Incorrect dependency version // min-Version vs. runtime-Version
I am having trouble with incorrectly resolved NuGet package versions for transitive dependencies. Only the min version of the dependency is used, not the "real" runtime version that is actually used.
Issue: min-version specified in nuget vs. runtime version used
Example:
<PackageReference Include="Azure.Storage.Blobs" Version="12.9.1" />
The component lists the dependencies (https://www.nuget.org/packages/Azure.Storage.Blobs/12.9.1)
cyclonedx-dotnet uses project.assets.json to collect all NuGet dependencies. In the file the following entry can be found:
"Azure.Storage.Blobs/12.9.1": {
"type": "package",
"dependencies": {
"Azure.Storage.Common": "12.8.0",
"System.Text.Json": "4.6.0"
},
"compile": {
"lib/netstandard2.0/Azure.Storage.Blobs.dll": {}
},
"runtime": {
"lib/netstandard2.0/Azure.Storage.Blobs.dll": {}
}
},
But in fact the transitive dependency System.Text.Json is never used in that specific version; the "real" version from the specific runtime is used instead. In my case 5.0.2, as shown in the screenshot of the specific assembly:
My issue is that the min version dependency System.Text.Json 4.6.0 is used in the bom.xml of cyclonedx-dotnet, which leads to a security vulnerability message in my CI pipeline, but in fact that version is never used, because the runtime version 5.0.2 is active.
<component type="library">
<publisher>Microsoft</publisher>
<name>System.Text.Json</name>
<version>4.6.0</version>
<description>Provides high-performance and low-allocating types that serialize objects to JavaScript Object Notation (JSON) text and deserialize JSON text to objects, with UTF-8 support built-in. Also provides types to read and write JSON text encoded as UTF-8, and to create an in-memory document object model (DOM), that is read-only, for random access of the JSON elements within a structured view of the data.
Commonly Used Types:
System.Text.Json.JsonSerializer
System.Text.Json.JsonDocument
System.Text.Json.JsonElement
System.Text.Json.Utf8JsonWriter
System.Text.Json.Utf8JsonReader
When using NuGet 3.x this package requires at least version 3.4.</description>
<scope>required</scope>
<hashes>
<hash alg="SHA-512">14882E14C01813FCB211A49C27516268F38DC356203895F0A415DFA1AECC02098DB9FD777C19D42B444BCA36AC0F096A4322DF1225F818ABEAB8D121D49C7750</hash>
</hashes>
<licenses>
<license>
<url>https://github.com/dotnet/corefx/blob/master/LICENSE.TXT</url>
</license>
</licenses>
<copyright>© Microsoft Corporation. All rights reserved.</copyright>
<purl>pkg:nuget/System.Text.Json@4.6.0</purl>
<externalReferences>
<reference type="website">
<url>https://github.com/dotnet/corefx</url>
</reference>
</externalReferences>
</component>
The question is how to deal with this issue. The problem is that the information created by cyclonedx-dotnet is not 100% useful for the transitive dependencies, because it lists "wrong" versions, which result in false-positive alerts when the versions are processed (security checks, …).
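The distinction the issue turns on, as an added example that is not part of the original issue and not cyclonedx-dotnet's own code: in project.assets.json the values under a package's "dependencies" are NuGet version ranges (a bare "4.6.0" means ">= 4.6.0"), while the version NuGet actually resolved is the one in the entry key ("System.Text.Json/4.6.0"). Neither tells you which copy of a framework-provided assembly loads on a given runtime. The script below separates the three, on a constructed sample lockfile modelled on the snippet above (the Contoso.Util package in it is hypothetical, added to show a lower bound below the resolved version) and a constructed RUNTIME_ASSEMBLIES table standing in for what you would read at runtime from Assembly.GetName().Version. The override rule it applies, "the shared framework's copy wins when its version is at least the package's", is an assumption simplified from the SDK's package/framework conflict resolution, not something the issue states.

```python
"""Audit a NuGet project.assets.json: declared lower bounds vs. resolved
package versions vs. the copy the shared framework actually loads.

Added example for this issue; not cyclonedx-dotnet code. The lockfile and
the runtime assembly table below are constructed for the demo.
"""
import json

# Constructed sample modelled on the Azure.Storage.Blobs snippet in the issue.
# Contoso.Util is a hypothetical package that declares a lower bound below
# the version NuGet resolved for Azure.Storage.Common.
SAMPLE_ASSETS = r"""
{
  "version": 3,
  "targets": {
    "net5.0": {
      "Azure.Storage.Blobs/12.9.1": {
        "type": "package",
        "dependencies": {
          "Azure.Storage.Common": "12.8.0",
          "System.Text.Json": "4.6.0"
        },
        "compile": { "lib/netstandard2.0/Azure.Storage.Blobs.dll": {} },
        "runtime": { "lib/netstandard2.0/Azure.Storage.Blobs.dll": {} }
      },
      "Azure.Storage.Common/12.8.0": {
        "type": "package",
        "dependencies": { "System.Text.Json": "4.6.0" }
      },
      "Contoso.Util/2.1.0": {
        "type": "package",
        "dependencies": { "Azure.Storage.Common": "[12.7.0, 13.0.0)" }
      },
      "System.Text.Json/4.6.0": {
        "type": "package",
        "compile": { "lib/netstandard2.0/System.Text.Json.dll": {} },
        "runtime": { "lib/netstandard2.0/System.Text.Json.dll": {} }
      }
    }
  }
}
"""

# Constructed: assemblies supplied by the installed shared framework, as you
# would read them at runtime via Assembly.GetName().Version. The issue's
# screenshot showed System.Text.Json 5.0.2 loaded on .NET 5.
RUNTIME_ASSEMBLIES = {"System.Text.Json": "5.0.2"}


def version_key(v):
    """Comparable tuple for a dotted NuGet version; prerelease/build tags dropped."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("+", 1)[0].split("."))


def lower_bound(rng):
    """Minimum of a NuGet range string, e.g. '4.6.0' or '[12.7.0, 13.0.0)'."""
    rng = rng.strip()
    if rng[0] in "[(":
        rng = rng[1:].split(",", 1)[0]
    return rng.strip()


def resolved_packages(assets, target):
    """name -> version taken from the 'Name/Version' keys: what NuGet resolved."""
    result = {}
    for key, entry in assets["targets"][target].items():
        if entry.get("type") == "package":
            name, version = key.rsplit("/", 1)
            result[name] = version
    return result


def declared_minimums(assets, target):
    """name -> {dependent: lower bound}; 'dependencies' values are ranges, not picks."""
    result = {}
    for key, entry in assets["targets"][target].items():
        parent = key.rsplit("/", 1)[0]
        for dep, rng in entry.get("dependencies", {}).items():
            result.setdefault(dep, {})[parent] = lower_bound(rng)
    return result


def audit(assets_text, target, runtime_assemblies):
    """One record per resolved package with the version that ends up loaded.

    Assumption (simplified conflict resolution): if the shared framework ships
    the same assembly at a version >= the package's, the framework copy wins.
    """
    assets = json.loads(assets_text)
    resolved = resolved_packages(assets, target)
    mins = declared_minimums(assets, target)
    report = {}
    for name, version in resolved.items():
        fw = runtime_assemblies.get(name)
        if fw is not None and version_key(fw) >= version_key(version):
            effective, source = fw, "shared framework"
        else:
            effective, source = version, "package"
        report[name] = {"declared_min": mins.get(name, {}), "resolved": version,
                        "effective": effective, "source": source}
    return report


def false_positive_candidates(report):
    """Packages where a scanner keyed on the lockfile version would be wrong."""
    return sorted(n for n, r in report.items() if r["effective"] != r["resolved"])


if __name__ == "__main__":
    rep = audit(SAMPLE_ASSETS, "net5.0", RUNTIME_ASSEMBLIES)
    for name, r in sorted(rep.items()):
        print(f"{name}: declared>={r['declared_min']} resolved={r['resolved']} "
              f"effective={r['effective']} ({r['source']})")
    print("lockfile version differs from loaded version:", false_positive_candidates(rep))
```

Run against a real lockfile by replacing SAMPLE_ASSETS with the contents of obj/project.assets.json and the target key with your TFM; the RUNTIME_ASSEMBLIES table has to come from the machine that will actually run the app, which is exactly why a BOM built from the lockfile alone cannot know about the 5.0.2 copy.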
yep - it is:
@coderpatros Hey, did you get any feedback? As far as I'm understanding the NuGet resolving mechanics (although many things still surprise me), the exact version of a system library (which is included in the framework SDK) can only be determined at runtime, because it depends on which runtime version (with what patches) you have installed locally.
But I'm interested whether you have any more insight into it? Could you maybe put the reference to the docs regarding "All the documentation reads that project.assets.json, and especially packages.lock.json, should be a reliable source of truth for resolved dependencies."?