
False positive when a *.deps.json file contains a dependency to a vulnerable package #93

Closed
CorneliaS opened this issue Jan 29, 2024 · 7 comments

CorneliaS commented Jan 29, 2024

Publishing a C# project as "self-contained" adds numerous dependencies in the *.deps.json file with versions that do not always represent the version in use.

For example, a C# Asp.Net project (.net 6.0) with the dependency to "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to the System.Private.Uri.dll of version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).

If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0.
Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0")

Please correct me if I am wrong: I think the result is a false positive.

Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.

Attached you find an example of the deps.json file: WebApplication1.deps.json

Update: Steps to reproduce

Create an image with the WebApplication1.deps.json file:
Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
COPY WebApplication1.deps.json .

Image creation:
docker build -t testimage:latest -f .\Dockerfile .
Running docker scout cli for that image returns the System.Private.Uri.dll vulnerabilities
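A triage helper for the mismatch described above, added here as an example and not code from the issue, Docker Scout, or the .NET SDK. It parses a constructed deps.json fragment (the `targets` entries carry the package version in their key and the shipped `assemblyVersion` per runtime file, as `dotnet publish` writes them) and flags entries whose package version disagrees in major version with the assembly actually shipped, or whose DLL is not present in the image at all; `SHIPPED_FILES` is a constructed stand-in for a listing of the published folder.

```python
import json

# Constructed deps.json fragment, not the WebApplication1.deps.json attached to the issue.
# Key = "Package/PackageVersion"; each runtime file records the assembly version shipped.
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0/linux-x64"},
  "targets": {
    ".NETCoreApp,Version=v6.0/linux-x64": {
      "runtime.any.System.Private.Uri/4.3.0": {"runtime": {
        "lib/netstandard1.0/System.Private.Uri.dll": {"assemblyVersion": "6.0.0.0", "fileVersion": "6.0.0.0"}}},
      "runtime.any.System.Runtime/4.3.0": {"runtime": {
        "lib/netstandard1.5/System.Runtime.dll": {"assemblyVersion": "6.0.0.0", "fileVersion": "6.0.0.0"}}},
      "Newtonsoft.Json/13.0.3": {"runtime": {
        "lib/net6.0/Newtonsoft.Json.dll": {"assemblyVersion": "13.0.0.0", "fileVersion": "13.0.3.0"}}},
      "System.Net.Http/4.3.4": {"runtime": {
        "lib/netstandard1.3/System.Net.Http.dll": {"assemblyVersion": "4.1.1.3", "fileVersion": "4.6.0.0"}}}
    }
  }
}
'''

# Constructed listing of DLLs actually present in the image; System.Net.Http.dll is
# deliberately absent to show the "referenced in deps.json but never shipped" case.
SHIPPED_FILES = {"System.Private.Uri.dll", "System.Runtime.dll", "Newtonsoft.Json.dll"}


def find_version_mismatches(deps_json_text, shipped_files):
    """Return (package, package_version, dll, assembly_version) for every runtime file
    that is either not shipped (assembly_version None) or shipped with an assembly whose
    major version differs from the package version a scanner would key on.
    Major-version comparison is a triage heuristic, not proof of a false positive."""
    doc = json.loads(deps_json_text)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    findings = []
    for key, entry in target.items():
        pkg, _, pkg_version = key.rpartition("/")
        for path, meta in entry.get("runtime", {}).items():
            dll = path.rsplit("/", 1)[-1]
            asm_version = meta.get("assemblyVersion")
            if dll not in shipped_files:
                findings.append((pkg, pkg_version, dll, None))
            elif asm_version and asm_version.split(".")[0] != pkg_version.split(".")[0]:
                findings.append((pkg, pkg_version, dll, asm_version))
    return findings


if __name__ == "__main__":
    for pkg, pkg_ver, dll, asm_ver in find_version_mismatches(SAMPLE_DEPS_JSON, SHIPPED_FILES):
        state = "not shipped" if asm_ver is None else f"shipped as assembly {asm_ver}"
        print(f"{pkg} {pkg_ver}: {dll} {state}; check any finding keyed on {pkg_ver} by hand")
```

Each flagged line is a candidate false positive to verify against the actual DLL in the image, not a verdict; entries that are neither flagged nor absent are the ones a deps.json-based scanner is reporting correctly.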

@cdupuis cdupuis self-assigned this Jan 29, 2024
@Astral100

I have a similar issue. Have there been any kind of update or resolution since then?


cdupuis commented Mar 23, 2024

Sorry for the silence on this issue. We are aware and will address this with the next release of the CLI.


cdupuis commented Apr 17, 2024

The latest CLI should fix this issue.

@cdupuis cdupuis closed this as completed Apr 17, 2024
@CorneliaS
Author

I can still reproduce this behavior with docker/scout-cli:latest (version 1.7.1). I've added an update with the steps to reproduce in the first post.

@cdupuis cdupuis reopened this Apr 23, 2024

cdupuis commented Apr 23, 2024

Oh, I was ahead of time. This is going to get released with the next version.

@CorneliaS
Author

Great! Thank you :)


cdupuis commented Jun 4, 2024

The fix was released.

@cdupuis cdupuis closed this as completed Jun 4, 2024