Consider upgrading vulnerable `Microsoft.Build.Tasks.Core` dependency
Usage Information
Nuke 9.0.4 / .NET SDK 9.0.300 / .NET 9
Description
The latest Nuke release (9.0.4) depends on Microsoft.Build.Tasks.Core 17.12.6:
https://github.com/nuke-build/nuke/blob/da2ea1fecf4896fbd68f3c1884ea704e64b0412f/Directory.Packages.props#L67
A security advisory has recently been published about this version: https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
This results in NuGet audit warnings or errors for projects using Nuke, e.g.:
NU1901: Warning As Error: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
Consider upgrading the vulnerable dependency, so that upcoming Nuke versions don't require workarounds for NuGet security audits.
Reproduction Steps
Create a .NET project and add a package reference to Nuke.Common version 9.0.4.
Configure the project to run NuGet security vulnerability audits on all (direct + transitive) dependencies, and all severity levels, by adding the following to the .csproj:
<NugetAudit>true</NugetAudit>
<NugetAuditMode>all</NugetAuditMode>
<NugetAuditLevel>low</NugetAuditLevel>
Build the project and observe any NuGet audit warnings.
Expected Behavior
No NuGet audit warnings or errors are introduced.
Actual Behavior
NuGet audit warnings or errors are present, e.g.:
warning NU1901: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
The vulnerable dependency is introduced via Nuke.ProjectModel:
> dotnet nuget why Microsoft.Build.Tasks.Core
Project 'ReproBuild' has the following dependency graph(s) for 'Microsoft.Build.Tasks.Core':

  [net9.0]
   │
   └─ Nuke.Common (v9.0.4)
      ├─ Nuke.Build (v9.0.4)
      │  └─ Nuke.ProjectModel (v9.0.4)
      │     └─ Microsoft.Build.Tasks.Core (v17.12.6)
      └─ Nuke.ProjectModel (v9.0.4)
         └─ Microsoft.Build.Tasks.Core (v17.12.6)
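As an added example (not part of this issue and not Nuke's own code), the script below shows one way to act on the audit output described above in CI: it parses the NU1901-NU1904 lines that `dotnet restore`/`dotnet build` print, reduces them to one record per distinct finding, and fails the build when any finding reaches a chosen severity. The sample build output is constructed for this example; the first NU1901 line mirrors the warning quoted in this report, while the NU1903 line, the package `Example.Package`, the `/src/ReproBuild` paths and the `example.invalid` advisory URL are placeholders. The mapping of code to severity (NU1901 low, NU1902 moderate, NU1903 high, NU1904 critical) is NuGet's, and the `severity_rank` and `nuget_audit_gate` helpers are names chosen here.

```shell
#!/bin/sh
# Added example: gate a CI build on NuGet audit findings by parsing the
# NU1901-NU1904 lines emitted by `dotnet restore` / `dotnet build`.
# NuGet's code-to-severity mapping: NU1901 low, NU1902 moderate,
# NU1903 high, NU1904 critical.
# Real usage:  dotnet build 2>&1 | tee build.log; nuget_audit_gate moderate < build.log

# Constructed sample build output. The first NU1901 line reproduces the warning
# from the report (repeated once, as restore may print it per target framework);
# the NU1903 line, Example.Package, the paths and its URL are placeholders.
SAMPLE_BUILD_LOG="$(cat <<'EOF'
  Determining projects to restore...
/src/ReproBuild/ReproBuild.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
/src/ReproBuild/ReproBuild.csproj : warning NU1901: Package 'Microsoft.Build.Tasks.Core' 17.12.6 has a known low severity vulnerability, https://github.com/advisories/GHSA-h4j7-5rxr-p4wc
/src/ReproBuild/ReproBuild.csproj : error NU1903: Warning As Error: Package 'Example.Package' 1.2.3 has a known high severity vulnerability, https://example.invalid/advisories/GHSA-placeholder
  Restored /src/ReproBuild/ReproBuild.csproj (in 1.2 sec).
EOF
)"

# Read build output on stdin; print one record per distinct finding as
#   code|package|version|severity|advisory-url
# Both the plain warning form and the "Warning As Error:" form are accepted.
nuget_audit_findings() {
    grep -oE "NU190[1-4]: (Warning As Error: )?Package '[^']+' [^ ]+ has a known [a-z]+ severity vulnerability, https://[^ ]+" \
    | sed -E "s/^(NU190[1-4]): (Warning As Error: )?Package '([^']+)' ([^ ]+) has a known ([a-z]+) severity vulnerability, (https:[^ ]+)/\1|\3|\4|\5|\6/" \
    | sort -u
}

# Numeric rank for NuGet's severity labels. An unknown label ranks highest so
# that a future or misspelled level is never silently waved through.
severity_rank() {
    case "$1" in
        low) echo 1 ;;
        moderate) echo 2 ;;
        high) echo 3 ;;
        critical) echo 4 ;;
        *) echo 5 ;;
    esac
}

# Read build output on stdin. Exit status 0 when no finding reaches the
# threshold severity given as $1, 1 otherwise (the blocking finding goes to stderr).
nuget_audit_gate() {
    threshold=$(severity_rank "$1")
    nuget_audit_findings | {
        while IFS='|' read -r code pkg ver sev url; do
            if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
                echo "BLOCK ($code): $pkg $ver is $sev severity, see $url" >&2
                exit 1   # only leaves this pipeline subshell; it becomes the function's status
            fi
        done
        exit 0
    }
}

# Stand-alone demo over the constructed log.
printf '%s\n' "$SAMPLE_BUILD_LOG" | nuget_audit_findings
if printf '%s\n' "$SAMPLE_BUILD_LOG" | nuget_audit_gate moderate; then
    echo "gate(moderate): pass"
else
    echo "gate(moderate): fail"
fi
```

With the sample above, `nuget_audit_findings` yields two records (the duplicated NU1901 line collapses to one), and a `moderate` threshold fails the build because of the constructed high-severity finding, while a `critical` threshold passes. A threshold of `low` would also trip on the Microsoft.Build.Tasks.Core finding from this report, which is the behaviour `<NugetAuditLevel>low</NugetAuditLevel>` plus warnings-as-errors already gives you inside MSBuild; the script is useful when the gate has to live outside the project file, for instance to apply one policy across many repositories.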
Regression?
No response
Known Workarounds
No response
Could you help with a pull-request?
Yes