dotnet publish -r win10-x64 restores vulnerable package #29028

Closed
mattiaskagstrom opened this issue Nov 11, 2022 · 1 comment

Describe the bug

My organization blocks downloads of packages with known vulnerabilities.
The application is buildable and publishable, but as soon as you add -r win10-x64 it tries to restore runtime.win7.System.Private.Uri/4.3.0.
The package is blocked due to: dotnet/announcements#112

Running sdk 6.0.x on the build agents, and 7.0.0 locally

To Reproduce

The app has this csproj:

<Project Sdk="Microsoft.NET.Sdk.Web">

	<PropertyGroup>
		<TargetFramework>net6.0</TargetFramework>
		<RollForward>LatestMinor</RollForward>
		<Nullable>enable</Nullable>
		<ImplicitUsings>enable</ImplicitUsings>
		<AspNetCoreHostingModel>InProcess</AspNetCoreHostingModel>
		<AspNetCoreModuleName>AspNetCoreModuleV2</AspNetCoreModuleName>
	</PropertyGroup>

	<ItemGroup>
		<PackageReference Include="Hangfire" Version="1.7.31" />
		<PackageReference Include="Microsoft.AspNetCore.Server.IIS" Version="2.2.6" />
		<PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.0" />
		<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="7.0.0" />
		<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="7.0.0">
		  <PrivateAssets>all</PrivateAssets>
		  <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
		</PackageReference>
		<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
		<PackageReference Include="NLog.Web.AspNetCore" Version="5.1.5" />
		<PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
		<PackageReference Include="System.DirectoryServices.Protocols" Version="7.0.0" />
		<PackageReference Include="Trafikverket.PMSCore.Lib" Version="1.8.0.547" PrivateAssets="All" />
		<PackageReference Include="System.Text.Encodings.Web" Version="7.0.0" />
	</ItemGroup>
</Project>

#> dotnet publish -r win10-x64
MSBuild version 17.4.0+18d5aef85 for .NET
Determining projects to restore...
Failed to download package 'runtime.win7.System.Private.Uri.4.3.0' from 'https://********/nuget/DefaultSafe/package/runtime.win7.System.Private.Uri/4.3.0'.
Response status code does not indicate success: 400 (Bad Request).

Exceptions (if any)

Failed to download package 'runtime.win7.System.Private.Uri.4.3.0'

Further technical details

dotnet --info
.NET SDK:
Version: 7.0.100
Commit: e12b7af

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\7.0.100\

Host:
Version: 7.0.0
Architecture: x64
Commit: d099f075e4

.NET SDKs installed:
5.0.102 [C:\Program Files\dotnet\sdk]
5.0.201 [C:\Program Files\dotnet\sdk]
5.0.202 [C:\Program Files\dotnet\sdk]
7.0.100 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.22 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.4 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.17 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 6.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]

Environment variables:
Not set

global.json file:
Not found

@dotnet-issue-labeler dotnet-issue-labeler bot added Area-NuGet untriaged Request triage from a team member labels Nov 11, 2022

ghost commented Nov 11, 2022

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

This issue was closed.