Closed
Description
Description of the false positive
We are using .NET and C# and GitHub Advanced Security through Azure DevOps.
We have various package references to things that in turn reference 'System.Text.Encodings.Web'.
So we have a number of possible references to 'System.Text.Encodings.Web', but ultimately that is resolved to 6.0.0.
We do not directly reference 'System.Text.Encodings.Web' at all.
e.g. Our transitive references to 'System.Text.Encodings.Web':
1. "Microsoft.ApplicationInsights.AspNetCore" --> "System.Text.Encodings.Web": "4.7.2"
2. "Azure.Core" --> "System.Text.Encodings.Web": "6.0.0"
3. "Microsoft.AspNetCore.Http.Abstractions" --> "System.Text.Encodings.Web": "4.5.0" (vulnerable)
4. "Microsoft.AspNetCore.WebUtilities" --> "System.Text.Encodings.Web": "4.5.0" (vulnerable)
5. "Microsoft.Data.SqlClient" --> "System.Text.Encodings.Web": "6.0.0"
e.g. The ultimate 'resolved' reference:
    "System.Text.Encodings.Web": {
        "type": "Transitive",
        "resolved": "6.0.0",
        "contentHash": "Vg8eB5Tawm1IFqj4TVK1czJX89rhFxJo9ELqc/Eiq0eXy13RK00eubyU6TJE6y+GQXjyV5gSfiewDUZjQgSE0w==",
        "dependencies": {
            "System.Runtime.CompilerServices.Unsafe": "6.0.0"
        }
    },
There are various references to the package, but the ultimate resolved reference is to v6.0.0, which is not vulnerable.
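The distinction the report draws, between the versions parents declare and the single version NuGet actually restores, can be checked directly against packages.lock.json. The script below is an added example, not part of the issue or of any GitHub tooling; it runs on a constructed lock file modelled on the fragment above (parent package versions and the content hash are placeholders) and lists the parent declarations that the resolved version supersedes.

```python
"""Report which declared transitive versions in a NuGet packages.lock.json are
superseded by the version that was actually resolved (constructed sample)."""
import json

# Constructed sample modelled on the report's lock file. Parent package versions
# ("0.0.0") and the contentHash are placeholders, not values from a real project.
LOCK_JSON = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Azure.Core": {"type": "Direct", "requested": "[0.0.0, )", "resolved": "0.0.0",
                           "dependencies": {"System.Text.Encodings.Web": "6.0.0"}},
            "Microsoft.AspNetCore.Http.Abstractions": {"type": "Transitive", "resolved": "0.0.0",
                           "dependencies": {"System.Text.Encodings.Web": "4.5.0"}},
            "Microsoft.ApplicationInsights.AspNetCore": {"type": "Transitive", "resolved": "0.0.0",
                           "dependencies": {"System.Text.Encodings.Web": "4.7.2"}},
            "System.Text.Encodings.Web": {"type": "Transitive", "resolved": "6.0.0",
                           "contentHash": "PLACEHOLDER==",
                           "dependencies": {"System.Runtime.CompilerServices.Unsafe": "6.0.0"}},
        }
    },
})

def load_sample():
    return json.loads(LOCK_JSON)

def parse_version(v):
    """'4.7.2' or '[4.7.2, )' -> (4, 7, 2). Only the lower bound matters here;
    prerelease labels are dropped, which suffices for the release versions above."""
    return tuple(int(p) for p in v.strip("[( ").split(",")[0].split("-")[0].split("."))

def declared_versions(lock, package, tfm):
    """Parent package -> version of `package` it declares (a NuGet minimum bound)."""
    graph = lock["dependencies"][tfm]
    return {parent: entry["dependencies"][package]
            for parent, entry in graph.items()
            if package in entry.get("dependencies", {})}

def resolved_version(lock, package, tfm):
    """The one version NuGet restored; this is what actually ships in the build."""
    return lock["dependencies"][tfm][package]["resolved"]

def superseded_declarations(lock, package, tfm):
    """Parents whose declared minimum is lower than the resolved version. A scanner
    that alerts on these declarations instead of the resolved version reports
    vulnerable versions that are never restored, which is the false positive here."""
    resolved = parse_version(resolved_version(lock, package, tfm))
    return sorted(parent for parent, v in declared_versions(lock, package, tfm).items()
                  if parse_version(v) < resolved)

if __name__ == "__main__":
    lock, pkg = load_sample(), "System.Text.Encodings.Web"
    print("resolved:", resolved_version(lock, pkg, "net6.0"))
    for parent in superseded_declarations(lock, pkg, "net6.0"):
        print("superseded declaration from", parent)
```

Point the loader at a real packages.lock.json (enable lock files with RestorePackagesWithLockFile) to confirm what a dependency alert should be judged against.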
Code samples or links to source code
N/A
URL to the alert on GitHub code scanning (optional)