osv-scanner
osv-scanner not detecting NuGet vulnerable dependencies in some dependency resolution cases in .NET
.NET allows several ways to define the dependencies of a project: some are centralized and others are defined in each project. The problem is that osv-scanner currently only detects vulnerabilities in the `packages.lock.json` file, but it should also scan the following files (as stated in #51):
- packages.config
- PackageReference nodes in:
  - *.*proj
  - *.props files
Here I attach some tests I have been doing, running `osv-scanner` and `dotnet list package --vulnerable`.
Dependency with a vulnerable version declared in `packages.config` (.NET Framework; the dotnet CLI cannot be used here since it is .NET Framework):

```xml
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="LiteDB" version="0.5.0" targetFramework="net48" />
</packages>
```
Dependency with a vulnerable version declared in the `.csproj` file of the project, `TestApp.csproj`:

```xml
<Project Sdk="Microsoft.NET.Sdk">
{...}
  <ItemGroup>
    <PackageReference Include="LiteDB" Version="5.0.12" />
  </ItemGroup>
</Project>
```
Dependency with a vulnerable version centralized in `Directory.Packages.props` and referenced from the `.csproj` file:

`.csproj` file:

```xml
<Project Sdk="Microsoft.NET.Sdk">
{...}
  <ItemGroup>
    <PackageReference Update="LiteDB" />
  </ItemGroup>
</Project>
```

`Directory.Packages.props` file:

```xml
<Project>
  <ItemGroup>
    <PackageReference Include="LiteDB" Version="5.0.12"/>
  </ItemGroup>
</Project>
```
The last example also happens with a `Directory.Build.props` file with the same content as the `Directory.Packages.props` file.
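As an added example (not osv-scanner's own code, and not written by the issue author), the following Python script does the extraction this issue asks for: it reads the three manifest forms shown above (`packages.config`, a `PackageReference` with its own `Version`, and a `PackageReference` whose version is centralized in `Directory.Packages.props` or `Directory.Build.props`) and emits `(file, package, version)` triples. It goes slightly beyond the page by also accepting the `PackageVersion` item form and a `<Version>` child element. The sample file tree, including the package name `Example.Unpinned`, is constructed for the example.

```python
"""Extract NuGet package declarations from the .NET manifest files named in
the issue, so that a scanner can query them instead of silently skipping them."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Files MSBuild/NuGet consult for centralized versions; the nearest one wins.
CENTRAL_PROPS = ("Directory.Packages.props", "Directory.Build.props")


def _local(tag):
    """Strip an XML namespace so old-style (namespaced) and SDK-style files both match."""
    return tag.rsplit("}", 1)[-1]


def _root(text):
    return ET.fromstring(text.encode("utf-8"))


def parse_packages_config(text):
    """packages.config (.NET Framework): <package id="..." version="..."/> entries."""
    return [(el.get("id"), el.get("version"))
            for el in _root(text).iter() if _local(el.tag) == "package" and el.get("id")]


def package_items(text):
    """Yield (package id, version or None) for each PackageReference/PackageVersion item.

    A missing version is yielded as None rather than dropped: that is exactly the
    case that must be resolved from a props file instead of being ignored.
    """
    for el in _root(text).iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        pkg = el.get("Include") or el.get("Update")
        if not pkg:
            continue
        version = el.get("Version")
        if version is None:  # <Version>1.2.3</Version> child element form
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        yield pkg, version


def central_versions(files, project_path):
    """Versions visible to project_path from props files in its directory or any ancestor."""
    versions = {}
    directory = PurePosixPath(project_path).parent
    # Root-most first, so a props file closer to the project overrides a farther one.
    for d in reversed([directory, *directory.parents]):
        for name in CENTRAL_PROPS:
            text = files.get(str(d / name))
            if text is None:
                continue
            for pkg, version in package_items(text):
                if version:
                    versions[pkg] = version
    return versions


def scan(files):
    """files: mapping of POSIX-style relative path -> file text (an in-memory tree here;
    a real scanner would read from disk). Returns (path, package, version) triples."""
    found = []
    for path, text in sorted(files.items()):
        name = PurePosixPath(path).name
        if name == "packages.config":
            found += [(path, pkg, ver) for pkg, ver in parse_packages_config(text)]
        elif name.endswith("proj"):  # *.csproj, *.fsproj, *.vbproj
            central = central_versions(files, path)
            for pkg, version in package_items(text):
                found.append((path, pkg, version or central.get(pkg)))
    return found


def unresolved(results):
    """Entries whose version could not be determined: report them, never skip them."""
    return [r for r in results if r[2] is None]


# Constructed sample tree mirroring the three cases from the issue.
SAMPLE_FILES = {
    "legacy/packages.config": """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="LiteDB" version="0.5.0" targetFramework="net48" />
</packages>""",
    "direct/TestApp.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="LiteDB" Version="5.0.12" />
  </ItemGroup>
</Project>""",
    "central/App/App.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Update="LiteDB" />
    <PackageReference Include="Example.Unpinned" />
  </ItemGroup>
</Project>""",
    "central/Directory.Packages.props": """<Project>
  <ItemGroup>
    <PackageReference Include="LiteDB" Version="5.0.12" />
  </ItemGroup>
</Project>""",
}

if __name__ == "__main__":
    for path, pkg, version in scan(SAMPLE_FILES):
        print(f"{path}: {pkg} {version or '<unresolved>'}")
```

The `Example.Unpinned` entry comes back with version `None`; that is the outcome a scanner must surface rather than treat "no version found" as "no package", which is the silent gap the issue describes for references whose version lives in a props file.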