-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error NU1903: Warning As Error: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc #42651
Comments
This is due to changes to NuGet: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/ The package will be a transient dependency of something in your dependency graph. Using the .NET 9 preview 6 SDK you can use the new |
This does not work it just says Project '...' does not have a dependency on 'System.Private.Uri'. |
That's a different issue then if It will be a dependency of something in your dependency graph - trivy scan found it in various container images of mine prior to the NuGet updates, which I had to fix (e.g. martincostello/api@ff08bd2). You can try looking in the |
@aortiz-msft @JonDouglas for why |
Yes please. |
IMHO: The tooling for this needs work! Last night I upgraded VS Enterprise to 17.11.0 and VS Community Preview to 17.12.0 Preview 1.0 and hit this on the first Maui application I built. I ended up running dotnet restore against a number of my solutions to find it impacted most of my Maui applications. At first, I thought I needed to add a PackageReference to each application project to resolve it. In the end, the suggestion to search project.assets.json finally narrowed it down to one of my shared assembly's. What I didn't see was the error for the shared assembly that was the root cause of the problem. To me, there are two bugs: Thanks. |
@DanTravison - Thank you for the feedback! For the first issue, would you mind opening an issue at https://github.com/NuGet/Home/issues/new/choose with reproducible steps? We'd be happy to take a look! For the second issue, you can configure the SDK to treat all or certain warnings as errors: https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings. If you feel that the default for vulnerabilities should be error, let us know that too. cc @zivkan |
For the first issue, I created NuGet/Home#13708 For the second issue, I cannot get the build to fail for the vulnerability issue. I've tried WarningsAsErrors, with Warning Level 1, 7, and All Warnings and don't see the warning promoted to an error. Here's an example output I'm expecting to see promoted: As far as considering this an error, personally, I would prefer that so I don't have to change every project to enforce it. Is there any way to configure this system-wide instead of per-project? |
You could set I set |
My guess is that you're using nuget.exe to restore the project. I'm not sure that NuGet.exe supports WarningsAsErrors and TreatWarningsAsErrors. You should use However, if you are using |
I am building in Visual Studio (Ent) 17.11.0 and the above warning was from the VS Output window. Unfortunately, now I can't even get the warning to appear in the VS build output. I typically run dotnet restore when I change NuGet dependencies because I find restore is unreliable when run as part of the VS build. In fact, I don't even see a warning when I remove the workaround from the shared assembly, clean the solution, and rebuild the solution in VS. The build output shows dotnet restore being run for each project with no warnings and the build completes even though project.assets.json for the Maui application references "System.Private.Uri": "4.3.0" In comparison, if I clean the solution and run the command-line dotnet restore from the solution directory, I see three warnings for the application project both before and after building in VS. PS C:\git\travison\Maui.Core> dotnet restore |
I am also experiencing this.
And dotnet nuget why, reports the same as Aaron so Perusing through the .deps.json as suggested I find a few references to it:
Both of these occurrences, initially seem beyond my control as they're located in stuff I've never really touched before, but I may be mistaken. As it stands, this is a very confusing situation, however as I'm running on a RC, some jank is to be expected. |
Unfortunately there's a limitation in Like any other transitive vulnerability, you can make this package a direct reference and then upgrade it to a version that does not have a known vulnerability. CPM with transitive pinning can automate this, and that way the package will automatically disappear as a direct package reference when you upgrade other packages and the package is no longer a transitive dependency in the graph. For the specific case of the So, it's a good candicate to ignore with I don't know why the GitHub advisory lists the package as vulnerable given it doesn't have any content, but this is what we're working with. We're also working on a feature called Supplied By Platform, which will automatically trim packages from the graph when the target framework you're using already provides the assemblies in the package. I hope that System.Private.Uri will be one of those packages that the .NET libraries team will advertise as supplied by platform. But the feature isn't done yet, so will only help in a future version of the .NET SDK once it's implemeneted. |
@zivkan that means that specific warning about Note: That |
Can this issue then be tagged with milestone: 9.0.200 ? We rather not suppress it in csproj and solve the issues. |
That's not really "can't" - it's that you don't want to resolve it with explicit dependency upgrades. That is, it's not a hard blocker to any upgrade. If you really want to use .NET 9 now, I would recommend adding the transitive dependencies to your project and clearly mark them as a temporary workaround with a comment, then later when the need for them is resolved you can remove it. |
@pregress It looks like it's not even a transitive dependency, as the final binary used is an empty stub that redirects to the .NET 9 implementation. Not certain about that, I've read it in another thread. |
@ZeldaJC Can you reproduce on the command line? Using the csproj below, when I do <Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net6.0</TargetFramework>
<RuntimeIdentifiers>win-x64;linux-x64</RuntimeIdentifiers>
<NuGetAuditMode>all</NuGetAuditMode>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.Runtime" Version="4.3.1" />
</ItemGroup>
<ItemGroup Condition=" '$(suppress)' != 'false' ">
<NuGetAuditSuppress Include="https://github.com/advisories/GHSA-5f2m-466j-3848;https://github.com/advisories/GHSA-x5qj-9vmx-7g6g;https://github.com/advisories/GHSA-xhfc-gr8f-ffwc" />
</ItemGroup>
</Project> |
strange thing is that this is happening in docker only, since updating to .NET 9 ( building outside of docker, or in the IDE doesnt get this error
This dependency also does not exist in any of our |
I think this happens because of os= linux. You get the same error, installing the latest version of |
Yes, for now I just added the lastest System.Private.Uri as an unused project dependency, which fixes the issue, but as you say, developers should not have to care about what dependencies MsBuild is using |
It looks like sdk v9.0.101 fixed it. |
SDK 9.0.101 reverts |
The release notes don't say anything about that. https://github.com/dotnet/core/blob/main/release-notes/9.0/9.0.0/9.0.101.md |
Thanks for pointing out this gap. I've created a pull request, so I hope it gets updated soon: |
So what's the plan moving forward. Is this a permanent change of default. Or a temporary rollback until the issues are solved? |
We definitely want to make it default again, to make it as easy as possible for developers to stay secure. We're still coming up with a plan though. Any changes won't be before .NET 10, so if you want to keep getting notified about transitive packages with known vulnerabilities, I recommend you add |
In VS I created a new asp.net webapi application, chose .net sdk style container targetting linux. Now VS politely points out that this freshly created project has a vulnerability (System.Private.Uri) and |
@vRune4 we fixed dotnet nuget why, and it will show/search RID specific package graphs in 9.0.200: |
I forgot to mention that NuGet reverted the NuGetAuditMode default back to |
Yes, I noticed your comments further up. My point is that a freshly created asp.net project will run into this issue and it would be nice if we could audit transitive packages without triggering false positives before .net 10 ships (a year from now?). |
Someone on Reddit has investigated this. <RuntimeIdentifier>win-x64</RuntimeIdentifier>
|
Describe the bug
Every project I tried to build using the current Visual Studio Preview version throws this error. System.Private.Uri is not a directly included project. I also tried clearing all nuget data, but it didn't help. In the stable Visual Studio version it works.
To Reproduce
Exceptions (if any)
Further technical details
The text was updated successfully, but these errors were encountered: