
Vulnerability doc should cover vulnerabilities of NuGet pkgs referenced by app

Open mthalman opened this issue 2 years ago • 2 comments

There's a gap in the scenarios covered by the Container Vulnerability Workflow doc. If the container image contains a .NET app where that app references NuGet packages which are vulnerable, it will likely be reported by a vulnerability scanner. But following the steps of the workflow document will lead the reader to the point of logging an issue at https://github.com/dotnet/dotnet-docker, which is not what we want since the cause of the vulnerability is the application itself. The document needs to be updated to account for this scenario.

mthalman · May 25 '23 19:05

An additional step in the workflow would be to verify that the latest version of the affected NuGet package is being referenced.

mthalman · May 31 '23 18:05
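To make the verification step above concrete, here is an added Python helper (not code from the dotnet-docker project or the workflow doc) that triages the report printed by `dotnet list package --vulnerable --include-transitive --format json` and tells the app owner whether each vulnerable package is a direct PackageReference or a transitive dependency, i.e. an application fix rather than a base-image issue. The JSON shape is assumed from the SDK's output, and the package names, versions and advisory URLs in the sample report are constructed.

```python
import json
from dataclasses import dataclass

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

# Constructed sample report; the shape is assumed from the SDK's `--format json` output.
SAMPLE_REPORT = json.dumps({
    "version": 1, "parameters": "--vulnerable --include-transitive",
    "projects": [{"path": "src/Web/Web.csproj", "frameworks": [{"framework": "net8.0",
        "topLevelPackages": [{"id": "Example.Direct", "requestedVersion": "1.0.0",
            "resolvedVersion": "1.0.0",
            "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/adv-1"}]}],
        "transitivePackages": [{"id": "Example.Transitive", "resolvedVersion": "2.3.0",
            "vulnerabilities": [{"severity": "Moderate", "advisoryurl": "https://example.invalid/adv-2"},
                                {"severity": "Critical", "advisoryurl": "https://example.invalid/adv-3"}]}]}]},
        {"path": "src/Worker/Worker.csproj",
         "frameworks": [{"framework": "net8.0", "topLevelPackages": [], "transitivePackages": []}]}]})

@dataclass(frozen=True)
class Finding:
    project: str
    package: str
    version: str
    direct: bool          # True = PackageReference in the project; False = pulled in transitively
    severity: str         # worst severity across the package's advisories
    advisories: tuple     # advisory URLs reported by the SDK

def triage(report_json: str) -> list[Finding]:
    """Flatten the report into one Finding per (project, package), worst severity first."""
    findings = []
    for project in json.loads(report_json).get("projects", []):
        for fw in project.get("frameworks", []):
            for key, direct in (("topLevelPackages", True), ("transitivePackages", False)):
                for pkg in fw.get(key, []):
                    vulns = pkg.get("vulnerabilities") or []
                    if not vulns:
                        continue  # only vulnerable packages matter for this workflow
                    worst = max(vulns, key=lambda v: SEVERITY_RANK.get(v["severity"], 0))["severity"]
                    findings.append(Finding(project["path"], pkg["id"], pkg["resolvedVersion"], direct,
                                            worst, tuple(v["advisoryurl"] for v in vulns)))
    return sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), f.project, f.package))

def remediation(f: Finding) -> str:
    """Guidance for the app owner; neither case is a dotnet-docker base-image issue."""
    if f.direct:
        return f"{f.package} {f.version}: update the PackageReference in {f.project} to the latest patched version"
    return (f"{f.package} {f.version}: transitive dependency of {f.project}; update the parent package "
            f"or add a direct reference to a patched version")

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(f"[{finding.severity}] {remediation(finding)}")
```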

[Triage] Moving to post-release since we have not received many issues about this type of vulnerability yet.

lbussell · Sep 23 '24 18:09