False positive when a *.deps.json file contains a dependency to a vulnerable package #93

Publishing a C# project as "self-contained" adds numerous dependencies to the *.deps.json file with versions that do not always represent the version in use.
For example, a C# ASP.NET project (.NET 6.0) with a dependency on "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to System.Private.Uri.dll version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).
If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0.
Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0".)
Please correct me if I am wrong: I think the result is a false positive.
Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.
Attached you find an example of the deps.json file: WebApplication1.deps.json

Update: Steps to reproduce
Create an image with the WebApplication1.deps.json file:
Dockerfile:
Image creation:
docker build -t testimage:latest -f .\Dockerfile .
Running docker scout cli for that image returns the System.Private.Uri.dll vulnerabilities.

Comments

I have a similar issue. Has there been any kind of update or resolution since then?

Sorry for the silence on this issue. We are aware and will address this with the next release of the CLI.

The latest CLI should fix this issue.

I can still reproduce this behavior with docker/scout-cli:latest (version 1.7.1). I've added an update with the steps to reproduce in the first post.

Oh, I was ahead of time. This is going to get released with the next version.

Great! Thank you :)

The fix was released.
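To make the mismatch this report describes concrete, here is an added example (not code from the issue, from Docker Scout, or from the .NET SDK) that parses a constructed, trimmed-down deps.json and cross-checks every package-declared runtime assembly against the assembly versions that actually ship in the publish folder. Entries whose DLL is superseded by a newer assembly of the same file name, or absent from the image entirely, are the ones a scanner keyed on deps.json package versions will report against code that never runs. The deps.json contents, the package names beyond those quoted in the issue, all assembly and file versions, and the SHIPPED_ASSEMBLIES inventory are constructed assumptions; on a real image you would fill the inventory from the assembly metadata of the DLLs next to the deps.json.

```python
import json
from typing import Dict, List, Tuple

# Constructed, trimmed-down deps.json in the shape the .NET SDK emits (runtimeTarget,
# targets, libraries). Package names beyond those quoted in the issue and every
# assembly/file version are assumptions for illustration, not the attached file.
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0/linux-x64", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v6.0/linux-x64": {
      "WebApplication1/1.0.0": {
        "dependencies": { "System.Net.Http": "4.3.4", "Newtonsoft.Json": "13.0.3" },
        "runtime": { "WebApplication1.dll": {} }
      },
      "System.Net.Http/4.3.4": {
        "dependencies": { "runtime.any.System.Runtime": "4.3.0", "runtime.any.System.Private.Uri": "4.3.0" },
        "runtime": { "lib/net46/System.Net.Http.dll": { "assemblyVersion": "4.1.1.3", "fileVersion": "4.6.25211.1" } }
      },
      "runtime.any.System.Runtime/4.3.0": {
        "runtime": { "lib/netstandard1.5/System.Runtime.dll": { "assemblyVersion": "4.1.1.0", "fileVersion": "4.6.24705.1" } }
      },
      "runtime.any.System.Private.Uri/4.3.0": {
        "runtime": { "lib/netstandard1.0/System.Private.Uri.dll": { "assemblyVersion": "4.0.2.0", "fileVersion": "4.6.24705.1" } }
      },
      "Newtonsoft.Json/13.0.3": {
        "runtime": { "lib/net6.0/Newtonsoft.Json.dll": { "assemblyVersion": "13.0.0.0", "fileVersion": "13.0.3.27908" } }
      }
    }
  },
  "libraries": {
    "WebApplication1/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "System.Net.Http/4.3.4": { "type": "package", "serviceable": true, "sha512": "" },
    "runtime.any.System.Runtime/4.3.0": { "type": "package", "serviceable": true, "sha512": "" },
    "runtime.any.System.Private.Uri/4.3.0": { "type": "package", "serviceable": true, "sha512": "" },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true, "sha512": "" }
  }
}
'''

# Constructed inventory of what the self-contained publish folder actually contains
# (DLL file name -> assembly version). On a real image, build this from the assembly
# metadata of the files that sit next to the deps.json.
SHIPPED_ASSEMBLIES: Dict[str, str] = {
    "WebApplication1.dll": "1.0.0.0",
    "System.Net.Http.dll": "6.0.0.0",
    "System.Runtime.dll": "6.0.0.0",
    "System.Private.Uri.dll": "6.0.0.0",
    "Newtonsoft.Json.dll": "13.0.0.0",
}


def parse_runtime_assets(deps_json: str) -> List[Tuple[str, str, str, str]]:
    """Return (package, package_version, dll_name, declared_assembly_version) for every
    runtime asset of a NuGet package under the runtimeTarget; the project entry is skipped."""
    doc = json.loads(deps_json)
    target = doc["targets"][doc["runtimeTarget"]["name"]]
    libraries = doc.get("libraries", {})
    assets = []
    for lib_id, entry in target.items():
        if libraries.get(lib_id, {}).get("type") != "package":
            continue
        name, _, version = lib_id.partition("/")
        for asset_path, meta in entry.get("runtime", {}).items():
            dll = asset_path.rsplit("/", 1)[-1]
            assets.append((name, version, dll, meta.get("assemblyVersion", "")))
    return assets


def version_tuple(version: str) -> Tuple[int, ...]:
    # "6.0.0.0" -> (6, 0, 0, 0); non-numeric parts such as prerelease tags are ignored.
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def triage(deps_json: str, shipped: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each package-declared assembly against what the publish folder ships:
    in_use      -> the declared assembly is the one on disk (a scanner hit is real),
    superseded  -> a newer assembly with the same file name ships (likely false positive),
    not_shipped -> the DLL is absent from the image entirely (also a likely false positive)."""
    report: Dict[str, List[str]] = {"in_use": [], "superseded": [], "not_shipped": []}
    for pkg, pkg_ver, dll, declared in parse_runtime_assets(deps_json):
        label = f"{pkg}/{pkg_ver} ({dll} {declared or 'no assemblyVersion'})"
        actual = shipped.get(dll)
        if actual is None:
            report["not_shipped"].append(label)
        elif declared and version_tuple(actual) > version_tuple(declared):
            report["superseded"].append(f"{label} -> shipped {actual}")
        else:
            report["in_use"].append(label)
    return report


def likely_false_positives(deps_json: str, shipped: Dict[str, str]) -> List[str]:
    """Package names whose deps.json version is not the code that actually runs."""
    report = triage(deps_json, shipped)
    return sorted(line.split("/", 1)[0] for line in report["superseded"] + report["not_shipped"])


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_DEPS_JSON, SHIPPED_ASSEMBLIES).items():
        print(f"[{bucket}]")
        for line in lines:
            print("  " + line)
```

Matching on DLL file name is a heuristic (an assumption of this example, not a rule from the SDK): it is good enough to separate the runtime.any.* entries that the .NET 6 runtime supersedes from a package like Newtonsoft.Json that really ships at the declared version, which is the distinction a triage of a scanner report needs. It does not replace the scanner fix; it tells you which findings to challenge.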