Qualys scan showing vulnerabilities in SDK

[mthalman]

Running a Qualys vulnerability scan on a SDK installation yields several vulnerability results from NuGet package references. These are showing up in Qualys scans of the official .NET Docker images for the SDK (e.g. mcr.microsoft.com/dotnet/sdk:7.0) even though they have the latest SDK version installed.

CVE-2019-0820

References System.Text.RegularExpressions, version 4.3.0. Required version is 4.3.1.
Install location sources:

• sdk/7.0.103/package.deps.json
• sdk/7.0.103/vstest.console.deps.json
• sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json
• sdk/7.0.103/dotnet-watch.deps.json
• sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json

CVE-2022-34716

References System.Security.Cryptography.Xml, version 6.0.0. Required version is 6.0.1.
Install location sources:

• sdk/7.0.103/dotnet.deps.json
• sdk/7.0.103/MSBuild.deps.json
• sdk/7.0.103/FSharp/fsi.deps.json
• sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json
• sdk/7.0.103/FSharp/fsc.deps.json

CVE-2021-24112

References System.Drawing.Common, version 4.7.0. Required version is 4.7.2.
Install location sources:

• sdk/7.0.103/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json

CVE-2018-8292

References System.Net.Http, version 4.3.0. Required version is 4.3.4.
Install location sources:

• sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json
• sdk/7.0.103/dotnet-watch.deps.json
• sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json

These all seem to be NuGet package reference issues but not an issue of the SDK actually containing any vulnerable binaries. It's not clear what causes things to be referencing these particular versions. It is important that these get addressed, however, since this nuance of "not actually containing vulnerable binaries" isn't good enough. The Qualys scanner is still identifying these and reporting them which would cause concern by customers.

[mthalman]

cc @marcpopMSFT @aortiz-msft @JonDouglas @baronfel

[richlander]

This bit of bash hacking tells the story.

System.Text.RegularExpressions

Required version is 4.3.1.

# find /usr/share/dotnet/sdk/7.0.103/ | grep .json | xargs grep System.Text.RegularExpressions | grep -v 4.3.1
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:      "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:    "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:      "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:    "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:      "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:    "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:      "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:    "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:          "System.Text.RegularExpressions": "4.1.0",
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:          "System.Text.RegularExpressions": "4.1.0",
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:      "System.Text.RegularExpressions/4.1.0": {
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:          "lib/netstandard1.6/System.Text.RegularExpressions.dll": {
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:          "System.Text.RegularExpressions": "4.1.0",
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:          "System.Text.RegularExpressions": "4.1.0",
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.DotNet.ILCompiler/tools/netstandard/ILCompiler.Build.Tasks.deps.json:    "System.Text.RegularExpressions/4.1.0": {
/usr/share/dotnet/sdk/7.0.103/package.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/package.deps.json:      "System.Text.RegularExpressions/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/package.deps.json:          "System.Text.RegularExpressions": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/package.deps.json:    "System.Text.RegularExpressions/4.3.0": {

Let's check where the binary exists:

# find /usr/share/dotnet/shared | grep System.Text.RegularExpressions
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.3/System.Text.RegularExpressions.dll
# find /usr/share/dotnet/sdk | grep System.Text.RegularExpressions
/usr/share/dotnet/sdk/7.0.103/Microsoft/Microsoft.NET.Build.Extensions/net461/lib/System.Text.RegularExpressions.dll
/usr/share/dotnet/sdk/7.0.103/TestHostNetFramework/System.Text.RegularExpressions.dll

System.Security.Cryptography.Xml

Required version is 6.0.1.

# find /usr/share/dotnet/sdk/7.0.103/ | grep .json | xargs grep System.Security.Cryptography.Xml | grep -v 6.0.1
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "System.Security.Cryptography.Xml": "6.0.0",
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:      "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "lib/net6.0/System.Security.Cryptography.Xml.dll": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:    "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "System.Security.Cryptography.Xml": "6.0.0",
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:      "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "lib/net6.0/System.Security.Cryptography.Xml.dll": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:    "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "System.Security.Cryptography.Xml": "6.0.0",
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:      "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "lib/net6.0/System.Security.Cryptography.Xml.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:    "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "System.Security.Cryptography.Xml": "6.0.0",
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:      "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "lib/net6.0/System.Security.Cryptography.Xml.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:    "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "System.Security.Cryptography.Xml": "6.0.0",
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:      "System.Security.Cryptography.Xml/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "lib/net6.0/System.Security.Cryptography.Xml.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:    "System.Security.Cryptography.Xml/6.0.0": {

Let's check where the binary exists:

# find /usr/share/dotnet/shared | grep System.Security.Cryptography.Xml
/usr/share/dotnet/shared/Microsoft.AspNetCore.App/7.0.3/System.Security.Cryptography.Xml.dll
# find /usr/share/dotnet/sdk | grep System.Security.Cryptography.Xml
/usr/share/dotnet/sdk/7.0.103/System.Security.Cryptography.Xml.dll
/usr/share/dotnet/sdk/7.0.103/FSharp/System.Security.Cryptography.Xml.dll

System.Drawing.Common

Required version is 4.7.2.

# find /usr/share/dotnet/sdk/7.0.103/ | grep .json | xargs grep System.Drawing.Common | grep -v 4.7.2
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/MSBuild.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/dotnet.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/FSharp/fsi.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:      "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "runtimes/unix/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "runtimes/win/lib/net6.0/System.Drawing.Common.dll": {
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:          "System.Drawing.Common": "6.0.0"
/usr/share/dotnet/sdk/7.0.103/FSharp/fsc.deps.json:    "System.Drawing.Common/6.0.0": {
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json:      "System.Drawing.Common/4.7.0": {
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json:
"System.Drawing.Common": "4.7.0"
/usr/share/dotnet/sdk/7.0.103/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json:    "System.Drawing.Common/4.7.0": {

Let's check where the binary exists:

# find /usr/share/dotnet/shared | grep System.Drawing.Common
# find /usr/share/dotnet/sdk | grep System.Drawing.Common
/usr/share/dotnet/sdk/7.0.103/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/runtimes/unix/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/runtimes/win/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/runtimes/unix/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/runtimes/win/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/runtimes/unix/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/runtimes/win/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/FSharp/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/FSharp/runtimes/unix/lib/net6.0/System.Drawing.Common.dll
/usr/share/dotnet/sdk/7.0.103/FSharp/runtimes/win/lib/net6.0/System.Drawing.Common.dll

System.Net.Http

Required version is 4.3.4.

# find /usr/share/dotnet/sdk/7.0.103/ | grep .json | xargs grep System.Net.Http | grep -v 4.3.4
/usr/share/dotnet/sdk/7.0.103/Microsoft.TestPlatform.PlatformAbstractions.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Microsoft.TestPlatform.PlatformAbstractions.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Microsoft.TestPlatform.PlatformAbstractions.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Microsoft.TestPlatform.PlatformAbstractions.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:      "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json:    "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:      "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json:    "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/vstest.console.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Microsoft.VisualStudio.TestPlatform.ObjectModel.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Microsoft.VisualStudio.TestPlatform.ObjectModel.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Microsoft.VisualStudio.TestPlatform.ObjectModel.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Microsoft.VisualStudio.TestPlatform.ObjectModel.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:      "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/dotnet-watch.deps.json:    "System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/datacollector.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/datacollector.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/datacollector.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/datacollector.deps.json:    "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/package.deps.json:      "runtime.native.System.Net.Http/4.3.0": {
/usr/share/dotnet/sdk/7.0.103/package.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/package.deps.json:          "runtime.native.System.Net.Http": "4.3.0",
/usr/share/dotnet/sdk/7.0.103/package.deps.json:    "runtime.native.System.Net.Http/4.3.0": {

Let's check where the binary exists:

# find /usr/share/dotnet/shared | grep System.Net.Http
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.3/System.Net.HttpListener.dll
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.3/System.Net.Http.Json.dll
/usr/share/dotnet/shared/Microsoft.NETCore.App/7.0.3/System.Net.Http.dll
# find /usr/share/dotnet/sdk | grep System.Net.Http
/usr/share/dotnet/sdk/7.0.103/Microsoft/Microsoft.NET.Build.Extensions/net471/lib/System.Net.Http.dll
/usr/share/dotnet/sdk/7.0.103/Microsoft/Microsoft.NET.Build.Extensions/net461/lib/System.Net.Http.dll
/usr/share/dotnet/sdk/7.0.103/TestHostNetFramework/System.Net.Http.dll

[KalleOlaviNiemitalo]

find /usr/share/dotnet/sdk/7.0.103/*.json is not the correct way to use find; that expands the glob in the shell already, so find then only echoes each argument. Instead use find /usr/share/dotnet/sdk/7.0.103 -name "*.json", which also finds JSON files in subdirectories.

[richlander]

Ooops! You were so right. Thanks for the tip. I ended up doing it a tiny bit differently.

[mthalman]

This is now also showing up in scans from Trivy (see #31074).

Simple repro using Docker:

docker run --rm aquasec/trivy image mcr.microsoft.com/dotnet/sdk:7.0-alpine

2023-03-08T20:15:25.156Z        INFO    Detecting dotnet-core vulnerabilities...

mcr.microsoft.com/dotnet/sdk:7.0-alpine (alpine 3.17.2)
=======================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/share/dotnet/sdk/7.0.201/DotnetTools/dotnet-format/dotnet-format.deps.json (dotnet-core)
============================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication   │
│                                │               │          │                   │               │ information exposed in a redirect...                      │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                 │
├────────────────────────────────┼───────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/DotnetTools/dotnet-watch/7.0.201-servicing.23116.14/tools/net7.0/any/dotnet-watch.deps.json (dotnet-core)
======================================================================================================================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication   │
│                                │               │          │                   │               │ information exposed in a redirect...                      │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                 │
├────────────────────────────────┼───────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/FSharp/fsc.deps.json (dotnet-core)
===============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM   │ 6.0.0             │ 6.0.1, 4.7.1  │ dotnet: External Entity Injection during XML signature │
│                                  │                │          │                   │               │ verification                                           │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-34716             │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/FSharp/fsi.deps.json (dotnet-core)
===============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├──────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM   │ 6.0.0             │ 6.0.1, 4.7.1  │ dotnet: External Entity Injection during XML signature │
│                                  │                │          │                   │               │ verification                                           │
│                                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-34716             │
└──────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json (dotnet-core)
==============================================================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                    │
├───────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ System.Drawing.Common │ CVE-2021-24112 │ CRITICAL │ 4.7.0             │ 5.0.3, 4.7.2  │ dotnet: Remote Code Execution Vulnerability │
│                       │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-24112  │
└───────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/package.deps.json (dotnet-core)
============================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH     │ 4.3.0             │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

usr/share/dotnet/sdk/7.0.201/vstest.console.deps.json (dotnet-core)
===================================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │ HIGH     │ 4.3.0             │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

[tmds]

cc @omajid

[omajid]

We have received similar reports for our builds of .NET. It looks like source-build is equally affected by these issues (even though, like the issue description says, source-built SDK is "not actually containing vulnerable binaries").

[thiagoloureiro]

Having lots of those warnings from my apps (all of them running on .net 7) with latest images. this comes from Azure.

Any thoughts when this will be fixed??

[TravisEz13]

PowerShell is having a similar issue with System.Private.Uri adding through a long chain of dependencies starting with,
https://www.nuget.org/packages/NJsonSchema/ ->
https://www.nuget.org/packages/Namotion.Reflection/ ->
https://www.nuget.org/packages/Microsoft.CSharp/4.3.0 ->
https://www.nuget.org/packages/System.Runtime/4.3.0 (through it's runtime) - >
System.Private.Uri

[git-smita]

any plans to fix the System.Drawing.Common [CVE-2021-24112] issues as the .deps.json points to a vuln version though as per KB the SDK version is not vulnerable.

System.Drawing.Common [CVE-2021-24112] is a false positive for 6.0 dotnet SDK.

Many scanners rely on the .deps.json file data.

[Styxxy]

Any update on this? The Azure Security Advisory is being spammed with this false positive. It makes it really hard to weed out true and false positives.

[shayansiddiqui]

Any update on this? We are facing issues with vulnerable version of System.Drawing,Common.

[KalleOlaviNiemitalo]

Newtonsoft.Json was upgraded to 13.0.1 just to satisfy vulnerability scanners, according to #31382 (comment).

The same doesn't seem to have been done to System.Drawing.Common. In .NET SDK 6.0.410 and .NET SDK 7.0.107, ILLink.Tasks.deps.json still references "System.Security.Permissions/4.7.0" → "System.Windows.Extensions/4.7.0" → "System.Drawing.Common/4.7.0".

In .NET 8, dotnet/runtime#82259 made System.Configuration.ConfigurationManager not depend on System.Security.Permissions. That change won't remove the System.Drawing.Common reference from ILLink.Tasks.deps.json though, because there are indirect dependencies via Microsoft.Build.Framework and Microsoft.Build.Utilities.Core as well. I don't know whether anything has been done to those.

[hoerup]

This is still an issue - especially the CVE-2021-24112 that is marked as critically by scan tools - any prospect of getting this resolved soon ?

[KalleOlaviNiemitalo]

The System.Drawing.Common reference in MSBuild was fixed as dotnet/msbuild#8962. That change is also on the vs17.8 branch, but not yet in .NET SDK 8.0.0-rc.1.

[hoerup]

just did a trivy scan of sdk 8.0.100-rc2 container image - and it still flags System.Drawing.Common 4.7.0 in usr/share/dotnet/sdk/8.0.100-rc.2.23502.2/Roslyn/Microsoft.Build.Tasks.CodeAnalysis.deps.json

[anshupandey0407]

Team, please help with below vulnerabilities.. these are for image - mcr.microsoft.com/dotnet/sdk:8.0

[hoerup]

the scanner warnings are still present in sdk 8.0.100 GA image :(

[hilari0n]

Not sure if it's the same or just a similar issue.
If you use a newest SDK v.6.0.417 (or 8.0.100) to create a minimalistic project for .NET 6.0 (or 8.0), e.g.:

dotnet new console --name minimum-test-project -f net6.0

and add a reference e.g. to System.Runtime (this is a quite common indirect reference from many NuGet packages used in larger-scale projects, and already mentioned in one of the previous posts in this thread), e.g. like this (version 4.3.1 is currently the newest available):

dotnet add package System.Runtime -v 4.3.1

and publish it for e.g. linux-x64, e.g. like this:

dotnet publish -r linux-x64 --no-self-contained -c Release -o /app

then scanners like Qualys or BlackDuck will report vulnerabilities in it - in this case in System.Private.Uri.
Apparently its because the project's *.deps.json file will list a reference to System.Private.Uri version 4.3.0, (which seems to be runtime specific indirect reference via runtime.any.System.Runtime version 4.3.0, referenced by System.Runtime), as the System.Private.Uri library in such a version is not present in the project result folder or in the environment where the scan is done.

Adding information on intended runtime version, e.g.:

<RuntimeFrameworkVersion>6.0.25</RuntimeFrameworkVersion>

does not change much - still the same runtime-specific references with the same versions appear.

It's unclear to me, if it's something indicating an actual security issue in an application, which needs to be resolved or rather a false-positive based on a convoluted and largely undocumented role of *.deps.json being misinterpreted by the scanners?
If it needs to be addressed, then for a case like I described above, you'd have to add a direct reference to the System.Private.Uri package, with version 4.3.1 or higher. Which is - as the package's own description - not intended for such use ("Internal implementation package not meant for direct consumption. Please do not reference directly.").

Here's a Dockerfile I used to produce the content for the scanners (put it in an empty folder - no other files are needed):

FROM --platform=amd64 mcr.microsoft.com/dotnet/sdk:6.0-alpine-amd64 AS build
WORKDIR /src
RUN dotnet new console --name minimum-test-project -f net6.0
WORKDIR /src/minimum-test-project
RUN dotnet add package System.Runtime -v 4.3.1
#RUN dotnet add package System.Private.Uri -v 4.3.2
RUN dotnet publish -r linux-x64 --no-self-contained -c Release -o /app

FROM --platform=amd64 mcr.microsoft.com/dotnet/runtime:6.0-alpine-amd64 AS result
WORKDIR /app
COPY --from=build /app /app/
ENTRYPOINT [ "dotnet", "minimum-test-project.dll" ]

[tremblaysimon]

It's unclear to me, if it's something indicating an actual security issue in an application, which needs to be resolved or rather a false-positive based on a convoluted and largely undocumented role of *.deps.json being misinterpreted by the scanners? If it needs to be addressed, then for a case like I described above, you'd have to add a direct reference to the System.Private.Uri package, with version 4.3.1 or higher. Which is - as the package's own description - not intended for such use ("Internal implementation package not meant for direct consumption. Please do not reference directly.").

That point should be addressed. When there is a lot of false positive in Security Scanner, what is the true benefit to use it?

Because as it was stated the problem is also found in Aqua Trivy.

For you information, there is no problem with Artifactory Xray since it seems to rely on nuget component, not on cryptic *.deps.json files.

[justindbaur]

.NET's own CLI will show these false positives if you run dotnet list package --vulnerable --include-transitive. I can maybe excuse 3rd party tools reporting false positives but your own tooling needs to get this right.

[richlander]

Can you share the project file you are using?

[justindbaur]

@richlander I'm running the above command at the solution level of https://github.com/bitwarden/server but if you want to just run it on a project you can do src/Core and this is the project file.

https://github.com/bitwarden/server/blob/3c76f48bdc0f38d97214bd688b438888ca012968/src/Core/Core.csproj

We are targeting .net8.0 through a Directory.Build.props file.

[richlander]

Thanks for sharing. That's very useful.

I see:

dotnet list package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json

Project `Core` has the following vulnerable packages
   [net8.0]: 
   Transitive Package                    Resolved   Severity   Advisory URL                                     
   > Azure.Identity                      1.10.3     Moderate   https://github.com/advisories/GHSA-wvxc-855f-jvrv
   > Microsoft.Identity.Client           4.56.0     Low        https://github.com/advisories/GHSA-x674-v45j-fwxw
   > System.Drawing.Common               4.7.0      Critical   https://github.com/advisories/GHSA-rxg9-xrhp-64gj
   > System.Net.Http                     4.3.0      High       https://github.com/advisories/GHSA-7jgj-8wvc-jh57
   > System.Text.RegularExpressions      4.3.0      High       https://github.com/advisories/GHSA-cmhx-cq75-c4mj

A quick look suggests that the first three hits are real and the last two are false positives. I'll ask the team about this.

[JonDouglas]

Currently, we don't have advanced features to minimize false positives, like static analysis tools that determine if a vulnerable code path is actually reachable. We are considering implementing tools similar to the vulncheck feature in Go to improve our analysis. This would require further development to enhance the accuracy of our results. As of now, we are at a preliminary stage where we alert you to security vulnerabilities, and you will need to assess their potential risk yourself.

[justindbaur]

Thanks @JonDouglas, static analysis tools would be amazing, I think those would help with a couple of the other vulnerable packages we have. I'd love to help implement the medium-term improvements though but I'll move that into the linked issue. Thanks to both of you for your help!

[hilari0n]

Currently, we don't have advanced features to minimize false positives, like static analysis tools that determine if a vulnerable code path is actually reachable.

The issue here does not seem to be requiring advanced analysis. The issue is, that the package version reported as referenced (indirectly), is not actually delivered with the application, as those packages come from the runtime (or ASP.Net runtime) itself. So whatever version would be referenced (directly or indirectly), would have no impact on the library version actually present. So it's either that the application would be vulnerable, if a vulnerable version of the runtime is used, or the application is not vulnerable, because a non-vulnerable version of the runtime is used. And all of it is regardless, if the application utilizes anything of that library or not, So having the library listed as referenced and delivered with the application is already an error, (which then translates to reporting a vulnerability as if it was in the application, while it is not).

[baronfel]

We're trying to stamp these out in our in-support versions, but .NET 7 is now out of support so we're not going to invest in getting it clean. Closing this issue as a result.

[hilari0n]

As mentioned, this happens also with 6.0, which is not out of support.

[baronfel]

You're right @hilari0n there are two main problems left in the 6.0 SDK at this point:

• NuGet.Packaging - tracked by dotnet 6.0.26+ SDK NuGet.Packaging Dependencies Vulnerable? #40355 but really will only be solved by https://github.com/NuGet/Client.Engineering/issues/2735
• System.Drawing.Common in the ILLink.Tasks - this is coming in because of a transitive dependency of Microsoft.Build.Framework. We had to fix this for other SDKs recently - checking if that got backported to a version that would work on .NET 6. Is System.drawing.common vulnerable to CVE-2021-24112 in .Net SDK 6.0 #29927 (comment)

[marlenkassym]

So are these to be treated as false positives? Where can information be found that suggests the later version of SDK are not affected?

The two vulnerabilities below are still being reported by Defender for Cloud in dotnet sdk v6.0.135.

CVE-2018-8292
Evidence
/usr/lib/dotnet/sdk/6.0.135/DotnetTools/dotnet-format/dotnet-format.deps.json
/usr/lib/dotnet/sdk/6.0.135/DotnetTools/dotnet-watch/6.0.135-servicing.24466.24/tools/net6.0/any/dotnet-watch.deps.json
/usr/lib/dotnet/sdk/6.0.135/FSharp/fsc.deps.json
/usr/lib/dotnet/sdk/6.0.135/FSharp/fsi.deps.json
/usr/lib/dotnet/sdk/6.0.135/dotnet-watch.deps.json

CVE-2019-0820
Evidence
/usr/lib/dotnet/sdk/6.0.135/DotnetTools/dotnet-format/dotnet-format.deps.json
/usr/lib/dotnet/sdk/6.0.135/DotnetTools/dotnet-watch/6.0.135-servicing.24466.24/tools/net6.0/any/dotnet-watch.deps.json
/usr/lib/dotnet/sdk/6.0.135/MSBuild.deps.json
/usr/lib/dotnet/sdk/6.0.135/NuGet.CommandLine.XPlat.deps.json
/usr/lib/dotnet/sdk/6.0.135/dotnet-watch.deps.json

[richlander]

These are all false positives. At this point, they will not be addressed with 6.0, which is very late in its lifespan. We are committed to addressing true positive security vulnerabilities in 6.0 while it remains in support. We are working on a systematic solution to this problem. We'd rather spend our effort on that.

There are multiple phases to dotnet build. dotnet restore is part of that and is flagging the vulnerabilities. A later part of the build removes the vulnerable references from the package graph such that they are not present. dotnet restore doesn't know this. In short, the project is to move the graph trimming to dotnet restore to make the entire build more consistent and to report correct audit results. Unfortunately, it's not as simple as moving a method call to another location. We need to move logic from msbuild to NuGet and the feature needs to be re-designed to be both better and more generic. It's a significant project so is going to take some time. Fortunately, it is in progress.

@ericstj @nkolev92 @baronfel

FYI: Please correct me MS folks if I got this wrong.