Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] Security warning/errors when restoring on net9preview #18019

Closed
nickrandolph opened this issue Aug 26, 2024 · 16 comments
Closed

[Bug] Security warning/errors when restoring on net9preview #18019

nickrandolph opened this issue Aug 26, 2024 · 16 comments
Assignees
Labels
kind/bug Something isn't working project/core-tools 🛠️ Categorizes an issue or PR as relevant to core and tools

Comments

@nickrandolph
Copy link
Contributor

Current behavior

Create new application using any of the template options
Update global.json to allow prerelease versions
Run dotnet restore

C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Formats.Asn1' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-447r-wph3-92pm
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-5f2m-466j-3848
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1902: Package 'System.Private.Uri' 4.3.0 has a known moderate severity vulnerability, https://github.com/advisories/GHSA-x5qj-9vmx-7g6g
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-xhfc-gr8f-ffwc
C:\temp\UnoApp15\UnoApp15\UnoApp15.csproj : warning NU1903: Package 'System.Text.Json' 8.0.0 has a known high severity vulnerability, https://github.com/advisories/GHSA-hh2w-p6rv-4g7w

Expected behavior

No security warnings/errors

How to reproduce it (as minimally and precisely as possible)

No response

Workaround

No response

Works on UWP/WinUI

None

Environment

No response

NuGet package version(s)

No response

Affected platforms

No response

IDE

No response

IDE version

No response

Relevant plugins

No response

Anything else we need to know?

No response

@nickrandolph nickrandolph added kind/bug Something isn't working triage/untriaged Indicates an issue requires triaging or verification difficulty/tbd Categorizes an issue for which the difficulty level needs to be defined. labels Aug 26, 2024
@Youssef1313
Copy link
Member

These are false positives from NuGet. NuGet/Home#13622

@MartinZikmund MartinZikmund added blocked/dependency Categorizes an issue as blocked due to another issue and removed triage/untriaged Indicates an issue requires triaging or verification difficulty/tbd Categorizes an issue for which the difficulty level needs to be defined. labels Aug 26, 2024
@Youssef1313
Copy link
Member

The possible options:

  1. <NuGetAuditMode>direct</NuGetAuditMode>: If we go this way, it should be only during .NET 9 previews. Once stable, we shouldn't do this. I mean, it could just be a temporary easy workaround until we see if NuGet will fix things up on their side.
  2. NuGetAuditSuppress MSBuild item: we could do this to specify specific advisories where we are sure it's a false positive.
  3. Add direct PackageReference with non-vulnerable versions to silence NuGet warnings.

@Youssef1313
Copy link
Member

The NuGet issue will not be fixed in .NET 9 stable

@Youssef1313
Copy link
Member

@jeromelaban Do you have a preference on what we should do here?

@jeromelaban
Copy link
Member

There's no good way for fixing this. All modes are causing trouble. We'll need to fix this in multiple locations, or workaround in multiple locations and this is going to either be a security risk, or very verbose change to the default templates.

@MrYossu
Copy link

MrYossu commented Nov 13, 2024

.NET9 now in general release and this error swamps the output. I'm getting this...

warning NU1903: Package 'System.Private.Uri' 4.3.0 has a known high severity vulnerability

What should we do about it? The description for that package on Nuget explicitly says not to reference it directly.

Please advise what we are supposed to do. Thanks.

@jeromelaban
Copy link
Member

Please advise what we are supposed to do. Thanks.

At this time, the only possible option is to explicitly install those packages in your app. We're working to determine which dependencies are pulling those references in order to avoid these errors in the templates.

@MrYossu
Copy link

MrYossu commented Nov 18, 2024

@jeromelaban OK, thanks. Just seems wrong to install packages you aren't directly using, especially ones whose descriptions say they aren't meant for direct use, just to avoid spurious warnings.

@jeromelaban jeromelaban added project/core-tools 🛠️ Categorizes an issue or PR as relevant to core and tools and removed blocked/dependency Categorizes an issue as blocked due to another issue labels Nov 18, 2024
@jeromelaban jeromelaban self-assigned this Nov 18, 2024
@jeromelaban
Copy link
Member

Looking further into this issue, this is only happening on net8.0*, where Uno depends on the following packages:

  • System.Numerics.Vectors
  • System.Runtime.InteropServices.WindowsRuntime
  • System.Memory
  • System.Collections.Immutable

Those dependencies have been removed in Uno for net9.0 where the warnings do not show up anymore. We will not be changing net8.0 dependencies to avoid introducing unnecessary breaking changes.

To fix this behavior, there are three possible paths:

  • Update your projects to net9.0
  • Force an 8.0.x sdk version in global.json, and disable the version roll forward
  • Force an explicit reference to the offending packages to their non-vulnerable versions

Note that the new dotnet nuget why command does not help for some packages like System.Private.Uri because of NuGet/Home#13718.

@MrYossu
Copy link

MrYossu commented Nov 18, 2024

@jeromelaban Sorry to argue, but this is happening to me on a brand new .net9 solution (ie not upgraded from .net8) where there is a dependency on System.Private.Uri

@jeromelaban
Copy link
Member

jeromelaban commented Nov 19, 2024

@MrYossu could you provide the settings you used to create your solution? As well as a binlog?

@MrYossu
Copy link

MrYossu commented Nov 19, 2024

@jeromelaban Not sure what you mean by settings, but I just realised why you mentioned Uno earlier. I came to this discussion from Google, and didn't spot that it's on the Uno repo. I had been reading so many on the dotnet repo and thought this was another!

I'm not using Uno, and so my comments here are probably irrelevant. As far as I can see, the problem is an underlying .NET/VS issue, so should be discussed in a repo more relevant.

Sorry for the confusion!

@jeromelaban
Copy link
Member

No problem, thanks for the update. You may want to start a discussion with the package owners that you use in your solution.

@DevTKSS
Copy link
Contributor

DevTKSS commented Nov 21, 2024

@jeromelaban I did made just the same (created a new uno app) like he told, after the new .net version came out and got greeted with issues... so when creating that one from scratch new, that issue should not happen? Because I did it with different settings and seems like its mainly the apps with server or mauiembedding choosen on my side.
its the refit and the maui which seems to be pointing to the 9.0-rc instead of 9.0 full release. created with the wizard in vs 2022 community edition
setup: blanc, xaml, mvux, Navigation, configuration, http, server, maui embedded, material, theme, dsp, debugging: default, auth: custom

hope I got all of the config and it will help you
Screenshot 2024-11-21 181456
Screenshot 2024-11-21 181533

@jeromelaban
Copy link
Member

@DevTKSS we're still updating the bits for net9 stable, it should be updated soon.

@DevTKSS
Copy link
Contributor

DevTKSS commented Nov 21, 2024

@jeromelaban thank you 👍 just wanted to make sure you know about them. I am not hurrying. Take the time you need for great things :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Something isn't working project/core-tools 🛠️ Categorizes an issue or PR as relevant to core and tools
Projects
None yet
Development

No branches or pull requests

6 participants