
Address CG issue in Microsoft.IO.Redist

Open · DaveTryon opened this issue 1 year ago · 1 comment

CVE-2024-38081 impacts .NET Framework and .NET version 6.X. .NET 8 is not impacted. This was a manually-generated change, scoped to just the .NET Framework build, because the tooling can't automatically keep the file for .NET Framework and exclude it for .NET 8.

If future versions of Microsoft.Build.Utilities.Core and Microsoft.Build eventually include the new version dependency, then we should be able to revert this change.

Redacted output of dotnet nuget why before this change; the key point is Microsoft.IO.Redist v6.0.0:

>dotnet nuget why Microsoft.Sbom.sln Microsoft.IO.Redist
Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build (v17.3.2)
   │  └─ Microsoft.IO.Redist (v6.0.0)
   └─ Microsoft.Build.Utilities.Core (v17.11.4)
      └─ Microsoft.IO.Redist (v6.0.0)

Redacted output of dotnet nuget why after this change; the key point is Microsoft.IO.Redist v6.0.1:

>dotnet nuget why Microsoft.Sbom.sln Microsoft.IO.Redist
Project 'Microsoft.Sbom.Targets' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

Project 'Microsoft.Sbom.Targets.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

Project 'Microsoft.Sbom.Targets.E2E.Tests' has the following dependency graph(s) for 'Microsoft.IO.Redist':
  [net472]
   │
   ├─ Microsoft.Build (v17.3.2)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   ├─ Microsoft.Build.Utilities.Core (v17.11.4)
   │  └─ Microsoft.IO.Redist (v6.0.1)
   └─ Microsoft.IO.Redist (v6.0.1)

DaveTryon · Oct 21 '24 17:10
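The scoping the PR describes, shown as an added illustration rather than the PR's own diff: a direct PackageReference on Microsoft.IO.Redist that only applies to the net472 build. NuGet resolves the nearest reference first, so the direct 6.0.1 wins over the 6.0.0 that Microsoft.Build.Utilities.Core 17.11.4 pulls in transitively, while the net8.0 build (not impacted by CVE-2024-38081) picks up nothing. The project file name and the TargetFrameworks value are assumptions; the package names and versions come from the dotnet nuget why output above.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <!-- Illustrative project file (assumed name: Microsoft.Sbom.Targets.csproj);
       this is an added example, not the diff from the PR. -->
  <PropertyGroup>
    <TargetFrameworks>net472;net8.0</TargetFrameworks>
  </PropertyGroup>

  <ItemGroup>
    <!-- Before the fix this was the only path to Microsoft.IO.Redist:
         Microsoft.Build.Utilities.Core 17.11.4 -> Microsoft.IO.Redist 6.0.0 (net472 only). -->
    <PackageReference Include="Microsoft.Build.Utilities.Core" Version="17.11.4" />
  </ItemGroup>

  <!-- The fix: a top-level reference that exists only for the .NET Framework build.
       Nearest-wins resolution makes 6.0.1 the resolved version on net472;
       the condition keeps net8.0 from ever referencing the package. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net472'">
    <PackageReference Include="Microsoft.IO.Redist" Version="6.0.1" />
  </ItemGroup>
</Project>
```

Two checks are worth running after a change like this: `dotnet nuget why Microsoft.Sbom.sln Microsoft.IO.Redist` (as in the PR) should show the direct 6.0.1 edge beside the transitive one on every net472 project, and `dotnet list package --vulnerable --include-transitive` should no longer report the package. If the repository uses Central Package Management, the `Version` attribute moves to Directory.Packages.props and the conditional reference in the project file carries only the `Include`. As the PR notes, once Microsoft.Build.Utilities.Core and Microsoft.Build ship with the patched dependency themselves, the direct reference becomes redundant and can be removed so the build is not pinned below future upstream bumps.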

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 70.13%. Comparing base (0cd21cd) to head (8ed00c8). Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #757   +/-   ##
=======================================
  Coverage   70.13%   70.13%           
=======================================
  Files         277      277           
  Lines        8651     8651           
  Branches     1006     1006           
=======================================
  Hits         6067     6067           
  Misses       2065     2065           
  Partials      519      519           


codecov-commenter · Oct 21 '24 18:10