrWbM9Ye2eFgaC5Mj9otRMU6IsQ==",
      "dependencies": {
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Primitives": "6.0.0"
      }
    },
    "Microsoft.Extensions.Options.ConfigurationExtensions": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "bXWINbTn0vC0FYc9GaQTISbxhQLAMrvtbuvD9N6JelEaIS/Pr62wUCinrq5bf1WRBGczt1v4wDhxFtVFNcMdUQ==",
      "dependencies": {
        "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",
        "Microsoft.Extensions.Configuration.Binder": "6.0.0",
        "Microsoft.Extensions.DependencyInjection.Abstractions": "6.0.0",
        "Microsoft.Extensions.Options": "6.0.0",
        "Microsoft.Extensions.Primitives": "6.0.0"
      }
    },
    "Microsoft.Extensions.Primitives": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "9+PnzmQFfEFNR9J2aDTfJGGupShHjOuGw4VUv+JB044biSHrnmCIMD+mJHmb2H7YryrfBEXDurxQ47gJZdCKNQ==",
      "dependencies": {
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    },
    "Microsoft.NETCore.Platforms": {
      "type": "Transitive",
      "resolved": "5.0.0",
      "contentHash": "VyPlqzH2wavqquTcYpkIIAQ6WdenuKoFN0BdYBbCWsclXacSOHNQn66Gt4z5NBqEYW0FAPm5rlvki9ZiCij5xQ=="
    },
    "Microsoft.NETCore.Targets": {
      "type": "Transitive",
      "resolved": "1.1.0",
      "contentHash": "aOZA3BWfz9RXjpzt0sRJJMjAscAUm3Hoa4UWAfceV9UTYxgwZ1lZt5nO2myFf+/jetYQo4uTP7zS8sJY67BBxg=="
    },
    "Microsoft.VisualStudio.Threading": {
      "type": "Transitive",
      "resolved": "17.1.46",
      "contentHash": "05zhYyjY81Zizs5pqVr5MRm0ALOkYNseq0EnI/jec5H223suCs9BCZYziL2FnNMbNGMgynv0VtJfOVZpjszkpg==",
      "dependencies": {
        "Microsoft.Bcl.AsyncInterfaces": "6.0.0",
        "Microsoft.VisualStudio.Threading.Analyzers": "17.1.46",
        "Microsoft.VisualStudio.Validation": "17.0.43",
        "Microsoft.Win32.Registry": "5.0.0",
        "System.Threading.Tasks.Extensions": "4.5.4"
      }
    },
    "Microsoft.VisualStudio.Threading.Analyzers": {
      "type": "Transitive",
      "resolved": "17.1.46",
      "contentHash": "7pImoMcQaWZYAwu1aDBB8yBkvgad13yjrRHQ65pwHMX757vZ49OrNaEuRSLDu2PjZGonsTkQAJK8JK4W/wW4bw=="
    },
    "Microsoft.VisualStudio.Validation": {
      "type": "Transitive",
      "resolved": "17.0.53",
      "contentHash": "YUDb/V5JpiEGRXBut8fRy1rFqDRfl5XX3MgBaLsc0YVYpRy+pXb3pnzbceL1YMQxjrOiJPn5WZEpJNSxZvPdgg=="
    },
    "Microsoft.Win32.Primitives": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "9ZQKCWxH7Ijp9BfahvL2Zyf1cJIk8XYLF6Yjzr2yi0b2cOut/HQ31qf1ThHAgCc3WiZMdnWcfJCgN82/0UunxA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "Microsoft.Win32.Registry": {
      "type": "Transitive",
      "resolved": "5.0.0",
      "contentHash": "dDoKi0PnDz31yAyETfRntsLArTlVAVzUzCIvvEDsDsucrl33Dl8pIJG06ePTJTI3tGpeyHS9Cq7Foc/s4EeKcg==",
      "dependencies": {
        "System.Security.AccessControl": "5.0.0",
        "System.Security.Principal.Windows": "5.0.0"
      }
    },
    "NLog": {
      "type": "Transitive",
      "resolved": "5.1.3",
      "contentHash": "rB8hwjBf1EZCfG5iPfsv3gPksLoJLr1cOrt7PBbJu6VpJgwYJchDzTUT1dhNDdPv0QakXJQJOhE59ErupcznQQ=="
    },
    "NLog.Extensions.Logging": {
      "type": "Transitive",
      "resolved": "5.2.3",
      "contentHash": "TB8zPGV2nVpvWq5C8zIVHPSmnzOHMrXppjsAwHcuJq1Ehs8sC0llnAv5Ysf5Lf/vew9amV/+01MohtRFSDzKdQ==",
      "dependencies": {
        "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",
        "Microsoft.Extensions.Logging": "6.0.0",
        "NLog": "5.1.3"
      }
    },
    "NLog.Web.AspNetCore": {
      "type": "Transitive",
      "resolved": "5.2.3",
      "contentHash": "uP0KekbkswuMjo1dbaqu20TxH2Dc3ox2qJDIi837ob2Fq/BliZHuQY9nJdM3UArVrLrsl+xxsx0D6h8m3fOufg==",
      "dependencies": {
        "NLog.Extensions.Logging": "5.2.3"
      }
    },
    "prometheus-net": {
      "type": "Transitive",
      "resolved": "8.0.0",
      "contentHash": "tUz6ScbA4J193hT1xUxTXQuEAZj8b5YUUrdUVIEXb6yYOZZEvPzs4zqFqI2iJW6aLmldMEiUqCFq93EOLvqITA==",
      "dependencies": {
        "Microsoft.Extensions.Http": "3.1.0",
        "Microsoft.Extensions.ObjectPool": "7.0.0"
      }
    },
    "runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "7VSGO0URRKoMEAq0Sc9cRz8mb6zbyx/BZDEWhgPdzzpmFhkam3fJ1DAGWFXBI4nGlma+uPKpfuMQP5LXRnOH5g=="
    },
    "runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "0oAaTAm6e2oVH+/Zttt0cuhGaePQYKII1dY8iaqP7CvOpVKgLybKRFvQjXR2LtxXOXTVPNv14j0ot8uV+HrUmw=="
    },
    "runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "G24ibsCNi5Kbz0oXWynBoRgtGvsw5ZSVEWjv13/KiCAM8C6wz9zzcCniMeQFIkJ2tasjo2kXlvlBZhplL51kGg=="
    },
    "runtime.native.System": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "c/qWt2LieNZIj1jGnVNsE2Kl23Ya2aSTBuXMD6V7k9KWr6l16Tqdwq+hJScEpWER9753NWC8h96PaVNY5Ld7Jw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0"
      }
    },
    "runtime.native.System.Net.Http": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "ZVuZJqnnegJhd2k/PtAbbIcZ3aZeITq3sj06oKfMBSfphW3HDmk/t4ObvbOk/JA/swGR0LNqMksAh/f7gpTROg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0"
      }
    },
    "runtime.native.System.Net.Security": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "M2nN92ePS8BgQ2oi6Jj3PlTUzadYSIWLdZrHY1n1ZcW9o4wAQQ6W+aQ2lfq1ysZQfVCgDwY58alUdowrzezztg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0"
      }
    },
    "runtime.native.System.Security.Cryptography.Apple": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "DloMk88juo0OuOWr56QG7MNchmafTLYWvABy36izkrLI5VledI0rq28KGs1i9wbpeT9NPQrx/wTf8U2vazqQ3Q==",
      "dependencies": {
        "runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple": "4.3.0"
      }
    },
    "runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "QR1OwtwehHxSeQvZKXe+iSd+d3XZNkEcuWMFYa2i0aG1l+lR739HPicKMlTbJst3spmeekDVBUS7SeS26s4U/g==",
      "dependencies": {
        "runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2",
        "runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2"
      }
    },
    "runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "I+GNKGg2xCHueRd1m9PzeEW7WLbNNLznmTuEi8/vZX71HudUbx1UTwlGkiwMri7JLl8hGaIAWnA/GONhu+LOyQ=="
    },
    "runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "1Z3TAq1ytS1IBRtPXJvEUZdVsfWfeNEhBkbiOCGEl9wwAfsjP2lz3ZFDx5tq8p60/EqbS0HItG5piHuB71RjoA=="
    },
    "runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "kVXCuMTrTlxq4XOOMAysuNwsXWpYeboGddNGpIgNSZmv1b6r/s/DPk0fYMB7Q5Qo4bY68o48jt4T4y5BVecbCQ=="
    },
    "runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "6mU/cVmmHtQiDXhnzUImxIcDL48GbTk+TsptXyJA+MIOG9LRjPoAQC/qBFB7X+UNyK86bmvGwC8t+M66wsYC8w=="
    },
    "runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "vjwG0GGcTW/PPg6KVud8F9GLWYuAV1rrw1BKAqY0oh4jcUqg15oYF1+qkGR2x2ZHM4DQnWKQ7cJgYbfncz/lYg=="
    },
    "runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "7KMFpTkHC/zoExs+PwP8jDCWcrK9H6L7soowT80CUx3e+nxP/AFnq0AQAW5W76z2WYbLAYCRyPfwYFG6zkvQRw=="
    },
    "runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "xrlmRCnKZJLHxyyLIqkZjNXqgxnKdZxfItrPkjI+6pkRo5lHX8YvSZlWrSI5AVwLMi4HbNWP7064hcAWeZKp5w=="
    },
    "runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "leXiwfiIkW7Gmn7cgnNcdtNAU70SjmKW3jxGj1iKHOvdn0zRWsgv/l2OJUO5zdGdiv2VRFnAsxxhDgMzofPdWg=="
    },
    "System.Buffers": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "ratu44uTIHgeBeI0dE8DWvmXVBSo4u7ozRZZHOMmK/JPpYyo0dAfgSiHlpiObMQ5lEtEyIXA40sKRYg5J6A8uQ==",
      "dependencies": {
        "System.Diagnostics.Debug": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Threading": "4.3.0"
      }
    },
    "System.Collections": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "3Dcj85/TBdVpL5Zr+gEEBUuFe2icOnLalmEh9hfck1PTYbbyWuZgh4fmm2ysCLTrqLQw6t3TgTyJ+VLp+Qb+Lw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Collections.Concurrent": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "ztl69Xp0Y/UXCL+3v3tEU+lIy+bvjKNUmopn1wep/a291pVPK7dxBd6T7WnlQqRog+d1a/hSsgRsmFnIBKTPLQ==",
      "dependencies": {
        "System.Collections": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.Reflection": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.Diagnostics.Debug": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "ZUhUOdqmaG5Jk3Xdb8xi5kIyQYAA4PnTNlHx1mu9ZY3qv4ELIdKbnL/akbGaKi2RnNUWaZsAs31rvzFdewTj2g==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Diagnostics.DiagnosticSource": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "frQDfv0rl209cKm1lnwTgFPzNigy2EKk1BS3uAvHvlBVKe5cymGyHO+Sj+NLv5VF/AhHsqPIUUwya5oV4CHMUw==",
      "dependencies": {
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    },
    "System.Diagnostics.EventLog": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "lcyUiXTsETK2ALsZrX+nWuHSIQeazhqPphLfaRxzdGaG93+0kELqpgEHtwWOlQe7+jSFnKwaCAgL4kjeZCQJnw=="
    },
    "System.Diagnostics.Tracing": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "rswfv0f/Cqkh78rA5S8eN8Neocz234+emGCtTF3lxPY96F+mmmUen6tbn0glN6PMvlKQb9bPAY5e9u7fgPTkKw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Globalization": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "kYdVd2f2PAdFGblzFswE4hkNANJBKRmsfa2X5LG2AcWE1c7/4t0pYae1L8vfZ5xvE2nK/R9JprtToA61OSHWIg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Globalization.Calendars": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "GUlBtdOWT4LTV3I+9/PJW+56AnnChTaOqqTLFtdmype/L500M2LIyXgmtd9X2P2VOkmJd5c67H5SaC2QcL1bFA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Globalization": "4.3.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Globalization.Extensions": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "FhKmdR6MPG+pxow6wGtNAWdZh7noIOpdD5TwQ3CprzgIE1bBBoim0vbR1+AWsWjQmU7zXHgQo4TWSP6lCeiWcQ==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Globalization": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0"
      }
    },
    "System.IO": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "3qjaHvxQPDpSOYICjUoTsmoq5u6QJAFRUITgeT/4gqkF1bajbSmb1kwSxEA8AHlofqgcKJcM8udgieRNhaJ5Cg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.IO.FileSystem": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "3wEMARTnuio+ulnvi+hkRNROYwa1kylvYahhcLk4HSoVdl+xxTFVeVlYOfLwrDPImGls0mDqbMhrza8qnWPTdA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.IO": "4.3.0",
        "System.IO.FileSystem.Primitives": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.IO.FileSystem.Primitives": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "6QOb2XFLch7bEc4lIcJH49nJN2HV+OC3fHDgsLVsBVBk3Y4hFAnOBGzJ2lUu7CyDDFo9IBWkSsnbkT6IBwwiMw==",
      "dependencies": {
        "System.Runtime": "4.3.0"
      }
    },
    "System.IO.Pipelines": {
      "type": "Transitive",
      "resolved": "6.0.3",
      "contentHash": "ryTgF+iFkpGZY1vRQhfCzX0xTdlV3pyaTTqRu2ETbEv+HlV7O6y7hyQURnghNIXvctl5DuZ//Dpks6HdL/Txgw=="
    },
    "System.IO.Pipes": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "wpGJuACA6r8+KRckXoI6ghGTwgPRiICI6T7kgHI/m7S5eMqV/8jH37fzAUhTwIe9RwlH/j1sWwm2Q2zyXwZGHw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Buffers": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.IO": "4.3.0",
        "System.IO.FileSystem.Primitives": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Net.Sockets": "4.3.0",
        "System.Reflection": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Principal": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Overlapped": "4.3.0",
        "System.Threading.Tasks": "4.3.0",
        "runtime.native.System": "4.3.0"
      }
    },
    "System.IO.Pipes.AccessControl": {
      "type": "Transitive",
      "resolved": "5.0.0",
      "contentHash": "P0FIsXSFNL1AXlHO9zpJ9atRUzVyoPZCkcbkYGZfXXMx9xlGA2H3HOGBwIhpKhB+h0eL3hry/z0UcfJZ+yb2kQ==",
      "dependencies": {
        "System.Security.AccessControl": "5.0.0",
        "System.Security.Principal.Windows": "5.0.0"
      }
    },
    "System.Linq": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "5DbqIUpsDp0dFftytzuMmc0oeMdQwjcP/EWxsksIz/w1TcFRkZ3yKKz0PqiYFMmEwPSWw+qNVqD7PJ889JzHbw==",
      "dependencies": {
        "System.Collections": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0"
      }
    },
    "System.Net.Http.WinHttpHandler": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "jubNN9jH4NzVrvEf4fGwESLBsfH8whWNbHMhgM6IwA8UCt6+/M19bbOHc21JhigvC2HQKCl8HKGZMcBtIpzqIg=="
    },
    "System.Net.NameResolution": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "AFYl08R7MrsrEjqpQWTZWBadqXyTzNDaWpMqyxhb0d6sGhV6xMDKueuBXlLL30gz+DIRY6MpdgnHWlCh5wmq9w==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Collections": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Principal.Windows": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0",
        "runtime.native.System": "4.3.0"
      }
    },
    "System.Net.Primitives": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "qOu+hDwFwoZPbzPvwut2qATe3ygjeQBDQj91xlsaqGFQUI5i4ZnZb8yyQuLGpDGivEPIt8EJkd1BVzVoP31FXA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Handles": "4.3.0"
      }
    },
    "System.Net.Requests": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "OZNUuAs0kDXUzm7U5NZ1ojVta5YFZmgT2yxBqsQ7Eseq5Ahz88LInGRuNLJ/NP2F8W1q7tse1pKDthj3reF5QA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Collections": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.IO": "4.3.0",
        "System.Net.Http": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Net.WebHeaderCollection": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.Net.Security": {
      "type": "Transitive",
      "resolved": "4.3.2",
      "contentHash": "xT2jbYpbBo3ha87rViHoTA6WdvqOAW37drmqyx/6LD8p7HEPT2qgdxoimRzWtPg8Jh4X5G9BV2seeTv4x6FYlA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.Win32.Primitives": "4.3.0",
        "System.Collections": "4.3.0",
        "System.Collections.Concurrent": "4.3.0",
        "System.Diagnostics.Tracing": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.Globalization.Extensions": "4.3.0",
        "System.IO": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Claims": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.OpenSsl": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Security.Cryptography.X509Certificates": "4.3.0",
        "System.Security.Principal": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0",
        "System.Threading.ThreadPool": "4.3.0",
        "runtime.native.System": "4.3.0",
        "runtime.native.System.Net.Security": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.2"
      }
    },
    "System.Net.Sockets": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "m6icV6TqQOAdgt5N/9I5KNpjom/5NFtkmGseEH+AK/hny8XrytLH3+b5M8zL/Ycg3fhIocFpUMyl/wpFnVRvdw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.IO": "4.3.0",
        "System.Net.Primitives": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.Net.WebHeaderCollection": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "XZrXYG3c7QV/GpWeoaRC02rM6LH2JJetfVYskf35wdC/w2fFDFMphec4gmVH2dkll6abtW14u9Rt96pxd9YH2A==",
      "dependencies": {
        "System.Collections": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0"
      }
    },
    "System.Reflection": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "KMiAFoW7MfJGa9nDFNcfu+FpEdiHpWgTcS2HdMpDvt9saK3y/G4GwprPyzqjFH9NTaGPQeWNHU+iDlDILj96aQ==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.IO": "4.3.0",
        "System.Reflection.Primitives": "4.3.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Reflection.Primitives": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "5RXItQz5As4xN2/YUDxdpsEkMhvw3e6aNveFXUn4Hl/udNTCNhnKp8lT9fnc3MhvGKh1baak5CovpuQUXHAlIA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Resources.ResourceManager": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "/zrcPkkWdZmI4F92gL/TPumP98AVDu/Wxr3CSJGQQ+XN6wbRZcyfSKVoPo17ilb3iOr0cCRqJInGwNMolqhS8A==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Globalization": "4.3.0",
        "System.Reflection": "4.3.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Runtime": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "JufQi0vPQ0xGnAczR13AUFglDyVYt4Kqnz1AZaiKZ5+GICq0/1MH/mO/eAJHt/mHW1zjKBJd7kV26SrxddAhiw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0"
      }
    },
    "System.Runtime.CompilerServices.Unsafe": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "/iUeP3tq1S0XdNNoMz5C9twLSrM/TH+qElHkXWaPvuNOt+99G75NrV0OS2EqHx5wMN7popYjpc8oTjC1y16DLg=="
    },
    "System.Runtime.Extensions": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "guW0uK0fn5fcJJ1tJVXYd7/1h5F+pea1r7FLSOz/f8vPEqbR2ZAknuRDvTQ8PzAilDveOxNjSfr0CHfIQfFk8g==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Runtime.Handles": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "OKiSUN7DmTWeYb3l51A7EYaeNMnvxwE249YtZz7yooT4gOZhmTjIn48KgSsw2k2lYdLgTKNJw/ZIfSElwDRVgg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Runtime.InteropServices": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "uv1ynXqiMK8mp1GM3jDqPCFN66eJ5w5XNomaK2XD+TuCroNTLFGeZ+WCmBMcBDyTFKou3P6cR6J/QsaqDp7fGQ==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Reflection": "4.3.0",
        "System.Reflection.Primitives": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Handles": "4.3.0"
      }
    },
    "System.Runtime.Numerics": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "yMH+MfdzHjy17l2KESnPiF2dwq7T+xLnSJar7slyimAkUh/gTrS9/UQOtv7xarskJ2/XDSNvfLGOBQPjL7PaHQ==",
      "dependencies": {
        "System.Globalization": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0"
      }
    },
    "System.Security.AccessControl": {
      "type": "Transitive",
      "resolved": "5.0.0",
      "contentHash": "dagJ1mHZO3Ani8GH0PHpPEe/oYO+rVdbQjvjJkBRNQkX4t0r1iaeGn8+/ybkSLEan3/slM0t59SVdHzuHf2jmw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "5.0.0",
        "System.Security.Principal.Windows": "5.0.0"
      }
    },
    "System.Security.Claims": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "P/+BR/2lnc4PNDHt/TPBAWHVMLMRHsyYZbU1NphW4HIWzCggz8mJbTQQ3MKljFE7LS3WagmVFuBgoLcFzYXlkA==",
      "dependencies": {
        "System.Collections": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.IO": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Security.Principal": "4.3.0"
      }
    },
    "System.Security.Cryptography.Algorithms": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "W1kd2Y8mYSCgc3ULTAZ0hOP2dSdG5YauTb1089T0/kRcN2MpSAW1izOFROrJgxSlMn3ArsgHXagigyi+ibhevg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Collections": "4.3.0",
        "System.IO": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Runtime.Numerics": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "runtime.native.System.Security.Cryptography.Apple": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.0"
      }
    },
    "System.Security.Cryptography.Cng": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "03idZOqFlsKRL4W+LuCpJ6dBYDUWReug6lZjBa3uJWnk5sPCUXckocevTaUA8iT/MFSrY/2HXkOt753xQ/cf8g==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.IO": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0"
      }
    },
    "System.Security.Cryptography.Csp": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "X4s/FCkEUnRGnwR3aSfVIkldBmtURMhmexALNTwpjklzxWU7yjMk7GHLKOZTNkgnWnE0q7+BCf9N2LVRWxewaA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.IO": "4.3.0",
        "System.Reflection": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading": "4.3.0"
      }
    },
    "System.Security.Cryptography.Encoding": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "1DEWjZZly9ae9C79vFwqaO5kaOlI5q+3/55ohmq/7dpDyDfc8lYe7YVxJUZ5MF/NtbkRjwFRo14yM4OEo9EmDw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Collections": "4.3.0",
        "System.Collections.Concurrent": "4.3.0",
        "System.Linq": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.0"
      }
    },
    "System.Security.Cryptography.OpenSsl": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "h4CEgOgv5PKVF/HwaHzJRiVboL2THYCou97zpmhjghx5frc7fIvlkY1jL+lnIQyChrJDMNEXS6r7byGif8Cy4w==",
      "dependencies": {
        "System.Collections": "4.3.0",
        "System.IO": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Runtime.Numerics": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.0"
      }
    },
    "System.Security.Cryptography.Primitives": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "7bDIyVFNL/xKeFHjhobUAQqSpJq9YTOpbEs6mR233Et01STBMXNAc/V+BM6dwYGc95gVh/Zf+iVXWzj3mE8DWg==",
      "dependencies": {
        "System.Diagnostics.Debug": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.IO": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Threading": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.Security.Cryptography.X509Certificates": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "t2Tmu6Y2NtJ2um0RtcuhP7ZdNNxXEgUm2JeoA/0NvlMjAhKCnM1NX07TDl3244mVp3QU6LPEhT3HTtH1uF7IYw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Collections": "4.3.0",
        "System.Diagnostics.Debug": "4.3.0",
        "System.Globalization": "4.3.0",
        "System.Globalization.Calendars": "4.3.0",
        "System.IO": "4.3.0",
        "System.IO.FileSystem": "4.3.0",
        "System.IO.FileSystem.Primitives": "4.3.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Extensions": "4.3.0",
        "System.Runtime.Handles": "4.3.0",
        "System.Runtime.InteropServices": "4.3.0",
        "System.Runtime.Numerics": "4.3.0",
        "System.Security.Cryptography.Algorithms": "4.3.0",
        "System.Security.Cryptography.Cng": "4.3.0",
        "System.Security.Cryptography.Csp": "4.3.0",
        "System.Security.Cryptography.Encoding": "4.3.0",
        "System.Security.Cryptography.OpenSsl": "4.3.0",
        "System.Security.Cryptography.Primitives": "4.3.0",
        "System.Text.Encoding": "4.3.0",
        "System.Threading": "4.3.0",
        "runtime.native.System": "4.3.0",
        "runtime.native.System.Net.Http": "4.3.0",
        "runtime.native.System.Security.Cryptography.OpenSsl": "4.3.0"
      }
    },
    "System.Security.Principal": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "I1tkfQlAoMM2URscUtpcRo/hX0jinXx6a/KUtEQoz3owaYwl3qwsO8cbzYVVnjxrzxjHo3nJC+62uolgeGIS9A==",
      "dependencies": {
        "System.Runtime": "4.3.0"
      }
    },
    "System.Security.Principal.Windows": {
      "type": "Transitive",
      "resolved": "5.0.0",
      "contentHash": "t0MGLukB5WAVU9bO3MGzvlGnyJPgUlcwerXn1kzBRjwLKixT96XV0Uza41W49gVd8zEMFu9vQEFlv0IOrytICA=="
    },
    "System.Text.Encoding": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "BiIg+KWaSDOITze6jGQynxg64naAPtqGHBwDrLaCtixsa5bKiR8dpPOHA7ge3C0JJQizJE+sfkz1wV+BAKAYZw==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Text.Encodings.Web": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "Vg8eB5Tawm1IFqj4TVK1czJX89rhFxJo9ELqc/Eiq0eXy13RK00eubyU6TJE6y+GQXjyV5gSfiewDUZjQgSE0w==",
      "dependencies": {
        "System.Runtime.CompilerServices.Unsafe": "6.0.0"
      }
    },
    "System.Text.Json": {
      "type": "Transitive",
      "resolved": "6.0.0",
      "contentHash": "zaJsHfESQvJ11vbXnNlkrR46IaMULk/gHxYsJphzSF+07kTjPHv+Oc14w6QEOfo3Q4hqLJgStUaYB9DBl0TmWg==",
      "dependencies": {
        "System.Runtime.CompilerServices.Unsafe": "6.0.0",
        "System.Text.Encodings.Web": "6.0.0"
      }
    },
    "System.Threading": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "VkUS0kOBcUf3Wwm0TSbrevDDZ6BlM+b/HRiapRFWjM5O0NS0LviG0glKmFK+hhPDd1XFeSdU1GmlLhb2CoVpIw==",
      "dependencies": {
        "System.Runtime": "4.3.0",
        "System.Threading.Tasks": "4.3.0"
      }
    },
    "System.Threading.Overlapped": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "m3HQ2dPiX/DSTpf+yJt8B0c+SRvzfqAJKx+QDWi+VLhz8svLT23MVjEOHPF/KiSLeArKU/iHescrbLd3yVgyNg==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "System.Resources.ResourceManager": "4.3.0",
        "System.Runtime": "4.3.0",
        "System.Runtime.Handles": "4.3.0"
      }
    },
    "System.Threading.Tasks": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "LbSxKEdOUhVe8BezB/9uOGGppt+nZf6e1VFyw6v3DN6lqitm0OSn2uXMOdtP0M3W4iMcqcivm2J6UgqiwwnXiA==",
      "dependencies": {
        "Microsoft.NETCore.Platforms": "1.1.0",
        "Microsoft.NETCore.Targets": "1.1.0",
        "System.Runtime": "4.3.0"
      }
    },
    "System.Threading.Tasks.Extensions": {
      "type": "Transitive",
      "resolved": "4.5.4",
      "contentHash": "zteT+G8xuGu6mS+mzDzYXbzS7rd3K6Fjb9RiZlYlJPam2/hU7JCBZBVEcywNuR+oZ1ncTvc/cq0faRr3P01OVg=="
    },
    "System.Threading.ThreadPool": {
      "type": "Transitive",
      "resolved": "4.3.0",
      "contentHash": "k/+g4b7vjdd4aix83sTgC9VG6oXYKAktSfNIJUNGxPEj7ryEOfzHHhfnmsZvjxawwcD9HyWXKCXmPjX8U4zeSw==",
      "dependencies": {
        "System.Runtime": "4.3.0",
        "System.Runtime.Handles": "4.3.0"
      }
    },
    "vtbf.common.logging.nlog": {
      "type": "Project",
      "dependencies": {
        "NLog": "[5.1.3, )",
        "NLog.Web.AspNetCore": "[5.2.3, )"
      }
    }
  }
}
}

@DmitriyLewen
Contributor

Hello @cspwizard
Thanks for your report!

What version of Trivy are you using?
v0.40.0 only finds version 6.0.0 in your packages.lock.json:

trivy -d fs -f json --list-all-pkgs . | grep '"Name": "System.Text.Encodings.Web"' -B 1 -A 1
          "ID": "System.Text.Encodings.Web@6.0.0",
          "Name": "System.Text.Encodings.Web",
          "Version": "6.0.0",

@cspwizard

cspwizard commented Apr 20, 2023

@DmitriyLewen Hi! Thanks for the quick reply!

Version: 0.40.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-04-20 06:09:18.54061127 +0000 UTC
  NextUpdate: 2023-04-20 12:09:18.54061107 +0000 UTC
  DownloadedAt: 2023-04-20 08:35:09.300644769 +0000 UTC

I've triple-checked, and it appears that the problem is in the bin/Debug/net6.0/<project>.deps.json file, not in packages.lock.json, but I'm not sure why it is checked anyway. If I delete those deps.json files, it works as expected.

@DmitriyLewen
Contributor

Trivy parses nuget files separately.
That is why Trivy found [email protected].

There are questions about nuget files (you can see that in this issue).
I don't know why your .deps.json and packages.lock.json files have different deps.

@cspwizard

They have different versions because we've updated to net7, and that debug folder is neither updated nor cleaned by dotnet clean ...

@DmitriyLewen
Contributor

You can skip this dir if you can't remove it (if it would break your project or something else).

@aquasecurity aquasecurity locked and limited conversation to collaborators May 10, 2023
@knqyf263 knqyf263 converted this issue into discussion #4282 May 10, 2023
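
A check for the situation this thread ends on, where a leftover bin/Debug .deps.json lists package versions that packages.lock.json no longer resolves. This is an added example, not code from Trivy or from the thread; the two sample documents and their versions are constructed, and it assumes the usual .deps.json "libraries" map keyed by Name/Version.

```python
import json

# Constructed samples: a lock file restored after an upgrade, and a stale build output.
LOCK_JSON = """{
  "dependencies": {
    "net7.0": {
      "System.Text.Encodings.Web": {"type": "Transitive", "resolved": "6.0.0"},
      "System.Threading.Tasks.Extensions": {"type": "Transitive", "resolved": "4.5.4"},
      "vtbf.common.logging.nlog": {"type": "Project"}
    }
  }
}"""
DEPS_JSON = """{
  "libraries": {
    "MyApp/1.0.0": {"type": "project"},
    "System.Text.Encodings.Web/5.0.0": {"type": "package"},
    "System.Threading.Tasks.Extensions/4.5.4": {"type": "package"},
    "Leftover.Package/1.2.3": {"type": "package"}
  }
}"""

def lock_versions(lock):
    """Map lower-cased package name -> resolved versions across all frameworks."""
    out = {}
    for framework in lock.get("dependencies", {}).values():
        for name, meta in framework.items():
            if "resolved" in meta:  # "Project" entries carry no resolved version
                out.setdefault(name.lower(), set()).add(meta["resolved"])
    return out

def deps_versions(deps):
    """Yield (name, version) for NuGet packages listed under "libraries"."""
    for key, meta in deps.get("libraries", {}).items():
        name, _, version = key.rpartition("/")
        if meta.get("type") == "package" and name:
            yield name, version

def stale_entries(lock, deps):
    """Return deps.json packages whose version the lock file does not resolve."""
    locked, findings = lock_versions(lock), []
    for name, version in deps_versions(deps):
        expected = locked.get(name.lower(), set())  # NuGet IDs are case-insensitive
        if version not in expected:
            reason = "lock resolves " + ", ".join(sorted(expected)) if expected else "not in lock file"
            findings.append((name, version, reason))
    return sorted(findings)

if __name__ == "__main__":
    print(stale_entries(json.loads(LOCK_JSON), json.loads(DEPS_JSON)))
```

A build directory that shows up in this report can be deleted before scanning or excluded with Trivy's `--skip-dirs` option.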
