
dotnet list package --vulnerable, --deprecated, --outdated does not work for transitive-only positives #10767

Closed
watfordgnf opened this issue Apr 13, 2021 · 11 comments
Labels
Functionality:ListPackage dotnet.exe list package Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug

Comments

@watfordgnf

Details about Problem

It appears that vulnerable package listing does not work, even if it shows up on the NuGet website. I used the example found in https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/ and could not recreate the experience.

NuGet product used (NuGet.exe | Visual Studio | MSBuild.exe | dotnet.exe): dotnet.exe

Product version:

PS E:\scratch\ConsoleApp1\> dotnet --info
.NET SDK (reflecting any global.json):
 Version:   5.0.202
 Commit:    db7cc87d51

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.202\

Host (useful for support):
  Version: 5.0.5
  Commit:  2f740adc14
...

Worked before? If so, with which NuGet version: Not sure.

Repro steps and/or sample project

Add Microsoft.OData.Services.Client 5.2.0 (as seen in the Microsoft example), which has known vulnerabilities in a dependent package (Microsoft.Data.OData) listed on the NuGet.org homepage:

PS E:\scratch\ConsoleApp1> dotnet list package --include-transitive
Project 'ConsoleApp1' has the following package references
   [net472]:
   Top-level Package                     Requested   Resolved
   > Microsoft.Data.Services.Client      5.2.0       5.2.0

   Transitive Package          Resolved
   > Microsoft.Data.Edm        5.2.0
   > Microsoft.Data.OData      5.2.0
   > System.Spatial            5.2.0

PS E:\scratch\ConsoleApp1> dotnet list package --vulnerable

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

The given project `ConsoleApp1` has no vulnerable packages given the current sources.
PS E:\scratch\ConsoleApp1> dotnet list package --vulnerable --include-transitive

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

The given project `ConsoleApp1` has no vulnerable packages given the current sources.

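As an added example, not code from the issue or from the NuGet project, here is a POSIX shell gate a CI job could wrap around `dotnet list package --vulnerable --include-transitive`. The row marker `>` and the "has no vulnerable packages" sentinel are taken from the output above; the two sample reports are constructed, and the wording of the flagged report's header line and its Severity/Advisory URL columns are an assumption about the layout, since the fixed output appears on this page only as screenshots.

```sh
#!/bin/sh
# Added example, not code from the NuGet issue: a CI gate around
#   dotnet list package --vulnerable --include-transitive
# The gate counts the package rows the report lists (lines starting with ">",
# in both the top-level and transitive tables, as in the output above) and
# only treats the run as clean when the "has no vulnerable packages" sentinel
# is present. Anything else (restore error, unexpected text) fails closed.

# Constructed sample: a project whose transitive package is flagged. The header
# line wording and the Severity/Advisory URL columns are assumptions about the
# report layout; the advisory URL is a placeholder.
REPORT_FLAGGED='The following sources were used:
   https://api.nuget.org/v3/index.json

Project `ConsoleApp1` has the following vulnerable packages
   [net472]:
   Transitive Package          Resolved   Severity   Advisory URL
   > Microsoft.Data.OData      5.2.0      High       https://ADVISORY-URL-PLACEHOLDER.invalid/'

# Constructed sample: a clean project, using the sentinel wording from the issue.
REPORT_CLEAN='The following sources were used:
   https://api.nuget.org/v3/index.json

The given project `ConsoleApp1` has no vulnerable packages given the current sources.'

# flagged_count REPORT: print how many package rows the report lists.
# grep -c exits 1 when the count is 0 but still prints "0", so keep going.
flagged_count() {
  printf '%s\n' "$1" | grep -c '^[[:space:]]*>' || true
}

# gate_report REPORT: 0 = clean, 1 = at least one package listed,
# 2 = unrecognised text (fail closed rather than treat it as clean).
gate_report() {
  if [ "$(flagged_count "$1")" -gt 0 ]; then
    return 1
  fi
  if printf '%s\n' "$1" | grep -q 'has no vulnerable packages'; then
    return 0
  fi
  return 2
}

# check_project PROJECT: run the real command (needs the .NET SDK on PATH)
# and gate its output. Hypothetical helper for use in CI; not run below.
check_project() {
  out=$(dotnet list "$1" package --vulnerable --include-transitive 2>&1) || return 2
  gate_report "$out"
}

# Demo on the constructed samples; the if-statement keeps set -e from aborting.
demo_one() {
  if gate_report "$2"; then
    echo "$1: clean (rc=0)"
  else
    echo "$1: not clean (rc=$?)"
  fi
}
demo_one "flagged sample" "$REPORT_FLAGGED"
demo_one "clean sample" "$REPORT_CLEAN"
demo_one "restore error" "error: restore failed (constructed text)"
```

On an SDK with the bug in this issue the flagged transitive package never reaches the report text at all, so no parser can recover it; what the gate does buy is independence from the command's exit code (which is 0 in every run shown above) and a fail-closed result when the output is neither a package table nor the clean sentinel, for example a restore error.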

@watfordgnf
Author

Related: see dotnet/runtime#49377 and dotnet/runtime#50914

@JonDouglas
Contributor

Microsoft.Data.OData is a transitive package in this scenario & currently will not be reported as vulnerable in the current v1 experience. This is something we are working on adding in a future iteration once we support transitive packages throughout more tools:

https://github.com/NuGet/Home/blob/dev/proposed/2020/Transitive-Dependencies.md

If it is promoted to a top-level package, it will be reported.

/cc @drewgillies

@watfordgnf
Author

That's a bit confusing given the examples listed:
[screenshot]

@JonDouglas
Contributor

Sorry that is confusing. I'll defer to @drewgillies on the behavior of "transitive" packages that support old TFMs like net40 & sl4. Ideally it should work similar to the behavior as .NET Core packages (the screenshots shown w/ UmbracoForms).

@drewgillies
Contributor

@watfordgnf I'm able to reproduce this bug. I'm investigating now to see whether there is a workaround (and what indeed is broken).

@drewgillies
Contributor

drewgillies commented Apr 14, 2021

@watfordgnf @JonDouglas this is definitely a bug, a long-standing one which has historically also affected the --deprecated and --outdated reports when only transitive dependencies are "positives". Thank you for making us aware of it, @watfordgnf, and you can track the fix by following the above PR. You'll note that there's also now test coverage for these cases. Regrettably there is no workaround.

@watfordgnf
Author

Thank you for figuring this out!

@nkolev92 nkolev92 added Functionality:ListPackage dotnet.exe list package Priority:2 Issues for the current backlog. Product:dotnet.exe Type:Bug labels Apr 14, 2021
@nkolev92 nkolev92 added this to the Sprint 2021-04 milestone Apr 14, 2021
@drewgillies drewgillies changed the title dotnet list package --vulnerable does not work dotnet list package --vulnerable, --deprecated, --outdated does not work for transitive-only positives Apr 14, 2021
@drewgillies drewgillies removed their assignment Apr 16, 2021
@zkat zkat assigned dominoFire and unassigned aortiz-msft Apr 26, 2021
@aortiz-msft aortiz-msft reopened this Jun 16, 2021
@aortiz-msft
Contributor

Hi @drewgillies - The issue still reproduces after the fix. Would you please take a look?

@aortiz-msft
Contributor

Hi @drewgillies - We are trying to understand if there's any work left here.

@aortiz-msft aortiz-msft removed this from the Sprint 2021-11 milestone Nov 2, 2021
@nkolev92
Member

nkolev92 commented Nov 4, 2021

@v-luzh

Can you please check if this issue repros with the latest 6.0.1xx SDK?

We expect that it is fixed.

@v-luzh

v-luzh commented Nov 8, 2021

@nkolev92 It is fixed on Main\31907.30 with the .NET SDK 6.0.100 for listing the transitive vulnerable package as below.
[screenshot]
dotnet list package --deprecated --include-transitive and dotnet list package --outdated --include-transitive can show the deprecated/outdated transitive packages correctly, too.

@v-luzh v-luzh removed their assignment Nov 8, 2021
@nkolev92 nkolev92 closed this as completed Nov 8, 2021
8 participants