
[Bug] Security warning/errors when restoring on net9preview #18019

Open
nickrandolph opened this issue Aug 26, 2024 · 6 comments
Labels
blocked/dependency Categorizes an issue as blocked due to another issue kind/bug Something isn't working

Comments

@nickrandolph
Contributor

Current behavior

Create new application using any of the template options
Update global.json to allow prerelease versions
Run dotnet restore

C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Expected behavior

No security warnings/errors

How to reproduce it (as minimally and precisely as possible)

No response

Workaround

No response

Works on UWP/WinUI

None

Environment

No response

NuGet package version(s)

No response

Affected platforms

No response

IDE

No response

IDE version

No response

Relevant plugins

No response

Anything else we need to know?

No response

@nickrandolph nickrandolph added kind/bug Something isn't working triage/untriaged Indicates an issue requires triaging or verification difficulty/tbd Categorizes an issue for which the difficulty level needs to be defined. labels Aug 26, 2024
@Youssef1313
Member

These are false positives from NuGet. NuGet/Home#13622

@MartinZikmund MartinZikmund added blocked/dependency Categorizes an issue as blocked due to another issue and removed triage/untriaged Indicates an issue requires triaging or verification difficulty/tbd Categorizes an issue for which the difficulty level needs to be defined. labels Aug 26, 2024
@Youssef1313
Member

The possible options:

  1. <NuGetAuditMode>direct</NuGetAuditMode>: If we go this way, it should be only during .NET 9 previews. Once stable, we shouldn't do this. I mean, it could just be a temporary easy workaround until we see if NuGet will fix things up on their side.
  2. NuGetAuditSuppress MSBuild item: we could do this to specify specific advisories where we are sure it's a false positive.
  3. Add direct PackageReference with non-vulnerable versions to silence NuGet warnings.
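The three options above, written out as MSBuild so they can be compared side by side. This is an added example for this thread, not code from the Uno Platform templates or from any participant. It assumes a `Directory.Build.props` at the repository root; the two switch properties `UseDirectAuditDuringPreview` and `PinPatchedTransitives` are hypothetical names invented here so that each option can be turned on independently; the advisory URLs are the ones printed in the NU1902/NU1903 warnings in the issue body; the package versions in option 3 are assumptions for illustration and must be checked against each advisory page before use.

```xml
<!-- Directory.Build.props (added example; not from the Uno templates or this thread).
     One PropertyGroup/ItemGroup per option from the comment above. Enable one at a time. -->
<Project>

  <!-- Option 1: audit only direct PackageReferences and ignore transitive ones.
       This silences every transitive advisory, genuine or false positive, so it is
       gated behind a hypothetical switch meant to be set only while on .NET 9 previews. -->
  <PropertyGroup Condition="'$(UseDirectAuditDuringPreview)' == 'true'">
    <NuGetAuditMode>direct</NuGetAuditMode>
  </PropertyGroup>

  <!-- Option 2: keep the full audit, but suppress exactly the advisories the thread
       identifies as false positives. Include is the advisory URL as printed in the
       NU1902/NU1903 warning; anything not listed here is still reported. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-447r-wph3-92pm" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-5f2m-466j-3848" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-x5qj-9vmx-7g6g" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xhfc-gr8f-ffwc" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-hh2w-p6rv-4g7w" />
  </ItemGroup>

  <!-- Option 3: lift the flagged packages to direct references at a patched version so
       the resolved graph no longer contains the vulnerable one. The versions below are
       assumptions for illustration; take the real patched version from each advisory.
       System.Private.Uri is deliberately left out: a later comment in this thread notes
       its NuGet description says not to reference it directly, so this option does not
       cleanly cover that package. -->
  <ItemGroup Condition="'$(PinPatchedTransitives)' == 'true'">
    <PackageReference Include="System.Formats.Asn1" Version="8.0.1" />
    <PackageReference Include="System.Text.Json" Version="8.0.4" />
  </ItemGroup>

</Project>
```

After changing the file, run `dotnet restore` again and check that the NU1902/NU1903 lines are gone from the output. Option 2 is the narrowest: it keeps the audit running for every other package and leaves a reviewable list of exactly which advisories were judged false positives, which should be revisited once NuGet/Home#13622 is resolved. Option 1 is the easiest to apply but also hides any real transitive advisory that appears later.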

@Youssef1313
Member

The NuGet issue will not be fixed in .NET 9 stable

@Youssef1313
Member

@jeromelaban Do you have a preference on what we should do here?

@jeromelaban
Member

There's no good way for fixing this. All modes are causing trouble. We'll need to fix this in multiple locations, or workaround in multiple locations and this is going to either be a security risk, or very verbose change to the default templates.

@MrYossu

MrYossu commented Nov 13, 2024

.NET 9 is now in general release and this error swamps the output. I'm getting this...

warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability

What should we do about it? The description for that package on NuGet explicitly says not to reference it directly.

Please advise what we are supposed to do. Thanks.
