Mitigating vulnerability in runtime libraries

We run dotnet list <Solution>.sln package --vulnerable --include-transitive --source https://api.nuget.org/v3/index.json nightly on our CI server to check whether we have a dependency on any vulnerable packages.

As of last Tuesday, this fails due to CVE-2024-30105 and CVE-2024-38095.

Both of the vulnerable libraries (System.Text.Json and System.Formats.Asn1) are runtime libraries, so we don't explicitly reference them as a NuGet package. In fact we don't even use System.Formats.Asn1 at all (its usage appears to be transitive via Microsoft.Extensions.Configuration.Xml).

I was under the impression that all we had to do was to update the runtime on our CI server and instruct our customer to do the same on their machines.

So we did the former but we still get

Project `------------------` has the following vulnerable packages
   [net8.0]:
   Transitive Package         Resolved   Severity   Advisory URL
   > System.Formats.Asn1      8.0.0      High       https://github.com/advisories/GHSA-447r-wph3-92pm

Why is it still resolving to 8.0.0 when dotnet --version gives me 8.0.303, which according to the release notes for 8.0.7 (SDK 8.0.303) includes fixes for both vulnerabilities?

What am I doing wrong? What am I (still :'( ) not understanding about .NET dependencies??!
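The audit above reads the NuGet package graph that restore resolved for the project, not the shared runtime installed on the machine, so updating the SDK or runtime does not change the version of a package that another package (here Microsoft.Extensions.Configuration.Xml) pulls in transitively. A common mitigation is to lift the transitive package to a direct reference at a version that carries the fix, since a direct PackageReference overrides the version a transitive dependency asks for. The following project-file fragment is an added example, not part of the original post; PATCHED_VERSION is a placeholder for the fixed package version taken from the advisory linked in the audit output.

```xml
<!-- Added example: fragment for the affected .csproj (or a shared Directory.Build.props). -->
<Project>
  <ItemGroup>
    <!-- System.Formats.Asn1 is only reached transitively (via Microsoft.Extensions.Configuration.Xml),
         so a direct reference at a patched version overrides the 8.0.0 the transitive path resolves to.
         PATCHED_VERSION is a placeholder: take the fixed version from the advisory URL in the audit output. -->
    <PackageReference Include="System.Formats.Asn1" Version="PATCHED_VERSION" />

    <!-- Same approach for System.Text.Json, only if the audit still flags it after the runtime update
         (the output quoted in the question no longer lists it). -->
    <PackageReference Include="System.Text.Json" Version="PATCHED_VERSION" />
  </ItemGroup>
</Project>
```

After adding the reference, rerun the same dotnet list --vulnerable --include-transitive command: the System.Formats.Asn1 row should disappear, because the resolved version is now the direct one rather than the 8.0.0 transitive one. Keep the direct reference until the upstream package itself depends on a fixed version, then drop it so the graph does not carry a stale pin.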
