
False positive when a *.deps.json file contains a dependency to a vulnerable package

Open CorneliaS opened this issue 1 year ago • 6 comments

Publishing a C# project as "self-contained" adds numerous dependencies in the *.deps.json file with versions that do not always represent the version in use.

For example, a C# Asp.Net project (.net 6.0) with the dependency to "System.Net.Http" version 4.3.4 creates a deps.json file where the reference is to the System.Private.Uri.dll of version "6.0.0.0", but refers to version 4.3.0 for "runtime.any.System.Runtime/4.3.0" (and others).

If you include the deps.json file in a Docker image and check that image for vulnerabilities, Docker Scout (version 1.3) detects 3 vulnerabilities for System.Private.Uri.dll version 4.3.0. Apart from the mention in the *.deps.json file, the version would never be used. (The version of System.Private.Uri included in the release folder is version "6.0.0.0")

Please correct me if I am wrong: I think the result is a false positive.

Docker Scout version 1.2.2 and "dotnet list xxx.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json" have not detected any vulnerability here.

Attached you find an example of the deps.json file: WebApplication1.deps.json

Update: Steps to reproduce

Create an image with the WebApplication1.deps.json file: Dockerfile:

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base
COPY WebApplication1.deps.json .
```

Image creation: `docker build -t testimage:latest -f .\Dockerfile .`

Running docker scout cli for that image returns the System.Private.Uri.dll vulnerabilities.

CorneliaS avatar Jan 29 '24 15:01 CorneliaS
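The false positive in the post above comes down to which part of the deps.json a scanner reads. As an added example that is not part of this thread and not Docker Scout's or the .NET SDK's own code, the script below parses a constructed, trimmed deps.json shaped like the one the poster attached (the real WebApplication1.deps.json is not reproduced here; the package names, versions and the runtime-pack entry are assumptions for illustration) and separates what the restore graph lists in "libraries" from what actually ships a file under the target's "runtime", "native" or "runtimeTargets" assets. A package that appears in "libraries" but contributes no asset cannot be the origin of any DLL in the image, which is what makes a finding keyed on that name and version a phantom.

```python
"""Triage which package versions in a .NET *.deps.json actually ship a file.

Added example for this thread (not Docker Scout's or .NET's own code). A deps.json
has two parts a version-keyed scanner can confuse:
  * "libraries": every package/project/runtimepack in the restore graph, keyed
    "Name/Version" (this is where System.Private.Uri/4.3.0 is visible), and
  * "targets"[<runtimeTarget>][<Name/Version>]["runtime"|"native"|"runtimeTargets"]:
    the files that entry really contributes, with assemblyVersion/fileVersion.
"""
import json
from pathlib import PurePosixPath

ASSET_KINDS = ("runtime", "native", "runtimeTargets")

# Constructed, trimmed deps.json modelled on the issue; it is NOT the attached
# WebApplication1.deps.json. Names, versions and the runtime-pack entry are
# illustrative assumptions: the self-contained runtime pack supplies
# System.Private.Uri.dll 6.0.0.0, while System.Private.Uri/4.3.0 stays in the
# graph but, after SDK conflict resolution, ships nothing.
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0/linux-x64", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v6.0/linux-x64": {
      "WebApplication1/1.0.0": {
        "dependencies": {
          "System.Net.Http": "4.3.4",
          "Newtonsoft.Json": "13.0.3",
          "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64": "6.0.25"
        },
        "runtime": { "WebApplication1.dll": {} }
      },
      "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.25": {
        "runtime": {
          "System.Private.Uri.dll": { "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.2523.51912" },
          "System.Net.Http.dll": { "assemblyVersion": "6.0.0.0", "fileVersion": "6.0.2523.51912" }
        }
      },
      "System.Net.Http/4.3.4": { "dependencies": { "System.Private.Uri": "4.3.0" } },
      "System.Private.Uri/4.3.0": {},
      "Newtonsoft.Json/13.0.3": {
        "runtime": { "lib/net6.0/Newtonsoft.Json.dll": { "assemblyVersion": "13.0.0.0", "fileVersion": "13.0.3.27908" } }
      }
    }
  },
  "libraries": {
    "WebApplication1/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/6.0.25": { "type": "runtimepack", "serviceable": false, "sha512": "" },
    "System.Net.Http/4.3.4": { "type": "package", "serviceable": true, "sha512": "sha512-constructed", "path": "system.net.http/4.3.4" },
    "System.Private.Uri/4.3.0": { "type": "package", "serviceable": true, "sha512": "sha512-constructed", "path": "system.private.uri/4.3.0" },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true, "sha512": "sha512-constructed", "path": "newtonsoft.json/13.0.3" }
  }
}
'''
SAMPLE_DEPS = json.loads(SAMPLE_DEPS_JSON)


def target_entries(deps):
    """Entries of the target selected by runtimeTarget (the one the app runs on)."""
    return deps["targets"][deps["runtimeTarget"]["name"]]


def contributes_asset(entry):
    """True if a target entry ships at least one managed, native or RID-specific file."""
    return any(entry.get(kind) for kind in ASSET_KINDS)


def shipped_assemblies(deps):
    """Map DLL file name -> (providing 'Name/Version', assemblyVersion) from runtime assets."""
    provided = {}
    for lib_id, entry in target_entries(deps).items():
        for rel_path, meta in entry.get("runtime", {}).items():
            provided[PurePosixPath(rel_path).name] = (lib_id, meta.get("assemblyVersion"))
    return provided


def phantom_packages(deps):
    """(name, version) of 'package' libraries that contribute no asset at all."""
    target = target_entries(deps)
    phantoms = []
    for lib_id, lib in deps["libraries"].items():
        if lib.get("type") == "package" and not contributes_asset(target.get(lib_id, {})):
            name, _, version = lib_id.partition("/")
            phantoms.append((name, version))
    return phantoms


def triage_finding(deps, package, version):
    """Classify a scanner finding on (package, version) against the deps.json."""
    lib_id = f"{package}/{version}"
    if lib_id not in deps["libraries"]:
        return "not-in-graph"
    if contributes_asset(target_entries(deps).get(lib_id, {})):
        return "asset-shipped"
    return "phantom-version"


if __name__ == "__main__":
    for name, version in phantom_packages(SAMPLE_DEPS):
        print(f"{name} {version}: listed in graph, ships no file")
    lib_id, asm_version = shipped_assemblies(SAMPLE_DEPS)["System.Private.Uri.dll"]
    print(f"System.Private.Uri.dll actually comes from {lib_id} (assemblyVersion {asm_version})")
    print("System.Private.Uri 4.3.0 ->", triage_finding(SAMPLE_DEPS, "System.Private.Uri", "4.3.0"))
```

Against a real publish output, replace SAMPLE_DEPS with json.load() of the WebApplication1.deps.json next to the app. A finding that triages as phantom-version still deserves a look at the file on disk (the poster checked the release folder and found 6.0.0.0), because deps.json records what the SDK resolved, not what was copied; the check here only rules out the package as the origin of any file the manifest claims to ship.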

I have a similar issue. Have there been any kind of update or resolution since then?

Astral100 avatar Mar 23 '24 16:03 Astral100

Sorry for the silence on this issue. We are aware and will address this with the next release of the CLI.

cdupuis avatar Mar 23 '24 17:03 cdupuis

The latest CLI should fix this issue.

cdupuis avatar Apr 17 '24 05:04 cdupuis

I can still reproduce this behavior with docker/scout-cli:latest (version 1.7.1). I've added an update with the steps to reproduce in the first post.

CorneliaS avatar Apr 22 '24 13:04 CorneliaS

Oh, I was ahead of time. This is going to get released with the next version.

cdupuis avatar Apr 23 '24 11:04 cdupuis

Great! Thank you :)

CorneliaS avatar Apr 23 '24 13:04 CorneliaS

The fix was released.

cdupuis avatar Jun 04 '24 16:06 cdupuis