
Microsoft.Web.LibraryManager.Build starting to show security warnings #770

Open
leotsarev opened this issue Nov 14, 2024 · 4 comments

Comments

@leotsarev
Contributor

leotsarev commented Nov 14, 2024

Describe the bug

Microsoft.Web.LibraryManager.Build starting to show security warnings

To Reproduce

  1. Include <PackageReference Include="Microsoft.Web.LibraryManager.Build" Version="2.1.175" PrivateAssets="All" /> into the project
  2. Build it using .NET SDK 9.0.100 or higher
  3. Get
(..) warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
(..) warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
(..) warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc

Expected behavior

No security warnings

Additional context

NOTE: This is not an actual vulnerability.
This is a known problem in NuGet when using netstandard2 projects: dotnet/sdk#42651
It could be worked around by moving to CPM and pinning the System.Private.Uri version, but users are discouraged from referencing System.Private.Uri directly, and it's frustrating for users to get this warning from an official Microsoft package.

It's recommended that:

  • A version of the Microsoft.Web.LibraryManager.Cli NuGet package is provided that targets modern .NET (net9 or net8)
  • System.Private.Uri is pinned by Microsoft.Web.LibraryManager.Cli to a non-vulnerable version
@jimmylewis
Contributor

I'm not reproducing this with a new web project:

dotnet new webapp
dotnet add package Microsoft.Web.LibraryManager.Build
dotnet build

and both libman packages (.Build and .Cli) should not bring transitive references to that package.

Can you include the output of dotnet nuget why x.csproj System.Private.Uri for your project?

@leotsarev leotsarev changed the title Microsoft.Web.LibraryManager.Cli starting to show security warnings Microsoft.Web.LibraryManager.Build starting to show security warnings Nov 15, 2024
@leotsarev
Contributor Author

dotnet nuget why won't show System.Private.Uri due to NuGet/Home#13718

I confirm that it won't reproduce on a typical web project, but it will reproduce on Blazor if you are using
<Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">.

There is a minimal reproduction at https://github.com/leotsarev/ReproduceLibManTest

@mrunks

mrunks commented Nov 19, 2024

I too am seeing these warnings after upgrading one of my Blazor WebAssembly projects to .NET 9. Is there a way to suppress this warning?

@leotsarev
Contributor Author

leotsarev commented Nov 20, 2024

@mrunks

  1. Reference System.Private.Uri directly (latest version) -- it won't change anything in runtime behavior
  2. Add <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-5f2m-466j-3848;https://github.com/advisories/GHSA-x5qj-9vmx-7g6g;https://github.com/advisories/GHSA-xhfc-gr8f-ffwc" /> to .csproj
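A complete Blazor WebAssembly project file that combines the package reference from the report with the two workarounds above. This is an added example, not a file from the issue or from the LibraryManager project; the target framework and the placeholder version in the commented-out reference are assumptions.

```xml
<Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">

  <PropertyGroup>
    <!-- Assumed target framework; the report used .NET SDK 9.0.100 or higher. -->
    <TargetFramework>net9.0</TargetFramework>
    <!-- Keep the NuGet audit enabled: only the three advisories listed below are
         silenced, any other advisory against the dependency graph still warns. -->
    <NuGetAudit>true</NuGetAudit>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package from the report; on this SDK it brings in System.Private.Uri 4.3.0,
         which triggers NU1902/NU1903 for the advisories below. -->
    <PackageReference Include="Microsoft.Web.LibraryManager.Build" Version="2.1.175" PrivateAssets="All" />

    <!-- Workaround 1: pin System.Private.Uri directly so the audited 4.3.0 version is
         no longer selected. Uncomment and replace the placeholder with the latest version. -->
    <!-- <PackageReference Include="System.Private.Uri" Version="LATEST_VERSION_PLACEHOLDER" /> -->
  </ItemGroup>

  <!-- Workaround 2: suppress exactly the advisory IDs named in the build output.
       One item per advisory keeps the suppression reviewable in a diff. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-5f2m-466j-3848" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-x5qj-9vmx-7g6g" />
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-xhfc-gr8f-ffwc" />
  </ItemGroup>

</Project>
```

Use one workaround or the other: with the direct pin in place the suppression items become unnecessary, and leaving them out means a future advisory for the same package is not hidden.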
