
Provide information on the self-contained target versions

Open richlander opened this issue 7 months ago • 5 comments

I'm working on some servicing-related workflows, particularly answering the question "do I need to update my SDK". That's currently a difficult question to answer for self-contained apps since the SDK contains a set of very critical version numbers. It should be trivial to find out what those are via the CLI. We should also document them in release notes.

Let's assume there is a very critical runtime CVE. Clearly, everyone should update their runtimes and SDKs everywhere and then everything is solved. However, for users that deploy their apps as FDD, the primary concern is the prod environment. For folks deploying as self-contained, the build machine, not prod, becomes critical.

I can easily imagine some users being quite serious about prod server compliance and taking a more pedestrian approach to build servers while not fully internalizing that they deploy some of their prod apps as self-contained. Doing the "right thing" for the prod environment might in some cases be providing a false sense of safety.

It should be possible to build an experience where we provide a greater set of alerts for people using old SDKs and publishing as self-contained or (more importantly) for users to self-diagnose that they have a problem to resolve.

richlander avatar May 29 '25 15:05 richlander

@marcpopMSFT @baronfel -- Can you link to the relevant file? I always forget what it is.

richlander avatar May 30 '25 02:05 richlander

Do you mean Microsoft.NETCoreSdk.BundledVersions.props in your SDK directory (or generatebundledversions in the repo)?

Theoretically, we'd want to compare the releases.json to what your target runtime pack version is, taking into account your specific TFM, and warn you if they are out of sync (but only if selfcontained is true). We had some discussion of that with #44421. CC @dsplaisted

marcpopMSFT avatar Jun 09 '25 19:06 marcpopMSFT

I did some design around the idea of a new type of "targeting pack" that would include the versions of the runtime packages that would be used. The idea was that this would let older SDKs target newer patches without updating the whole SDK, and it could also supply the necessary data for package pruning. But after discussing it we ended up not pursuing it because there didn't seem to be a whole lot of value in allowing older SDKs to update just these numbers; it makes more sense to update the whole SDK. Also, we didn't end up needing the data in this way for package pruning.

That's different than what you're asking for though. I think the information is available in places like the downloads page and releases.json. That doesn't mean there's a good end-to-end scenario for understanding when you need to update. Do you have ideas on what the experience should be like?

dsplaisted avatar Jun 09 '25 23:06 dsplaisted

I would like to see this information in dotnet --info or something similar.

I think the information is available in places like the downloads page and releases.json.

Show me where that is.

richlander avatar Jun 10 '25 01:06 richlander

Here's a good example of where we're not doing the right thing.

root@754731eacc25:/# dotnet --version
8.0.100
root@754731eacc25:/# dotnet new console -o app
root@754731eacc25:/# cd app
root@754731eacc25:/app# dotnet add package System.Text.Json --version 8.0.0 | grep vuln
info :   CACHE https://api.nuget.org/v3/vulnerabilities/index.json
info :   CACHE https://api.nuget.org/v3-vulnerabilities/2025.06.19.23.42.10/vulnerability.base.json
info :   CACHE https://api.nuget.org/v3-vulnerabilities/2025.06.19.23.42.10/2025.06.19.23.42.10/vulnerability.update.json
warn : NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
warn : NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
root@754731eacc25:/app# dotnet publish --sc
MSBuild version 17.8.3+195e7f5a3 for .NET
  Determining projects to restore...
/app/app.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
/app/app.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
  Restored /app/app.csproj (in 3.09 sec).
/app/app.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
/app/app.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
  app -> /app/bin/Release/net8.0/linux-x64/app.dll
  app -> /app/bin/Release/net8.0/linux-x64/publish/
root@754731eacc25:/app# find /app/bin/Release/net8.0/linux-x64/publish/ -name "libcoreclr.so"
/app/bin/Release/net8.0/linux-x64/publish/libcoreclr.so

There is no visibility on which runtime version was acquired (for the self-contained publish) and no mention of a vulnerability. At the same time, the System.Text.Json vulnerability is correctly identified. Resolve the STJ PackageRef and it's all good, right?

richlander avatar Jun 20 '25 18:06 richlander
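The check marcpopMSFT sketches (compare the SDK's bundled runtime pack version for your TFM against releases.json, and warn only when publishing self-contained) is illustrated below, as an added example that is not part of this thread or of the dotnet/sdk repo. It reads the `KnownFrameworkReference` items from a constructed snippet in the shape of Microsoft.NETCoreSdk.BundledVersions.props and a constructed releases.json fragment; the "8.0.99" runtime and the CVE id are placeholders, not real advisory data.

```python
"""Does a self-contained publish carry an out-of-date runtime? Compare the SDK's
bundled runtime pack version (BundledVersions.props) with the channel's releases.json."""
import json
import xml.etree.ElementTree as ET

# Constructed sample modelled on Microsoft.NETCoreSdk.BundledVersions.props: the SDK
# pins the runtime pack a self-contained publish ships via LatestRuntimeFrameworkVersion.
SAMPLE_PROPS = """<Project>
  <PropertyGroup>
    <BundledNETCoreAppPackageVersion>8.0.0</BundledNETCoreAppPackageVersion>
  </PropertyGroup>
  <ItemGroup>
    <KnownFrameworkReference Include="Microsoft.NETCore.App" TargetFramework="net8.0"
        LatestRuntimeFrameworkVersion="8.0.0" TargetingPackVersion="8.0.0" />
  </ItemGroup>
</Project>"""

# Constructed sample in the shape of a channel releases.json; versions and the CVE id
# are placeholders for the example, not real release metadata.
SAMPLE_RELEASES = json.dumps({
    "channel-version": "8.0",
    "latest-runtime": "8.0.99",
    "releases": [
        {"release-version": "8.0.99", "security": True,
         "cve-list": [{"cve-id": "CVE-XXXX-PLACEHOLDER"}]},
        {"release-version": "8.0.0", "security": False, "cve-list": []},
    ],
})

def parse_version(v):
    # "8.0.12-preview.1" -> (8, 0, 12): patch-level comparison is all we need here
    return tuple(int(p) for p in v.split("-")[0].split("."))

def bundled_runtime(props_xml, tfm):
    """Runtime pack version a self-contained publish of `tfm` will carry."""
    for item in ET.fromstring(props_xml).iter():
        if (item.tag.rsplit("}", 1)[-1] == "KnownFrameworkReference"   # tolerate an xmlns
                and item.get("Include") == "Microsoft.NETCore.App"
                and item.get("TargetFramework") == tfm):
            return item.get("LatestRuntimeFrameworkVersion")
    raise ValueError(f"no Microsoft.NETCore.App entry for {tfm}")

def check_self_contained(props_xml, releases_json, tfm, self_contained=True):
    """Return (bundled, latest, missed_cves); missed_cves is empty when nothing is wrong."""
    bundled, channel = bundled_runtime(props_xml, tfm), json.loads(releases_json)
    latest = channel["latest-runtime"]
    if not self_contained or parse_version(bundled) >= parse_version(latest):
        return bundled, latest, []   # FDD: the prod runtime matters, not the SDK's copy
    missed = [c["cve-id"] for r in channel["releases"]
              if parse_version(r["release-version"]) > parse_version(bundled)
              for c in r.get("cve-list", [])]
    return bundled, latest, missed

if __name__ == "__main__":
    b, latest, cves = check_self_contained(SAMPLE_PROPS, SAMPLE_RELEASES, "net8.0")
    if cves:
        print(f"warning: self-contained publish bundles runtime {b}; latest is {latest}; "
              f"fixes not included: {cves}")
```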