
NuGet client (via dotnet SDK) incorrectly warns about vulnerable NuGet packages hoisted by the shared runtime #13751

@halter73

Description

I originally filed this issue against the dotnet SDK dotnet/sdk#43063, but the bot asked me to post this here. I'm not sure how much visibility NuGet has into what packages are hoisted by the shared runtime, but the issue is as follows:

Describe the bug

If you add a PackageReference to a project pointing to a vulnerable package version, dotnet commands like restore, build, run, and list package --vulnerable --include-transitive will report inaccurate vulnerability warnings for packages that are hoisted to a newer, non-vulnerable version by the shared runtime.

In my repro project at https://github.com/halter73/NuGetVulnerabilityFalsePositive, I demonstrate this with a direct PackageReference to System.Text.Json 8.0.3, but the problem persists for transitive references, which are harder to work around.

In the case of transitive dependencies, you cannot avoid the issue by simply removing the PackageReference. Instead, developers are forced to directly reference the packages that are falsely reported as vulnerable to get rid of warnings. This is demonstrated by dotnet/aspnetcore#57560 which tries to update the ASP.NET Core project templates so they do not produce NuGet vulnerability warnings. We would rather not be forced to reference packages that are part of the shared runtime.

To Reproduce

Exceptions (if any)

    PS C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive> dotnet run
    C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
    C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

    {"systemTextJsonPath":"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.8\\System.Text.Json.dll"}

Further technical details

dotnet --info
.NET SDK:
 Version:           8.0.401
 Commit:            811edcc344
 Workload version:  8.0.400-manifests.dd15fcf9
 MSBuild version:   17.11.4+37eb419ad

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.22631
 OS Platform: Windows
 RID:         win-x64
 Base Path:   C:\Program Files\dotnet\sdk\8.0.401\

.NET workloads installed:
Configured to use loose manifests when installing new manifests.
 [wasm-tools]
   Installation Source: VS 17.12.35214.114
   Manifest Version:    8.0.8/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.8\WorkloadManifest.json
   Install Type:        FileBased

 [aspire]
   Installation Source: VS 17.12.35227.331
   Manifest Version:    8.1.0/8.0.100
   Manifest Path:       C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.1.0\WorkloadManifest.json
   Install Type:        FileBased

Host:
  Version:      9.0.0-preview.7.24405.7
  Architecture: x64
  Commit:       static

.NET SDKs installed:
  7.0.200 [C:\Program Files\dotnet\sdk]
  8.0.304 [C:\Program Files\dotnet\sdk]
  8.0.401 [C:\Program Files\dotnet\sdk]
  9.0.100-preview.7.24407.12 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.0-preview.7.24406.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.33 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.0-preview.7.24405.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.32 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 6.0.33 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.7 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 9.0.0-preview.7.24405.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
  x86   [C:\Program Files (x86)\dotnet]
    registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
  Not set

global.json file:
  C:\dev\temp\NuGetVulnerabilityFalsePositive\global.json

VS Version: 17.12.0 Preview 2.0 [35227.331.main]

VS Vulnerability Warning

@Tragetaschen commented on the original issue pointing out the following.

I can see a myriad of warnings in our codebase, but not with 8.0.401, only with the preview bits. Basically everywhere:

    …csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
    …csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Those packages are not referenced explicitly and we are building for 8.0.8.

.NET SDK:
 Version:           9.0.100-preview.7.24407.12
 Commit:            d672b8a045
 Workload version:  9.0.100-manifests.baed1e37
 MSBuild version:   17.12.0-preview-24374-02+48e81c6f1

Neither 8.0.401 nor 9.0.100-… show a vulnerability when running dotnet list package --include-transitive --vulnerable

As you can see from my repro above, this bug does present itself even with 8.0.401 SDK specified in the global.json. The host version is 9.0.100-preview.7.24407.12, so that might have something to do with it.

I almost pointed to dotnet/runtime#106172 as being related, because that is the proximate cause for the System.Text.Json warning to show up in the RC1 ASP.NET Core project templates but not the preview7 one, but RC1 hasn't been released yet unless you're using https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet9/nuget/v3/index.json as a package feed. So, I think this regression probably does have something to do with the host version.
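A small triage helper for the NU1903 output quoted in this issue, added here as an example; it is not part of the issue, the repro project or NuGet itself. It parses the warning lines and checks each flagged package against the assemblies listed in the targeting pack's FrameworkList.xml, so a reviewer can see which warnings are candidates for the shared-runtime hoisting described above and which point at packages the framework cannot hoist. The build output and the FrameworkList.xml excerpt are constructed samples, and the third package and its advisory id are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# NU1903 lines as the dotnet CLI prints them (shape taken from the output quoted in this issue).
NU1903_RE = re.compile(
    r"warning NU1903: Package '(?P<id>[^']+)' (?P<version>\S+) has a known "
    r"(?P<severity>\w+) severity vulnerability, (?P<advisory>\S+)"
)

# Constructed sample build output: the two advisories quoted in the issue plus one
# made-up third-party package (placeholder advisory id) that the framework cannot hoist.
SAMPLE_BUILD_OUTPUT = """\
App.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
App.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
App.csproj : warning NU1903: Package 'Some.ThirdParty.Lib' 1.2.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-PLACEHOLDER
"""

# Constructed excerpt in the shape of the targeting pack's
# packs/Microsoft.NETCore.App.Ref/<version>/data/FrameworkList.xml; read the real file in practice.
FRAMEWORK_LIST_XML = """<FileList Name=".NET Runtime" FrameworkName="Microsoft.NETCore.App" TargetFrameworkVersion="8.0">
  <File Type="Managed" Path="ref/net8.0/System.Text.Json.dll" AssemblyName="System.Text.Json" AssemblyVersion="8.0.0.0" FileVersion="8.0.824.36612" />
  <File Type="Managed" Path="ref/net8.0/System.Formats.Asn1.dll" AssemblyName="System.Formats.Asn1" AssemblyVersion="8.0.0.0" FileVersion="8.0.824.36612" />
</FileList>"""


def framework_assemblies(framework_list_xml):
    """Map AssemblyName -> FileVersion for every managed assembly the shared framework ships."""
    root = ET.fromstring(framework_list_xml)
    return {f.get("AssemblyName"): f.get("FileVersion")
            for f in root.iter("File") if f.get("Type") == "Managed"}


def parse_nu1903(build_output):
    """Extract package id, version, severity and advisory URL from each NU1903 line."""
    return [m.groupdict() for m in NU1903_RE.finditer(build_output)]


def triage(build_output, framework_list_xml):
    """Split NU1903 warnings into candidates for the hoisting false positive described in
    the issue (assembly supplied by the shared framework) and warnings that are not.
    Assumes package id == assembly name, which holds for these System.* packages but not in
    general. A 'hoisted' entry is only cleared once the runtime the app actually runs on
    (see dotnet --info) carries the advisory's fix; self-contained apps get no hoisting."""
    shipped = framework_assemblies(framework_list_xml)
    hoisted, genuine = [], []
    for warning in parse_nu1903(build_output):
        if warning["id"] in shipped:
            warning["framework_file_version"] = shipped[warning["id"]]
            hoisted.append(warning)
        else:
            genuine.append(warning)
    return hoisted, genuine
```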
