Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dotnet list packages should not report false positives for assemblies in shared directory #13405

Open
richlander opened this issue Apr 23, 2024 · 6 comments
Open

dotnet list packages should not report false positives for assemblies in shared directory #13405

richlander opened this issue Apr 23, 2024 · 6 comments
Labels
Area:NuGetAudit Priority:2 Issues for the current backlog. Type:DCR Design Change Request

Comments

@richlander
Copy link

A user reported false positives vulnerability findings of .NET product CVEs using dotnet list package --vulnerable --include-transitive.

dotnet/sdk#30659 (comment)

This behavior should be improved for .NET 8+ (8.0.1xx, 8.0.4xx, 9.0.1xx).
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

@richlander Issue is missing Type label, remember to add a Type label

@dotnet-policy-service dotnet-policy-service bot added the missing-required-type The required type label is missing. label Apr 23, 2024
@nkolev92
Copy link
Member

There's no assembly scanning, but rather package scanning here.
As long as a package is in the graph, NuGet will report vulnerabilities on it.

A way to minimize this is #7344, and it's something we're planning to explore, but the degree to which it'd help that scenario is going to be dependent on what packages brought it in.

@nkolev92 nkolev92 added Type:DCR Design Change Request Area:NuGetAudit and removed missing-required-type The required type label is missing. labels Apr 23, 2024
@richlander
Copy link
Author

@agocke -- you've been talking to vulnerability scanners. What is your guidance to them to avoid false positives like this?

@richlander
Copy link
Author

richlander commented Apr 23, 2024
edited
Loading

We need to come up with designs that work well for all vulnerability scanners. The .NET CLI should have the best implementation and it should be a good reference implementation for others. If the proposal does that, great.

@nkolev92
Copy link
Member

nkolev92 commented Apr 23, 2024
edited
Loading

I think if we eliminate things at the root (restore time), all other commands and components benefit. (restore pruning them means list package gets them, means they probably don't end up in deps.json).
The challenge is that we can only eliminate certain packages. Deny listing/pruning 1000s of package ids won't scale and it probably bleeds too much of the framework implementation into NuGet.

I haven't look at this particular example, to know if a more minimal approach would solve it.

@richlander
Copy link
Author

I think if we eliminate things at the root (restore time), all other commands and components benefit. (

That sounds good / makes sense.

We now have a fair bit of experience with false positives. This should give us a sense of how likely it is for users to run into this scenario and how many of our packages can contribute to this problem.

@jebriede jebriede added the Priority:2 Issues for the current backlog. label Apr 25, 2024
@dennis-garavsky dennis-garavsky mentioned this issue Jul 17, 2024
Closed
@halter73 halter73 mentioned this issue Aug 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area:NuGetAudit Priority:2 Issues for the current backlog. Type:DCR Design Change Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@richlander @nkolev92 @jebriede