Qualys scan showing vulnerabilities in SDK
Running a Qualys vulnerability scan on an SDK installation yields several vulnerability results from NuGet package references. These are showing up in Qualys scans of the official .NET Docker images for the SDK (e.g. mcr.microsoft.com/dotnet/sdk:7.0) even though they have the latest SDK version installed.
CVE-2019-0820: references System.Text.RegularExpressions, version 4.3.0. Required version is 4.3.1.
Install location sources:
- sdk/7.0.103/package.deps.json
- sdk/7.0.103/vstest.console.deps.json
- sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json
- sdk/7.0.103/dotnet-watch.deps.json
- sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json
CVE-2022-34716: references System.Security.Cryptography.Xml, version 6.0.0. Required version is 6.0.1.
Install location sources:
- sdk/7.0.103/dotnet.deps.json
- sdk/7.0.103/MSBuild.deps.json
- sdk/7.0.103/FSharp/fsi.deps.json
- sdk/7.0.103/NuGet.CommandLine.XPlat.deps.json
- sdk/7.0.103/FSharp/fsc.deps.json
CVE-2021-24112: references System.Drawing.Common, version 4.7.0. Required version is 4.7.2.
Install location sources:
- sdk/7.0.103/Sdks/Microsoft.NET.ILLink.Tasks/tools/net7.0/ILLink.Tasks.deps.json
CVE-2018-8292: references System.Net.Http, version 4.3.0. Required version is 4.3.4.
Install location sources:
- sdk/7.0.103/DotnetTools/dotnet-format/dotnet-format.deps.json
- sdk/7.0.103/dotnet-watch.deps.json
- sdk/7.0.103/DotnetTools/dotnet-watch/7.0.103-servicing.23080.6/tools/net7.0/any/dotnet-watch.deps.json
These all seem to be NuGet package reference issues but not an issue of the SDK actually containing any vulnerable binaries. It’s not clear what causes things to be referencing these particular versions. It is important that these get addressed, however, since this nuance of “not actually containing vulnerable binaries” isn’t good enough. The Qualys scanner is still identifying these and reporting them, which would cause concern among customers.
Issue Analytics
- Created 7 months ago
- Comments: 13 (7 by maintainers)
Top GitHub Comments
find /usr/share/dotnet/sdk/7.0.103/*.json is not the correct way to use find; that expands the glob in the shell already, so find then only echoes each argument. Instead use find /usr/share/dotnet/sdk/7.0.103 -name "*.json", which also finds JSON files in subdirectories.

Newtonsoft.Json was upgraded to 13.0.1 just to satisfy vulnerability scanners, according to https://github.com/dotnet/sdk/issues/31382#issuecomment-1504169049.
The same doesn’t seem to have been done to System.Drawing.Common. In .NET SDK 6.0.410 and .NET SDK 7.0.107, ILLink.Tasks.deps.json still references “System.Security.Permissions/4.7.0” → “System.Windows.Extensions/4.7.0” → “System.Drawing.Common/4.7.0”.
In .NET 8, https://github.com/dotnet/runtime/pull/82259 made System.Configuration.ConfigurationManager not depend on System.Security.Permissions. That change won’t remove the System.Drawing.Common reference from ILLink.Tasks.deps.json though, because there are indirect dependencies via Microsoft.Build.Framework and Microsoft.Build.Utilities.Core as well. I don’t know whether anything has been done to those.
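One way to reproduce what the scanner does over the deps.json files listed in the issue, and to trace the kind of chain the comment above describes (System.Security.Permissions → System.Windows.Extensions → System.Drawing.Common), as an added example that is not code from the dotnet/sdk project or from the commenters. The deps.json content is constructed in the real file shape (the ILLink.Tasks version in it is a placeholder), and the REQUIRED map is taken from the findings quoted in the issue.

```python
"""Flag NuGet references in a .deps.json that fall below a required version and show the
chain that pulls each one in. Added example for this issue, not code from dotnet/sdk."""
import json
import sys
# Constructed sample in the real .deps.json shape ("targets" -> tfm -> "Name/Version"),
# mirroring the chain the comment above describes; the ILLink.Tasks version is a placeholder.
SAMPLE_DEPS_JSON = json.dumps({"targets": {".NETCoreApp,Version=v7.0": {
    "ILLink.Tasks/0.0.0-sample": {"dependencies": {"System.Security.Permissions": "4.7.0"},
                                  "runtime": {"ILLink.Tasks.dll": {}}},
    "System.Security.Permissions/4.7.0": {"dependencies": {"System.Windows.Extensions": "4.7.0"}},
    "System.Windows.Extensions/4.7.0": {"dependencies": {"System.Drawing.Common": "4.7.0"}},
    "System.Drawing.Common/4.7.0": {}}}})

# Minimum versions taken from the scanner findings quoted in the issue.
REQUIRED = {"System.Text.RegularExpressions": "4.3.1", "System.Security.Cryptography.Xml": "6.0.1",
            "System.Drawing.Common": "4.7.2", "System.Net.Http": "4.3.4"}

def parse_version(v):
    """Numeric tuple for comparison; a suffix such as '-servicing.23080.6' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def load_graph(text):
    """Return {name: (version, {dependency: version})} for every entry under 'targets'."""
    graph = {}
    for entries in json.loads(text).get("targets", {}).values():
        for key, entry in entries.items():
            name, _, version = key.partition("/")
            graph[name] = (version, entry.get("dependencies", {}))
    return graph

def dependency_chain(graph, name):
    """Walk 'dependencies' edges back to a root and return the 'Name/Version' steps."""
    parents = {dep: pkg for pkg, (_, deps) in graph.items() for dep in deps}
    chain = [name]
    while chain[-1] in parents and parents[chain[-1]] not in chain:  # stop at root or cycle
        chain.append(parents[chain[-1]])
    return [f"{p}/{graph[p][0]}" for p in reversed(chain)]

def outdated_references(text, required=REQUIRED):
    """Return {package: (found, required, chain)} for references below the minimum version."""
    graph = load_graph(text)
    return {pkg: (ver, required[pkg], dependency_chain(graph, pkg))
            for pkg, (ver, _) in graph.items()
            if pkg in required and parse_version(ver) < parse_version(required[pkg])}

if __name__ == "__main__":  # usage: python check_deps.py <file.deps.json>...; no args runs the sample
    for text in [open(p).read() for p in sys.argv[1:]] or [SAMPLE_DEPS_JSON]:
        for pkg, (ver, need, chain) in outdated_references(text).items():
            print(f"{pkg} {ver} < {need}: " + " -> ".join(chain))
```

On a real SDK, feed it the output of find <sdk dir> -name "*.deps.json" to see which top-level entry each flagged package hangs off.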