Description
Describe the bug
When you have a multi-targeted project and only one of the target frameworks has a reference to a vulnerable package, the NU1903 warning is being reported for all targets.
To Reproduce
Repro project: warning.zip
When you run dotnet build on the project, you get the following output:
F:\warning> dotnet build
Restore succeeded with 1 warning(s) in 0.7s
F:\warning\Warning.csproj : warning NU1903: Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
info NETSDK1057: You are using a preview version of .NET. See: https://aka.ms/dotnet-support-policy
Warning net472 succeeded with 1 warning(s) (0.1s) → bin\Debug\net472\Warning.exe
F:\warning\Warning.csproj : warning NU1903: Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
Warning net10.0 succeeded with 1 warning(s) (0.3s) → bin\Debug\net10.0\Warning.dll
F:\warning\Warning.csproj : warning NU1903: Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4
Build succeeded with 3 warning(s) in 1.2s
However, only the net472 project actually has a vulnerable reference. For net10.0, the vulnerable reference is being pruned away. You can see this both in the project.assets.json file:
"logs": [
  {
    "code": "NU1903",
    "level": "Warning",
    "warningLevel": 1,
    "message": "Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4",
    "libraryId": "System.Text.Json",
    "targetGraphs": [
      ".NETFramework,Version=v4.7.2",
      ".NETFramework,Version=v4.7.2/win-x86"
    ]
  }
]
and visualized in Visual Studio:
Further technical details
details of dotnet --info
.NET SDK:
Version: 10.0.100-rc.1.25451.107
Commit: 2db1f5ee2b
Workload version: 10.0.100-manifests.a6e8bec0
MSBuild version: 17.15.0-preview-25451-107+2db1f5ee2
Runtime Environment:
OS Name: Windows
OS Version: 10.0.26100
OS Platform: Windows
RID: win-x64
Base Path: C:\Program Files\dotnet\sdk\10.0.100-rc.1.25451.107\
.NET workloads installed:
There are no installed workloads to display.
Configured to use workload sets when installing new manifests.
No workload sets are installed. Run "dotnet workload restore" to install a workload set.
Host:
Version: 10.0.0-rc.1.25451.107
Architecture: x64
Commit: 2db1f5ee2b
.NET SDKs installed:
9.0.305 [C:\Program Files\dotnet\sdk]
10.0.100-rc.1.25451.107 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
Not set
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET:
https://aka.ms/dotnet/download
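The `targetGraphs` field quoted from project.assets.json above is what tells the two cases apart: the NU1903 entry names only the net472 graphs, while the build output repeats the warning for every target. The following script is an added example, not code from NuGet or from the reporter; it reads a constructed assets fragment (the log entry is the one from the report, the `targets` section is an assumed minimal graph in which System.Text.Json 8.0.4 resolves only for net472) and reports audit findings per framework, so a triage script can distinguish "warning printed for this TFM" from "this TFM actually pulls in the vulnerable package".

```python
import json
import re

# Constructed project.assets.json fragment in the shape quoted in the issue.
# The "logs" entry is the NU1903 record from the report; the "targets" section is an
# assumed minimal dependency graph in which System.Text.Json 8.0.4 is only resolved
# for net472 (and its win-x86 RID graph), matching the reporter's description.
ASSETS_JSON = """{
  "targets": {
    ".NETFramework,Version=v4.7.2": {"System.Text.Json/8.0.4": {"type": "package"}},
    ".NETFramework,Version=v4.7.2/win-x86": {"System.Text.Json/8.0.4": {"type": "package"}},
    "net10.0": {}
  },
  "logs": [
    {
      "code": "NU1903",
      "level": "Warning",
      "warningLevel": 1,
      "message": "Package 'System.Text.Json' 8.0.4 has a known high severity vulnerability, https://github.com/advisories/GHSA-8g4q-xg66-9fp4",
      "libraryId": "System.Text.Json",
      "targetGraphs": [".NETFramework,Version=v4.7.2", ".NETFramework,Version=v4.7.2/win-x86"]
    }
  ]
}"""

VULN_CODES = {"NU1901", "NU1902", "NU1903", "NU1904"}  # NuGet audit severity warnings
VERSION_RE = re.compile(r"Package '([^']+)' (\S+) has a known")

def framework_of(target_graph):
    """Strip a RID suffix such as '/win-x86' so RID-specific graphs fold into their TFM."""
    return target_graph.split("/", 1)[0]

def vulnerabilities_by_framework(assets_text):
    """Map every framework in 'targets' to the audit warnings whose targetGraphs name it.
    A framework with no matching log entry maps to an empty list (here: net10.0)."""
    assets = json.loads(assets_text)
    result = {framework_of(t): [] for t in assets["targets"]}
    for entry in assets.get("logs", []):
        if entry.get("code") not in VULN_CODES:
            continue
        match = VERSION_RE.search(entry["message"])
        version = match.group(2) if match else "?"
        finding = (entry["libraryId"], version, entry["code"])
        for graph in entry.get("targetGraphs", []):
            hits = result.setdefault(framework_of(graph), [])
            if finding not in hits:
                hits.append(finding)
    return result

def resolved_in_target(assets_text, target_graph, package, version):
    """Cross-check against the resolved graph: is package/version really in this target?"""
    assets = json.loads(assets_text)
    return f"{package}/{version}" in assets["targets"].get(target_graph, {})
```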