DevAudit reports vulnerability on Nuget package for lower vulnerable version not in csproj file. #142

Closed
bp4151 opened this issue Jun 16, 2021 · 1 comment


bp4151 commented Jun 16, 2021

This is interesting.

I set up a test DotNetCore project with a non-vulnerable version of Log4Net (20.0.12). When I run DevAudit against that csproj file, I get the following message in the console:

[2/45] log4net 2.0.9 1 known vulnerability, 0 affecting installed package version(s).

I also get the following in the output

```json
"Package": {
  "pm": "nuget",
  "group": null,
  "name": "log4net",
  "version": "2.0.9",
  "vendor": null
},
"Vulnerabilities": [{
  "id": "c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c",
  "title": "[CVE-2018-1285] Apache log4net before 2.0.8 does not disable XML external entities when parsing ...",
  "description": "Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.",
  "cvssScore": "9.8",
  "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cwe": null,
  "reference": "https://ossindex.sonatype.org/vulnerability/c4ac70fa-d3ce-4153-b4e9-e1a9d193be8c?component-type=nuget&component-name=log4net&utm_source=devaudit&utm_medium=integration&utm_content=3.4"
}]
```

It looks like it's reporting the lower version vulnerability even though the version in the project is not vulnerable. I included my csproj file and output.

sca_dotnet_test.zip

Running log4net 20.0.12 directly against the OssIndex API returns the expected result.

```json
[
  {
    "coordinates": "pkg:nuget/log4net@20.0.12",
    "description": "log4net is a tool to help the programmer output log statements to a variety of output targets. log4net is a port of the excellent log4j framework to the .NET runtime",
    "reference": "https://ossindex.sonatype.org/component/pkg:nuget/log4net@20.0.12?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
```


bp4151 commented Jun 16, 2021

Non-issue. I didn't see --no-cache in the options list. Using that switch appears to handle the issue.

@bp4151 bp4151 closed this as completed Jun 16, 2021
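The symptom in this thread is a report whose scanned package version does not match the version pinned in the csproj, which points at a stale cache rather than a real finding. The following is an added example (not DevAudit's own code) that cross-checks a DevAudit-style JSON report against the csproj and also evaluates whether a "before X" advisory actually covers the declared version; the csproj and report fragments are constructed from the values quoted in the issue.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed csproj fragment mirroring the issue: log4net pinned to 20.0.12.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="log4net" Version="20.0.12" />
  </ItemGroup>
</Project>"""

# Constructed report fragment built from the values DevAudit printed in the issue
# (a cached result for 2.0.9, not the declared 20.0.12).
REPORT = json.dumps([{
    "Package": {"pm": "nuget", "name": "log4net", "version": "2.0.9"},
    "Vulnerabilities": [{
        "title": "[CVE-2018-1285] Apache log4net before 2.0.8 does not disable XML external entities when parsing ...",
        "cvssScore": "9.8"}]}])

def csproj_versions(xml_text):
    """Map lower-cased package name -> Version attribute of each PackageReference."""
    root = ET.fromstring(xml_text)
    return {e.get("Include").lower(): e.get("Version")
            for e in root.iter("PackageReference") if e.get("Include")}

def version_tuple(v):
    """Turn '20.0.12' into (20, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def affects(title, installed):
    """True when a 'before X' clause in the advisory title covers the installed version."""
    m = re.search(r"before (\d+(?:\.\d+)*)", title)
    return bool(m) and version_tuple(installed) < version_tuple(m.group(1))

def audit(report_json, csproj_xml):
    """One finding per reported package: stale-cache flag plus the advisories that apply."""
    declared = csproj_versions(csproj_xml)
    findings = []
    for entry in json.loads(report_json):
        name, scanned = entry["Package"]["name"], entry["Package"]["version"]
        actual = declared.get(name.lower())
        findings.append({
            "package": name,
            "scanned_version": scanned,
            "declared_version": actual,
            # Scanned version differing from the csproj is exactly the symptom in the issue.
            "stale_cache": actual is not None and actual != scanned,
            "applicable": [v["title"] for v in entry["Vulnerabilities"]
                           if actual and affects(v["title"], actual)],
        })
    return findings
```

A `stale_cache` hit is the cue to rerun with `--no-cache` as the reporter did; an empty `applicable` list for 20.0.12 matches the "0 affecting installed package version(s)" the console printed.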