sbom-tool icon indicating copy to clipboard operation
sbom-tool copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Address CG issue in Microsoft.IO.Redist

Open DaveTryon opened this issue 1 year ago • 1 comments

CVE-2024-38081 impacts .NET Framework and .NET version 6.X. .NET 8 is not impacted. This was a manually-generated change, scoped to just the .NET Framework build, because the tooling can't automatically keep the file for .NET Framework and exclude it for .NET 8.

If future versions of Microsoft.Build.Utilities.Core and Microsoft.Build eventually include the new version dependency, then we should be able to revert this change.

Redacted output of dotnet nuget why before this change--the key point is Microsoft.IO.Redist v6.0.0:

>dotnet nuget why Microsoft.Sbom.sln Microsoft.IO.Redist
Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build (v17.3.2)
   │  └─ Microsoft.IO.Redist (v6.0.0)
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Redacted output of dotnet nuget why after this change--the key point is Microsoft.IO.Redist v6.0.1:

>dotnet nuget why Microsoft.Sbom.sln Microsoft.IO.Redist
Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build (v17.3.2)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

DaveTryon avatar Oct 21 '24 17:10 DaveTryon