Description
Describe the bug
If you add a PackageReference to a project pointing to a vulnerable package version, dotnet commands like `dotnet build` and `dotnet list package --vulnerable --include-transitive` will report inaccurate vulnerability warnings for packages that are hoisted to a newer, non-vulnerable version by the shared runtime.
In my repro project at https://github.com/halter73/NuGetVulnerabilityFalsePositive, I demonstrate this with a direct PackageReference to System.Text.Json 8.0.3, but the problem persists for transitive references, which are harder to work around.
In the case of transitive dependencies, you cannot avoid the issue by simply removing the PackageReference. Instead, developers are forced to directly reference the packages that are falsely reported as vulnerable to get rid of warnings. This is demonstrated by dotnet/aspnetcore#57560 which tries to update the ASP.NET Core project templates so they do not produce NuGet vulnerability warnings. We would rather not be forced to reference packages that are part of the shared runtime.
To Reproduce
- Clone the https://github.com/halter73/NuGetVulnerabilityFalsePositive repo
- Run `dotnet build`
Exceptions (if any)
PS C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive> dotnet run
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
C:\dev\temp\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive\NuGetVulnerabilityFalsePositive.csproj : warning NU1903: Package 'System.Text.Json' 8.0.3 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
{"systemTextJsonPath":"C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.8\\System.Text.Json.dll"}
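The path printed above is the key fact for triaging such a NU1903 warning: the assembly that actually runs comes from the shared runtime, not from the flagged package. The following is an added triage check (not code from the repro project) that reports where System.Text.Json was loaded from and which file and informational versions it carries, so the warning can be compared against what the process really executes. It assumes a .NET 8 console app with a `<PackageReference Include="System.Text.Json" Version="8.0.3" />` like the repro; the `flaggedPackageVersion` constant is taken from the warning text on this page.

```csharp
// Added triage check, not part of the repro project.
// Assumes a .NET 8 console app referencing System.Text.Json 8.0.3.
using System;
using System.Diagnostics;
using System.Reflection;
using System.Text.Json;

// Package version named by the NU1903 warning (taken from the issue text).
const string flaggedPackageVersion = "8.0.3";

// Touching a type forces the assembly to load so we inspect the real one.
Assembly stj = typeof(JsonSerializer).Assembly;
string location = stj.Location; // empty for single-file bundles; see note below

// Assembly version stays 8.0.0.0 across 8.x servicing releases, so it cannot
// distinguish 8.0.3 from 8.0.8. File version and informational version can.
Version? asmVersion = stj.GetName().Version;
string? fileVersion = location.Length > 0
    ? FileVersionInfo.GetVersionInfo(location).FileVersion
    : null;
string? infoVersion = stj
    .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?
    .InformationalVersion;

// Hoisted assemblies live under <dotnet root>/shared/Microsoft.NETCore.App/<ver>/.
bool hoistedBySharedRuntime = location.Replace('\\', '/')
    .Contains("/shared/Microsoft.NETCore.App/", StringComparison.OrdinalIgnoreCase);

Console.WriteLine($"Loaded from:           {(location.Length > 0 ? location : "<in-memory / single-file>")}");
Console.WriteLine($"Assembly version:      {asmVersion}");
Console.WriteLine($"File version:          {fileVersion ?? "<unknown>"}");
Console.WriteLine($"Informational version: {infoVersion ?? "<unknown>"}");
Console.WriteLine(hoistedBySharedRuntime
    ? $"Hoisted: the shared runtime's copy runs, not package {flaggedPackageVersion}; NU1903 is a false positive for this app."
    : $"Not hoisted: the package copy runs, so package {flaggedPackageVersion} is what NU1903 describes.");
```

For a single-file publish `Assembly.Location` is empty, so only the informational version (which embeds the build's version and commit) is available for the comparison.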
Further technical details
- Include the output of `dotnet --info`
PS C:\dev\temp\NuGetVulnerabilityFalsePositive> dotnet --info
.NET SDK:
Version: 8.0.401
Commit: 811edcc344
Workload version: 8.0.400-manifests.dd15fcf9
MSBuild version: 17.11.4+37eb419ad
Runtime Environment:
OS Name: Windows
OS Version: 10.0.22631
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\8.0.401\
.NET workloads installed:
Configured to use loose manifests when installing new manifests.
[wasm-tools]
Installation Source: VS 17.12.35214.114
Manifest Version: 8.0.8/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.workload.mono.toolchain.current\8.0.8\WorkloadManifest.json
Install Type: FileBased
[aspire]
Installation Source: VS 17.12.35227.331
Manifest Version: 8.1.0/8.0.100
Manifest Path: C:\Program Files\dotnet\sdk-manifests\8.0.100\microsoft.net.sdk.aspire\8.1.0\WorkloadManifest.json
Install Type: FileBased
Host:
Version: 9.0.0-preview.7.24405.7
Architecture: x64
Commit: static
.NET SDKs installed:
8.0.401 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
Not set
global.json file:
C:\dev\temp\NuGetVulnerabilityFalsePositive\global.json
- The IDE (VS / VS Code/ VS4Mac) you're running on, and its version
17.12.0 Preview 2.0 [35227.331.main]