dotnet-deps-binary-cataloger selects package versions that are written over by the runtime

[WesHaze]

What happened:
Generated a sbom for an application that references an old dotnet standard package that is written over by the runtime. But the sbom contained the package reference version and not the runtime version which is actually contained in the output folder. This can cause false positive/negatives and is detrimental to sbom quality/actionability.

What you expected to happen:
If I build in a certain dotnet version including a package reference with a version that is lower than what is listed under the runtime dependencies dotnet will resolve the dependency from the sdk version.

These packages are still referenced for dotnet standard compatability, but are these days included in the sdk/runtime and will be written over by them when building.
They're listed here for the runtime's master but you should reference the tag for the version you build with.
Blazor WASM for example extends these because they also need certain wasm packages.

Microsoft themselves at one point maintained a list with some of these for aspnet, but its not complete and its applied here.
In their own component detector (their equivelent of our cataloger) they used such lists to exclude these entries.

You could do the same by writing an app that dynamicly builds these projects with plausable projects to generate such a list, which is not unlike what they have done. But this seems unfruitfull and needlessly complex as they themselves missed Systems.Numeric.Vector for example.
It's far easier to compare the deps.json runtime section with the package entries in the same file.
The version of the package would then be set to the version you built with to accurately reflect the resolved version.

I think its worth considering if these should be included to begin with as they often do not exist on NuGet and vulnerabilities in these cases are listed under cve's that adress the sdk. Maybe this deserves a seperate issue.

(same section)

And under the packages:

The DLL in ILSPY

Steps to reproduce the issue:
syft scan the outputfolder of a dotnet project which references for example System.Security.Cng:5.0.0 or any of the packages that are now included in the runtime/sdk

Environment:

• Output of syft version: 1.31.0
• OS (e.g: cat /etc/os-release or similar): win-x64

[wagoodman]

Diving a little bit more:

  "targets": {
    ".NETCoreApp,Version=v8.0": {},
    ".NETCoreApp,Version=v8.0/win-x64": {
      "dotnetapp/1.0.0": {
        "dependencies": {
          "Humanizer": "2.14.1",
          "Newtonsoft.Json": "13.0.3",
          "runtimepack.Microsoft.NETCore.App.Runtime.win-x64": "8.0.14"
        },
        "runtime": {
          "dotnetapp.dll": {}
        }
      },
      "runtimepack.Microsoft.NETCore.App.Runtime.win-x64/8.0.14": {
        "runtime": {
          "Microsoft.CSharp.dll": {
            "assemblyVersion": "8.0.0.0",
            "fileVersion": "8.0.1425.11118"
          },
          "Microsoft.VisualBasic.Core.dll": {
            "assemblyVersion": "13.0.0.0",
            "fileVersion": "13.0.1425.11118"
          },
...
  "libraries": {
    "dotnetapp/1.0.0": {
      "type": "project",
      "serviceable": false,
      "sha512": ""
    },
    "runtimepack.Microsoft.NETCore.App.Runtime.win-x64/8.0.14": {
      "type": "runtimepack",  <--- this!
      "serviceable": false,
      "sha512": ""
    },
    "Humanizer/2.14.1": {
      "type": "package",
      "serviceable": true,
      "sha512": "sha512-/FUTD3cEceAAmJSCPN9+J+VhGwmL/C12jvwlyM1DFXShEMsBzvLzLqSrJ2rb+k/W2znKw7JyflZgZpyE+tI7lA==",
      "path": "humanizer/2.14.1",
      "hashPath": "humanizer.2.14.1.nupkg.sha512"
    },

I think the thing to key off of here is pruning packages that have a type runtimepack -- does this sound accurate at @WesHaze .

Are you seeing this only for self-contained builds (e.g. dotnet publish --self-contained ...)? If not, can you describe how your application is being bundled?

[WesHaze]

Yes that looks good to me, I just did a superficial check. Very nice work Alex.

I am publishing self contained for win-x64.
Its worth nothing that the list could vary depending on the OS as library writers themselves are responsible for controlling what dlls are included and you dont need to specify the platform when publishing.
This suggests that there should maybe an argument for OS selection, if you want to go down that route.

Thanks for your time, Alex.

@wagoodman

[WesHaze]

This is solvet in dotnet 10.

https://learn.microsoft.com/en-us/dotnet/core/compatibility/sdk/10.0/deps-json-trimmed-packages
@wagoodman Would you like to close the issue? (Pre existing versions exist but dotnet 10 can also build those now so I don't think it adds any value personally)

Btw i was watching a video by docker on dive some time ago and recognized the name. Awesome stuff man.