We run dotnet list <Solution>.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json
nightly on our CI server to check whether we have a dependency on any vulnerable packages.
As of last Tuesday, this fails due to CVE-2024-30105 and CVE-2024-38095.
Both of the vulnerable libraries (System.Text.Json and System.Formats.Asn1) are runtime libraries, so we don't explicitly reference them as a NuGet package. In fact we don't even use System.Formats.Asn1 at all (its usage appears to be transitive via Microsoft.Extensions.Configuration.Xml).
I was under the impression that all we had to do was to update the runtime on our CI server and instruct our customer to do the same on their machines.
So we did the former, but we still get:
Project `------------------` has the following vulnerable packages
[net8.0]:
Transitive Package Resolved Severity Advisory URL
> System.Formats.Asn1 8.0.0 High https://github.com/advisories/GHSA-447r-wph3-92pm
Why is it still resolving to 8.0.0 when dotnet --version gives me 8.0.303, which according to the release notes for 8.0.7 (SDK 8.0.303) includes fixes for both vulnerabilities?
What am I doing wrong? What am I (still :'( ) not understanding about .NET dependencies?