We are currently using SDK 5.0.202 and SDK 3.1.407 to restore, build and package our solution. There is now, for example, the transitive dependency System.Text.Encodings.Web, which was vulnerable to CVE-2021-26701 and was fixed and shipped in SDK 5.0.201 and SDK 3.1.407.
global.json:
{
  "sdk": {
    "version": "5.0.202",
    "rollForward": "latestFeature",
    "allowPrerelease": false
  }
}

Now, when we do a `dotnet list <project> package --include-transitive --outdated --framework netcoreapp3.1`, we get the following result:
The following sources were used:
https://pkgs.dev.azure.com/buhlergroup/_packaging/buhlergroup-external/nuget/v3/index.json
https://pkgs.dev.azure.com/buhlergroup/_packaging/buhlergroup-internal/nuget/v3/index.json
https://packages.devops.buhlergroup.com/nuget/iot-dev-nuget/
https://api.nuget.org/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
Project `Buhler.PocketNuke` has the following updates to its packages
[netcoreapp3.1]:
Top-level Package Requested Resolved Latest
> Microsoft.Graph.Beta 0.43.0-preview 0.43.0-preview 4.1.0-preview
Transitive Package Resolved Latest
> Azure.Core 1.8.1 1.13.0
> Colorful.Console 1.2.9 1.2.15
> Glob 1.1.5 1.1.8
> JetBrains.Annotations 2019.1.3 2021.1.0
> Microsoft.Bcl.AsyncInterfaces 1.0.0 5.0.0
> Microsoft.Bcl.HashCode 1.1.0 1.1.1
> Microsoft.Build 16.8.0 16.9.0
> Microsoft.Build.Framework 16.8.0 16.9.0
> Microsoft.Build.Tasks.Core 16.8.0 16.9.0
> Microsoft.Build.Utilities.Core 16.8.0 16.9.0
> Microsoft.IdentityModel.Clients.ActiveDirectory 5.2.4 5.2.9
> Microsoft.IdentityModel.Logging 1.1.2 6.11.0
> Microsoft.IdentityModel.Tokens 5.1.2 6.11.0
> Microsoft.NETCore.Platforms 3.1.0 5.0.2
> Microsoft.NETCore.Targets 1.1.3 5.0.0
> Microsoft.Rest.ClientRuntime 2.3.20 3.0.3
> Microsoft.Rest.ClientRuntime.Azure 3.3.18 4.0.3
> Microsoft.Win32.Registry 4.7.0 5.0.0
> Microsoft.Win32.SystemEvents 4.7.0 5.0.0
> NETStandard.Library 1.6.1 2.0.3
> Newtonsoft.Json 12.0.3 13.0.1
> Newtonsoft.Json.Bson 1.0.1 1.0.2
> NuGet.Common 5.3.1 5.9.1
> NuGet.Configuration 5.3.1 5.9.1
> NuGet.Frameworks 5.3.1 5.9.1
> NuGet.Packaging 5.3.1 5.9.1
> NuGet.Versioning 5.3.1 5.9.1
> Octokit 0.36.0 0.50.0
> Refit 5.0.23 6.0.38
> runtime.debian.8-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.fedora.23-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.fedora.24-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.native.System 4.3.0 4.3.1
> runtime.native.System.IO.Compression 4.3.0 4.3.2
> runtime.native.System.Net.Http 4.3.0 4.3.1
> runtime.native.System.Security.Cryptography.Apple 4.3.0 4.3.1
> runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.opensuse.13.2-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.Apple 4.3.0 4.3.1
> runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.ubuntu.14.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.ubuntu.16.04-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> runtime.ubuntu.16.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2 4.3.3
> SharpZipLib 1.1.0 1.3.1
> SonarAnalyzer.CSharp 8.20.0.28934 8.22.0.31243
> System.CodeDom 4.4.0 5.0.0
> System.Collections.Immutable 1.7.0 5.0.0
> System.ComponentModel.Annotations 4.4.1 5.0.0
> System.Configuration.ConfigurationManager 4.5.0 5.0.0
> System.Console 4.3.0 4.3.1
> System.Diagnostics.DiagnosticSource 4.7.1 5.0.1
> System.Drawing.Common 4.7.0 5.0.2
> System.Net.Primitives 4.3.0 4.3.1
> System.Reflection.Emit.ILGeneration 4.3.0 4.7.0
> System.Reflection.Emit.Lightweight 4.3.0 4.7.0
> System.Reflection.Metadata 1.6.0 5.0.0
> System.Reflection.TypeExtensions 4.3.0 4.7.0
> System.Resources.Extensions 4.6.0 5.0.0
> System.Runtime 4.3.0 4.3.1
> System.Runtime.CompilerServices.Unsafe 4.5.3 5.0.0
> System.Runtime.Extensions 4.3.0 4.3.1
> System.Security.AccessControl 4.7.0 5.0.0
> System.Security.Cryptography.Algorithms 4.3.0 4.3.1
> System.Security.Cryptography.Cng 4.7.0 5.0.0
> System.Security.Cryptography.OpenSsl 4.4.0 5.0.0
> System.Security.Cryptography.Pkcs 4.7.0 5.0.1
> System.Security.Cryptography.ProtectedData 4.5.0 5.0.0
> System.Security.Cryptography.X509Certificates 4.3.0 4.3.2
> System.Security.Cryptography.Xml 4.7.0 5.0.0
> System.Security.Permissions 4.7.0 5.0.0
> System.Security.Principal.Windows 4.7.0 5.0.0
> System.Text.Encoding.CodePages 4.0.1 5.0.0
> System.Text.Encodings.Web 5.0.0 5.0.1
> System.Text.Json 5.0.1 5.0.2
> System.Text.RegularExpressions 4.3.0 4.3.1
> System.Threading.Tasks.Dataflow 4.9.0 5.0.0
> System.Windows.Extensions 4.7.0 5.0.0
> System.Xml.ReaderWriter 4.3.0 4.3.1
> YamlDotNet 8.0.0 11.1.1
> System.Text.Encodings.Web 5.0.0 5.0.1
As you can see, the resolved version of System.Text.Encodings.Web is 5.0.0, which should be 5.0.1 as that is the version with the fix in it.
Do we need to explicitly specify them in the csproj? Or how can we enforce that the latest version of transitive framework dependencies is used?
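A check of the kind a CI job could run over the `dotnet list package --include-transitive --outdated` output shown above, failing when a transitive package resolves below a known patched version rather than merely below "latest". This is an added example, not code from the issue or the dotnet/sdk project; the policy table and the trimmed report excerpt are constructed, and the only policy entry the issue itself supports is System.Text.Encodings.Web >= 5.0.1.

```python
from typing import Dict, List, Tuple

# Minimum patched versions to enforce (constructed policy; the single entry
# below is the one the issue documents for CVE-2021-26701).
MIN_VERSIONS: Dict[str, str] = {
    "System.Text.Encodings.Web": "5.0.1",
}

# Constructed excerpt of the `dotnet list package` report from the issue.
SAMPLE_OUTPUT = """\
Project `Buhler.PocketNuke` has the following updates to its packages
[netcoreapp3.1]:
Top-level Package Requested Resolved Latest
> Microsoft.Graph.Beta 0.43.0-preview 0.43.0-preview 4.1.0-preview
Transitive Package Resolved Latest
> System.Text.Encodings.Web 5.0.0 5.0.1
> System.Text.Json 5.0.1 5.0.2
"""


def parse_version(v: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Sortable key for NuGet-style versions: numeric core, then prerelease tag."""
    core, _, pre = v.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))  # 5.0.1 == 5.0.1.0, as NuGet treats it
    # A release (no tag) sorts above any prerelease with the same core.
    return nums, ((1, "") if not pre else (0, pre))


def parse_report(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {package: (resolved, latest)} for top-level and transitive rows."""
    result: Dict[str, Tuple[str, str]] = {}
    section = None
    for line in text.splitlines():
        if line.startswith("Top-level Package"):
            section = "top"
        elif line.startswith("Transitive Package"):
            section = "transitive"
        elif line.startswith(">") and section:
            cols = line[1:].split()
            # Top-level rows carry Requested Resolved Latest; transitive rows Resolved Latest.
            resolved, latest = (cols[2], cols[3]) if section == "top" else (cols[1], cols[2])
            result[cols[0]] = (resolved, latest)
    return result


def find_violations(report: Dict[str, Tuple[str, str]], policy: Dict[str, str]) -> List[str]:
    """List packages whose resolved version is below the required minimum."""
    violations = []
    for pkg, minimum in policy.items():
        if pkg in report and parse_version(report[pkg][0]) < parse_version(minimum):
            violations.append(f"{pkg} resolved {report[pkg][0]} < required {minimum}")
    return violations
```

Comparing against a fixed minimum, not against "Latest", is what distinguishes a patched-version gate from a plain outdated-package report.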