component-detection
Incorrect and duplicate versions detected of a component in the same project file when using central package management (NuGet)
I'm using Central Package Management to manage my NuGet versions centrally, and also pin subdependencies to higher versions, for instance to mitigate vulnerable transitive dependencies.
I pinned System.IdentityModel.Tokens.Jwt because it had a vulnerability. It is used by Microsoft.IdentityModel.Protocols.OpenIdConnect, which is used by Microsoft.Data.SqlClient, which is used by Microsoft.EntityFrameworkCore.SqlServer, which I directly reference.
```xml
<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- Central registry of all packages used in the project -->
  <!-- See: https://devblogs.microsoft.com/nuget/introducing-central-package-management/ -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
  </ItemGroup>
</Project>
```
```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" />
  </ItemGroup>
</Project>
```
I'm using the sbom-tool to generate my SBOM, and the scan manifest shows:
```json
{
  "locationsFoundAt": [
    "/src/MyProject.Persistence/MyProject.Persistence.csproj"
  ],
  "component": {
    "name": "System.IdentityModel.Tokens.Jwt",
    "version": "6.24.0",
    "authors": null,
    "type": "NuGet",
    "id": "System.IdentityModel.Tokens.Jwt 6.24.0 - NuGet",
    "packageUrl": {
      "Scheme": "pkg",
      "Type": "nuget",
      "Namespace": null,
      "Name": "System.IdentityModel.Tokens.Jwt",
      "Version": "6.24.0",
      "Qualifiers": null,
      "Subpath": null
    }
  },
  "detectorId": "NuGetProjectCentric",
  "isDevelopmentDependency": null,
  "dependencyScope": null,
  "topLevelReferrers": [
    {
      "name": "Microsoft.Data.SqlClient",
      "version": "5.1.4",
      "authors": null,
      "type": "NuGet",
      "id": "Microsoft.Data.SqlClient 5.1.4 - NuGet",
      "packageUrl": {
        "Scheme": "pkg",
        "Type": "nuget",
        "Namespace": null,
        "Name": "Microsoft.Data.SqlClient",
        "Version": "5.1.4",
        "Qualifiers": null,
        "Subpath": null
      }
    },
    {
      "name": "Microsoft.EntityFrameworkCore.SqlServer",
      "version": "8.0.0",
      "authors": null,
      "type": "NuGet",
      "id": "Microsoft.EntityFrameworkCore.SqlServer 8.0.0 - NuGet",
      "packageUrl": {
        "Scheme": "pkg",
        "Type": "nuget",
        "Namespace": null,
        "Name": "Microsoft.EntityFrameworkCore.SqlServer",
        "Version": "8.0.0",
        "Qualifiers": null,
        "Subpath": null
      }
    }
  ],
  "containerDetailIds": [],
  "containerLayerIds": {}
}
```
Interestingly, in a different project in the same solution the dependency version is correctly detected, but the project mentioned above also shows up here:
```json
{
  "locationsFoundAt": [
    "/src/MyProject.Web/MyProject.Web.csproj",
    "/tests/MyProject.Tests.Integration/MyProject.Tests.Integration.csproj",
    "/src/MyProject.Persistence/MyProject.Persistence.csproj"
  ],
  "component": {
    "name": "System.IdentityModel.Tokens.Jwt",
    "version": "7.2.0",
    "authors": null,
    "type": "NuGet",
    "id": "System.IdentityModel.Tokens.Jwt 7.2.0 - NuGet",
    "packageUrl": {
      "Scheme": "pkg",
      "Type": "nuget",
      "Namespace": null,
      "Name": "System.IdentityModel.Tokens.Jwt",
      "Version": "7.2.0",
      "Qualifiers": null,
      "Subpath": null
    }
  }
}
```
AB#2139506
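The useful triage step for a report like the one above is to compare the detector's output with what NuGet restore actually selected, which lives in `obj/project.assets.json` (the file the NuGetProjectCentric detector works from). In that file every key under `targets` is a resolved `Name/Version`, while the `dependencies` values are the *declared* ranges (a bare `6.24.0` means `>= 6.24.0`); when a central pin lifts a transitive package, the declared number and the resolved number differ, and a version that only exists as a declared lower bound should never appear in an SBOM. The script below is an added example, not code from this issue, component-detection or sbom-tool. It embeds a constructed, trimmed `project.assets.json` built from the dependency chain the reporter describes (the real one carries many more packages and fields), the `Directory.Packages.props` from the issue, and the two manifest entries reduced to the fields used; the chain Microsoft.Data.SqlClient 5.1.4 → Microsoft.IdentityModel.Protocols.OpenIdConnect 6.24.0 → System.IdentityModel.Tokens.Jwt is assumed as the reporter states it.

```python
"""Cross-check what a detector reports against what NuGet actually restored.

Added example; not code from the issue or from component-detection/sbom-tool.
All inputs are constructed in-line: the Directory.Packages.props from the
issue, a trimmed project.assets.json (real file: obj/project.assets.json after
`dotnet restore`), and the two manifest entries reduced to the fields used.
"""
import json
import xml.etree.ElementTree as ET

# Constructed: Directory.Packages.props from the issue (XML declaration trimmed).
PACKAGES_PROPS = """<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
  </ItemGroup>
</Project>"""

# Constructed, trimmed project.assets.json. Keys under "targets" are resolved
# "Name/Version"; "dependencies" values are the *declared* ranges ("6.24.0"
# means >= 6.24.0), which is not what restore picked where a pin lifted it.
ASSETS_JSON = """{
  "version": 3,
  "targets": { "net8.0": {
    "Microsoft.EntityFrameworkCore.SqlServer/8.0.0": { "type": "package",
      "dependencies": { "Microsoft.Data.SqlClient": "5.1.1" } },
    "Microsoft.Data.SqlClient/5.1.4": { "type": "package",
      "dependencies": { "Microsoft.IdentityModel.Protocols.OpenIdConnect": "6.24.0" } },
    "Microsoft.IdentityModel.Protocols.OpenIdConnect/6.24.0": { "type": "package",
      "dependencies": { "System.IdentityModel.Tokens.Jwt": "6.24.0" } },
    "System.IdentityModel.Tokens.Jwt/7.2.0": { "type": "package",
      "dependencies": { "Microsoft.IdentityModel.JsonWebTokens": "7.2.0" } },
    "Microsoft.IdentityModel.JsonWebTokens/7.2.0": { "type": "package" }
  } }
}"""

# Constructed: the two System.IdentityModel.Tokens.Jwt entries from the issue's
# manifest, reduced to the fields this check uses.
MANIFEST = [
    {"component": {"name": "System.IdentityModel.Tokens.Jwt", "version": "6.24.0", "type": "NuGet"}},
    {"component": {"name": "System.IdentityModel.Tokens.Jwt", "version": "7.2.0", "type": "NuGet"}},
]


def pinned_versions(props_xml):
    """Name -> version for every <PackageVersion> in Directory.Packages.props."""
    root = ET.fromstring(props_xml)
    return {pv.get("Include"): pv.get("Version") for pv in root.iter("PackageVersion")}


def transitive_pinning_enabled(props_xml):
    """True when CentralPackageTransitivePinningEnabled is set, i.e. pins also apply to transitives."""
    node = ET.fromstring(props_xml).find("./PropertyGroup/CentralPackageTransitivePinningEnabled")
    return node is not None and (node.text or "").strip().lower() == "true"


def resolved_versions(assets_json, target="net8.0"):
    """Name -> version that restore actually selected for the target framework."""
    graph = json.loads(assets_json)["targets"][target]
    return {key.split("/", 1)[0]: key.split("/", 1)[1]
            for key, entry in graph.items() if entry.get("type") == "package"}


def _lower_bound(version_range):
    """Lower bound of a NuGet range string: '6.24.0' and '[6.24.0, )' both give '6.24.0'."""
    return version_range.strip("[]() ").split(",")[0].strip()


def declared_only(assets_json, target="net8.0"):
    """(name, version) pairs that exist only as a declared lower bound, never as a restored package."""
    graph = json.loads(assets_json)["targets"][target]
    resolved = set(resolved_versions(assets_json, target).items())
    declared = {(dep, _lower_bound(rng))
                for entry in graph.values()
                for dep, rng in entry.get("dependencies", {}).items()}
    return declared - resolved


def audit_manifest(manifest, assets_json, target="net8.0"):
    """Reported components that restore did not produce, with the likely origin of the number."""
    resolved = resolved_versions(assets_json, target)
    ghosts = declared_only(assets_json, target)
    findings = []
    for entry in manifest:
        name, version = entry["component"]["name"], entry["component"]["version"]
        if resolved.get(name) == version:
            continue
        reason = ("declared lower bound of a dependency, not a restored package"
                  if (name, version) in ghosts else "not present in the restore graph at all")
        findings.append((name, version, resolved.get(name), reason))
    return findings


def audit_pins(props_xml, assets_json, target="net8.0"):
    """Pinned packages whose restored version differs from the pin (pin not honoured)."""
    resolved = resolved_versions(assets_json, target)
    return [(name, pin, resolved[name]) for name, pin in pinned_versions(props_xml).items()
            if name in resolved and resolved[name] != pin]


if __name__ == "__main__":
    print("transitive pinning enabled:", transitive_pinning_enabled(PACKAGES_PROPS))
    for name, pin, got in audit_pins(PACKAGES_PROPS, ASSETS_JSON):
        print(f"PIN NOT HONOURED {name}: pinned {pin}, restored {got}")
    for name, version, got, why in audit_manifest(MANIFEST, ASSETS_JSON):
        print(f"SUSPECT {name} {version}: restored {got}; {why}")
```

Run against a real tree, `audit_pins` answers "did transitive pinning actually take effect?" (if it did not, the vulnerable version really is in the build and the SBOM is right to list it), and `audit_manifest` answers "is the detector reporting something restore never produced?" (if so, the SBOM is wrong and the finding belongs with the tool). In the constructed data every pin is honoured and the 6.24.0 entry matches only a declared range, which is the situation the report describes.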
We have the same issue. Does component gov not support central package management (NuGet)?
Hello @Sebazzz
I am not able to reproduce the issue. I tried your configuration using the latest version of component detection v4.2.1 and the right components are detected. I also tried running the latest version of the sbom-tool v2.2.3 and also the correct components were reported. These are the files that I used:
csproj

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
    <ImplicitUsings>enable</ImplicitUsings>
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" />
    <PackageReference Include="Microsoft.Data.SqlClient" />
    <PackageReference Include="Newtonsoft.Json" />
  </ItemGroup>
</Project>
```
Directory.Packages.Props

```xml
<?xml version="1.0" encoding="utf-8"?>
<Project>
  <!-- Central registry of all packages used in the project -->
  <!-- See: https://devblogs.microsoft.com/nuget/introducing-central-package-management/ -->
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>
  <ItemGroup>
    <PackageVersion Include="Microsoft.Data.SqlClient" Version="5.1.4" />
    <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.0" />
    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.2.0" />
    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.2.0" />
    <PackageVersion Include="Newtonsoft.Json" Version="12.0.3" />
  </ItemGroup>
</Project>
```
This is the manifest generated by sbom