[FP]: System.Threading.Tasks.Extensions

[Michiocre]

Package URl

pkg:nuget/[email protected]

CPE

cpe:2.3:a:tasks:tasks:4.6.0:::::::*

CVE

CVE-2020-22475

ODC Integration

None

ODC Version

12.0.0

Description

Description is talking about a Android App called Tasks from Tasks.org.

[github-actions]

Nuget Coordinates

dotnet add package System.Threading.Tasks.Extensions --version 4.6.0

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #7317
   ]]></notes>
   <packageUrl regex="true">^pkg:nuget/System\.Threading\.Tasks\.Extensions@.*$</packageUrl>
   <cpe>cpe:/a:tasks:tasks</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/12790462205

[aikebah]

From the report:

so no FP to be found

[Michiocre]

Strange, this is my report when running it using the Azure DevOps Pipeline Extension (would this make a difference).

[Michiocre]

I just read on a different issue that you dont directly support the Azure DevOps Pipeline, sorry for the confusion.

[aikebah]

Can you share the evidences that are in your report for the library?

Likely have something to do with additional evidences that are gathered in your scenario. Our FP pipeline has only evidences from msbuild analyzer.

[aikebah]

Devops pipeline as a plugin/pipeline tool is not something supported here, but under the hood the Azure Pipeline AFAIK is using the CLI to perform the scan.

[Michiocre]

Here the evidences.

[aikebah]

Hmmm... evidence-values (for your pipeline from packages config, in FP pipeline from msbuild) fully match up in type, name, value and confidence. No clue why there is a difference when the evidences are sourced from msbuild versus from packages.config

[aikebah]

Running locally I managed to reproduce the FP for both systems msbuild and packages.config
@jeremylong any clue on how this doesn't appear on our FP pipeline?

approved

[github-actions]

Suppress rule has been added to the generatedSuppressions branch.