[Bug] Security warning/errors when restoring on net9preview
Current behavior
1. Create new application using any of the template options
2. Update global.json to allow prerelease versions
3. Run dotnet restore
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w
Expected behavior
No security warnings/errors
How to reproduce it (as minimally and precisely as possible)
No response
Workaround
No response
Works on UWP/WinUI
None
Environment
No response
NuGet package version(s)
No response
Affected platforms
No response
IDE
No response
IDE version
No response
Relevant plugins
No response
Anything else we need to know?
No response
These are false positives from NuGet. https://github.com/NuGet/Home/issues/13622
The possible options:
- `<NuGetAuditMode>direct</NuGetAuditMode>`: If we go this way, it should be only during .NET 9 previews. Once stable, we shouldn't do this. I mean, it could just be a temporary easy workaround until we see if NuGet will fix things up on their side.
- `NuGetAuditSuppress` MSBuild item: we could do this to specify specific advisories where we are sure it's a false positive.
- Add direct PackageReference with non-vulnerable versions to silence NuGet warnings.
The NuGet issue will not be fixed in .NET 9 stable
@jeromelaban Do you have a preference on what we should do here?
There's no good way for fixing this. All modes are causing trouble. We'll need to fix this in multiple locations, or workaround in multiple locations and this is going to either be a security risk, or very verbose change to the default templates.
.NET9 now in general release and this error swamps the output. I'm getting this...
warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability
What should we do about it? The description for that package on Nuget explicitly says not to reference it directly.
Please advise what we are supposed to do. Thanks.
At this time, the only possible option is to explicitly install those packages in your app. We're working to determine which dependencies are pulling those references in order to avoid these errors in the templates.
@jeromelaban OK, thanks. Just seems wrong to install packages you aren't directly using, especially ones whose descriptions say they aren't meant for direct use, just to avoid spurious warnings.
Looking further into this issue, this is only happening on net8.0*, where Uno depends on the following packages:
- System.Numerics.Vectors
- System.Runtime.InteropServices.WindowsRuntime
- System.Memory
- System.Collections.Immutable
Those dependencies have been removed in Uno for net9.0 where the warnings do not show up anymore. We will not be changing net8.0 dependencies to avoid introducing unnecessary breaking changes.
To fix this behavior, there are three possible paths:
- Update your projects to net9.0
- Force an 8.0.x sdk version in global.json, and disable the version roll forward
- Force an explicit reference to the offending packages to their non-vulnerable versions
Note that the new dotnet nuget why command does not help for some packages like System.Private.Uri because of https://github.com/NuGet/Home/issues/13718.
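The project-level paths from the comments above (explicit references to non-vulnerable versions, or a `NuGetAuditSuppress` item for an advisory confirmed to be a false positive), as an added example that is not from this issue or from the Uno templates. The `PATCHED_VERSION` values are placeholders, since the thread does not state the fixed versions; take them from each advisory page linked in the NU1902/NU1903 warning.

```xml
<!-- Added example (not from the Uno templates or this issue): a .csproj fragment
     showing the two project-level workarounds discussed in the thread.
     PATCHED_VERSION is a placeholder: use the fixed version listed in each advisory. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <!-- Keep transitive auditing on so real advisories are still reported.
         "direct" would hide every transitive warning, which is why the thread
         only suggests it as a temporary measure during previews. -->
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <!-- Option A: pin the flagged transitive packages to a non-vulnerable version.
       A direct PackageReference is "nearer" than the transitive one in the graph,
       so NuGet resolves to it and the NU190x warning for the old version goes away. -->
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="PATCHED_VERSION" />
    <PackageReference Include="System.Formats.Asn1" Version="PATCHED_VERSION" />
    <PackageReference Include="System.Private.Uri" Version="PATCHED_VERSION" />
  </ItemGroup>

  <!-- Option B: suppress one specific advisory, only after confirming it is a
       false positive for this app. Include is the advisory URL printed in the
       warning, so nothing beyond that single advisory is silenced. -->
  <ItemGroup>
    <NuGetAuditSuppress Include="https://github.com/advisories/GHSA-x5qj-9vmx-7g6g" />
  </ItemGroup>

</Project>
```

After editing, run `dotnet restore` again and confirm the NU1902/NU1903 lines are gone; `dotnet nuget why <project> <package>` shows which dependency pulls in a flagged package, with the caveat from the comment above that it does not work for System.Private.Uri. Option A is the more conservative choice because it leaves auditing fully enabled; Option B should be reserved for advisories you have actually verified do not apply, and each suppression should carry the advisory URL so it can be revisited when the upstream dependency is updated. The alternative path of pinning an 8.0.x SDK in global.json with roll forward disabled avoids the warnings only because older SDKs audit direct packages by default, so it defers rather than resolves the underlying transitive reference.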
@jeromelaban Sorry to argue, but this is happening to me on a brand new .net9 solution (ie not upgraded from .net8) where there is a dependency on System.Private.Uri
@MrYossu could you provide the settings you used to create your solution? As well as a binlog?
@jeromelaban Not sure what you mean by settings, but I just realised why you mentioned Uno earlier. I came to this discussion from Google, and didn't spot that it's on the Uno repo. I had been reading so many on the dotnet repo and thought this was another!
I'm not using Uno, and so my comments here are probably irrelevant. As far as I can see, the problem is an underlying .NET/VS issue, so should be discussed in a repo more relevant.
Sorry for the confusion!
No problem, thanks for the update. You may want to start a discussion with the package owners that you use in your solution.
@jeromelaban I did just the same (created a new Uno app) like he told, after the new .NET version came out, and got greeted with issues... so when creating that one from scratch, that issue should not happen? Because I did it with different settings and it seems like it's mainly the apps with server or mauiembedding chosen on my side. It's the refit and the maui which seem to be pointing to the 9.0-rc instead of the 9.0 full release. Created with the wizard in VS 2022 Community Edition; setup: blank, xaml, mvux, Navigation, configuration, http, server, maui embedded, material, theme, dsp, debugging: default, auth: custom
hope I got all of the config and it will help you
@DevTKSS we're still updating the bits for net9 stable, it should be updated soon.
@jeromelaban thank you 👍 just wanted to make sure you know about them. I am not hurrying. Take the time you need for great things :)
@jhanvi03, @Darsh0307 if you can test this issue with latest stable please