Everybody lists transitive pinning as the solution for packages with vulnerabilities, so I guess most folks use this as a way to mitigate vulnerabilities.
What nobody asks is, what about vulnerabilities found in framework assemblies?
The problem that I keep encountering is that we have a .NET 8 web app, up-to-date regarding NuGet packages, that somehow has System.Text.RegularExpressions 4.3.0 (e.g.) as a transitive dependency (observed in the dependency tree). Now, this is a well-known vulnerable package.
However, on the CI pipeline we build this targeting .NET 8 with an up-to-date SDK version and we build it framework-dependent and deploy on Azure.
The unfortunate thing is that afterwards, analyzers like mend.io complain about this vulnerability but I don't think it really exists. Being a framework-dependent build, there's no actual System.Text.RegularExpressions assembly in the build output as it is a framework one, and in Azure or wherever it is run, it will actually load a version deployed by the .NET runtime which is of course recent and not vulnerable.
My assumption is that even if we build self-contained, the version of the assembly contained in the package would be from the recent .NET SDK, not 4.3.0.
So then, is transitive pinning for framework assemblies useful in any way (except making mend.io shut up) or is this actually useful only for 3rd party assemblies?
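As an added example (not part of the discussion above), a small console check that reports which System.Text.RegularExpressions assembly the running process actually loaded and whether it came from the shared framework install or from the app's own output folder; that is the fact a scanner finding like this should be compared against. Type and member names are my own.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Text.RegularExpressions;

// Added example, not code from the discussion: resolve the System.Text.RegularExpressions
// assembly that is really loaded into this process and report where it was loaded from.
public sealed record LoadedAssemblyInfo(
    string FullName, string Location, string? FileVersion, bool FromAppDirectory);

public static class FrameworkAssemblyCheck
{
    public static LoadedAssemblyInfo Inspect()
    {
        // Touch the type so the host resolves and loads the assembly first.
        _ = Regex.IsMatch("abc", "b");
        Assembly asm = typeof(Regex).Assembly;

        // Location is empty for single-file bundles and in-memory loads.
        string location = asm.Location;
        string? fileVersion = null;
        bool fromAppDir = false;

        if (!string.IsNullOrEmpty(location) && File.Exists(location))
        {
            fileVersion = FileVersionInfo.GetVersionInfo(location).FileVersion;
            // Shared-framework assemblies live under dotnet/shared/Microsoft.NETCore.App/<ver>/.
            // A copy under AppContext.BaseDirectory means the app shipped its own file
            // (self-contained publish, or a package copy that was not pruned at build time).
            string appDir = Path.GetFullPath(AppContext.BaseDirectory);
            fromAppDir = Path.GetFullPath(location)
                .StartsWith(appDir, StringComparison.OrdinalIgnoreCase);
        }

        return new LoadedAssemblyInfo(asm.FullName ?? "(unknown)", location, fileVersion, fromAppDir);
    }

    public static void Main()
    {
        LoadedAssemblyInfo info = Inspect();
        Console.WriteLine($"Assembly     : {info.FullName}");
        Console.WriteLine($"Location     : {(info.Location.Length == 0 ? "(bundled / in-memory)" : info.Location)}");
        Console.WriteLine($"File version : {info.FileVersion ?? "(n/a)"}");
        Console.WriteLine(info.FromAppDirectory
            ? "Origin       : app output folder (set this file version against the scanner finding)"
            : "Origin       : shared framework / runtime install");
    }
}
```

Run it once with the framework-dependent publish settings the CI pipeline uses and once self-contained; the reported file version and origin are what to hold up against the 4.3.0 package version the scanner flags.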